Question 808 of 1,040
Design Secure Architectures · hard · Multiple Choice · Objective-mapped

Quick Answer

The answer is to create one S3 access point per team and attach an access point policy that limits that team to its own prefix. This design directly meets the requirement for per-team prefix isolation because each access point acts as a dedicated entry point with its own policy, allowing you to restrict access to a specific prefix like s3://shared-bucket/team-a/ without touching the bucket policy or enabling ACLs. On the SAA-C03 exam, this scenario tests your understanding of how S3 Access Points decouple permission management from the bucket, especially when a monolithic bucket policy becomes too large and error-prone. A common trap is to suggest separate buckets or IAM policies with complex conditions, but the correct approach leverages access point policies for clean, scalable isolation. Memory tip: think of each access point as a private door into the same shared room, where the door's lock (the policy) only opens for one team's corner.

SAA-C03 Design Secure Architectures Practice Question

This SAA-C03 practice question tests your understanding of design secure architectures. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. A key principle to apply: S3 Access Points simplify access management for shared buckets. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

Bucket configuration for arn:aws:s3:::corp-shared-data:
- S3 Block Public Access: enabled
- Object Ownership: BucketOwnerEnforced
- ACLs: disabled

Bucket policy excerpt:
- 17 separate statements grant GetObject and PutObject to different team roles
- Each statement uses a team-specific prefix condition

Audit note:
"A recent policy edit granted Team B access to Team C's uploads for 18 minutes before rollback."

Based on the exhibit, the company has one shared S3 bucket for many internal teams. Security wants each team to access only its own prefix, ACLs must remain disabled, and the current bucket policy has become too large and error-prone. What is the best redesign?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "best"

    Why it matters: Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

Correct answer & explanation

Create one S3 access point per team and attach an access point policy that limits that team to its own prefix.

Option C is correct because S3 Access Points allow you to create separate access points for each team, each with its own policy that restricts access to a specific prefix (e.g., s3://shared-bucket/team-a/). This eliminates the need for a large, error-prone bucket policy while keeping ACLs disabled, as access is managed through IAM policies and access point policies. It also maintains a single shared bucket, simplifying management and cost allocation.

Key principle: S3 Access Points simplify access management for shared buckets.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Re-enable object ACLs and manage access by setting object-level ACLs for each team's prefix.

    Why it's wrong here

    This reintroduces ACL management complexity and conflicts with the requirement to avoid ACLs. It also makes permissions harder to audit and easier to misconfigure.

  • Split the bucket into one bucket per team and keep using a single shared bucket policy for all of them.

    Why it's wrong here

    Separate buckets can work, but they multiply operational overhead and still require policy management across many buckets. The question asks for a better redesign of the access model, not just more buckets.

  • Create one S3 access point per team and attach an access point policy that limits that team to its own prefix.

    Why this is correct

    S3 access points are designed for simplifying access management to shared buckets. A separate access point per team keeps the bucket private, avoids ACLs, and lets each team have a smaller, easier-to-review policy boundary. This reduces the blast radius of a policy mistake and scales far better than a single giant bucket policy with many prefix rules.

    Clue confirmation

    The clue word "best" in the question points toward this answer.

    Related concept

    S3 Access Points simplify access management for shared buckets.

  • Make the bucket public and issue presigned URLs for team access so IAM policies are no longer needed.

    Why it's wrong here

    Presigned URLs are useful for temporary access, but making the bucket public violates the security requirement. Public access would also expose the bucket beyond the intended internal teams.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may think splitting the bucket per team (Option B) is simpler, but they overlook that a single shared bucket with access points is more cost-effective and manageable, and that ACLs (Option A) are explicitly disallowed by the requirement.

Detailed technical explanation

How to think about this question

S3 Access Points are unique hostnames that enforce a dedicated access policy, which can be combined with IAM policies for fine-grained control. Each access point has its own policy document that can specify conditions like s3:prefix or s3:delimiter, ensuring teams only see their own data. This approach scales to thousands of teams without hitting the 20 KB bucket policy size limit, and it integrates with AWS CloudTrail for per-access-point auditing.
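As an added illustration of the per-team access point policy described above and in the correct-option breakdown (this is not code from the page or from Courseiva), the following Python builds one team's access point policy and performs a simplified local check of which object keys it would allow through that access point. The account id, region, team names and role ARNs are constructed placeholders, and the check approximates policy evaluation offline rather than calling AWS.

```python
import re
# Constructed placeholders for this illustration, not values from a real account.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"


def access_point_arn(team: str) -> str:
    """ARN of the hypothetical per-team access point on the shared bucket."""
    return f"arn:aws:s3:{REGION}:{ACCOUNT_ID}:accesspoint/{team}-ap"


def team_access_point_policy(team: str, role_arn: str) -> dict:
    """Policy for one team's access point: object actions are scoped by the
    resource ARN (only keys under <team>/), and ListBucket is limited by the
    s3:prefix condition so the team cannot enumerate other teams' prefixes."""
    ap_arn = access_point_arn(team)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"{ap_arn}/object/{team}/*",
            },
            {
                "Effect": "Allow",
                "Principal": {"AWS": role_arn},
                "Action": "s3:ListBucket",
                "Resource": ap_arn,
                "Condition": {"StringLike": {"s3:prefix": [f"{team}/*"]}},
            },
        ],
    }


def _arn_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def object_allowed(policy: dict, ap_arn: str, role_arn: str, action: str, key: str) -> bool:
    """Simplified local check for an object request made through ap_arn. Real evaluation
    also involves the caller's IAM policy and a bucket policy that delegates to access
    points; with no matching Allow statement the request is implicitly denied."""
    resource = f"{ap_arn}/object/{key}"
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (st["Effect"] == "Allow" and st["Principal"]["AWS"] == role_arn
                and action in actions and _arn_match(st["Resource"], resource)):
            return True
    return False
```

With this layout, the audit-note incident (Team B reaching Team C's uploads) cannot arise from a typo in one giant bucket policy: Team B's access point policy never names any prefix but team-b/.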

Key Concepts to Remember

  • S3 Access Points simplify access management for shared buckets.
  • Each Access Point has a distinct hostname and can have its own policy.
  • Access Point policies can restrict access to specific prefixes within a bucket.
  • Access Points allow granular permissions without modifying the bucket policy or using ACLs.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

S3 Access Points simplify access management for shared buckets.

Real-world example

How this comes up in practice

A startup's cloud architect reviews their monthly bill and notices costs are higher than expected for a long-running batch job. Switching from on-demand instances to Reserved Instances — or using Spot/Preemptible VMs — can reduce compute costs by up to 72 %. Questions like this test whether you understand the tradeoffs between commitment, flexibility, and cost across cloud pricing models.

What to study next

Got this wrong? Here's your next step.

Review the principle that S3 Access Points simplify access management for shared buckets, then practise related SAA-C03 questions on the same topic to reinforce the concept.

FAQ

Questions learners often ask

What does this SAA-C03 question test?

Design Secure Architectures — this question tests the principle that S3 Access Points simplify access management for shared buckets.

What is the correct answer to this question?

The correct answer is: Create one S3 access point per team and attach an access point policy that limits that team to its own prefix. — Option C is correct because S3 Access Points allow you to create separate access points for each team, each with its own policy that restricts access to a specific prefix (e.g., s3://shared-bucket/team-a/). This eliminates the need for a large, error-prone bucket policy while keeping ACLs disabled, as access is managed through IAM policies and access point policies. It also maintains a single shared bucket, simplifying management and cost allocation.

What should I do if I get this SAA-C03 question wrong?

Review the principle that S3 Access Points simplify access management for shared buckets, then practise related SAA-C03 questions on the same topic to reinforce the concept.

Are there clue words in this question I should notice?

Yes — watch for: "best". Signals that multiple options may be partially correct. Choose the option that most directly solves the exact problem described, not the one that sounds most complete.

What is the key concept behind this question?

S3 Access Points simplify access management for shared buckets.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

1 more way this is tested on SAA-C03

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Based on the exhibit, the company has one shared S3 bucket for many internal teams. Security wants each team to access only its own prefix, ACLs must remain disabled, and the current bucket policy has become too large and error-prone. What is the best redesign?

hard
  • A. Re-enable object ACLs and manage access by setting object-level ACLs for each team's prefix.
  • B. Split the bucket into one bucket per team and keep using a single shared bucket policy for all of them.
  • C. Create one S3 access point per team and attach an access point policy that limits that team to its own prefix.
  • D. Make the bucket public and issue presigned URLs for team access so IAM policies are no longer needed.

Why C: Option C is correct because S3 Access Points allow you to create separate access points for each team, each with its own policy that restricts access to a specific prefix (e.g., s3://shared-bucket/team-a/). This eliminates the need for a large, error-prone bucket policy while keeping ACLs disabled, meeting the security requirement for per-team prefix isolation without modifying the underlying bucket configuration.

Last reviewed: Jun 11, 2026