A developer needs to grant an IAM user read-only access to an S3 bucket named 'my-bucket'. Which policy should be attached to the IAM user?
- A
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListBucket","Resource":"arn:aws:s3:::my-bucket"}]}
Why wrong: Only allows listing the keys in the bucket (s3:ListBucket on the bucket ARN); it grants no permission to read object contents.
- B
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*","Resource":"*"}]}
Why wrong: Allows every S3 action on every bucket and object in the account, far more than read-only access to one bucket.
- C
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:PutObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
Why wrong: Grants write access (s3:PutObject), which is not read-only.
- D
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-bucket/*"}]}
Why correct: Grants s3:GetObject on every object in my-bucket (arn:aws:s3:::my-bucket/*) and nothing else, so the user can read objects but cannot write or delete them. Note that this policy does not include s3:ListBucket, so the user can fetch objects by key but cannot enumerate the bucket's contents.