Refer to the exhibit. An IAM policy is attached to an IAM user. The user tries to upload an object to `s3://my-bucket/secret/data.txt` from an IP address in the 10.0.0.0/8 range. What will happen?
Deny overrides Allow, and conditions match.
Why this answer
Option B is correct. The Deny statement explicitly denies s3:PutObject (part of s3:*) for the prefix secret/ when the source IP is in 10.0.0.0/8. Since the condition matches, the Deny overrides the Allow.
Option A is wrong because the Deny applies. Option C is wrong because the Deny is conditional, not unconditional. Option D is wrong because there is no explicit Deny for other IPs, but the condition applies to the user's IP.