Question 290 of 509
Comparing and Contrasting Data Concepts (medium, multiple choice, objective-mapped)

Quick Answer

The correct answer is that DataAnalyst can read objects in the prod bucket except those in the sensitive subfolder. This is because AWS IAM policy evaluation follows a fundamental rule: explicit Deny statements always override any Allow statements, regardless of the order in which they appear. In the exhibit, the Allow for s3:GetObject on the entire prod bucket is effectively blocked by the Deny on the sensitive subfolder, which uses a condition key like s3:prefix to target that specific path. On the CompTIA Data+ DA0-001 exam, this scenario tests your understanding of IAM deny precedence and how conditional access controls restrict data access within a bucket. A common trap is assuming that a broad Allow will override a more specific Deny, but the opposite is true. Remember the mnemonic “Deny Defeats All” — when you see a Deny, it always wins, so always check for explicit Deny statements first when evaluating effective permissions.

DA0-001 Comparing and Contrasting Data Concepts Practice Question

This DA0-001 practice question tests your understanding of comparing and contrasting data concepts. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Exhibit

{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/DataAnalyst"},"Action":"s3:GetObject","Resource":"arn:aws:s3:::company-data/prod/*"},{"Effect":"Deny","Principal":"*","Action":"s3:GetObject","Resource":"arn:aws:s3:::company-data/prod/sensitive/*"}]}

Refer to the exhibit. A data analyst is trying to understand access permissions for the company-data bucket. Which statement accurately describes the effective permissions?


Correct answer & explanation

DataAnalyst can read objects in prod bucket except those in the sensitive subfolder.

Option A is correct because the exhibit shows an IAM policy that grants the DataAnalyst user s3:GetObject permission on the prod bucket, but includes a Deny effect for the sensitive subfolder via a condition key (e.g., s3:prefix). AWS IAM evaluates explicit Deny statements before Allow statements, so the Deny on the sensitive subfolder overrides the Allow on the bucket, effectively blocking read access to objects in that subfolder while permitting reads elsewhere in the bucket.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • DataAnalyst can read objects in prod bucket except those in the sensitive subfolder.

    Why this is correct

    Allow on prod/*, Deny on prod/sensitive/* explicitly blocks access to sensitive subfolder.

    Related concept

    Read the scenario before looking for a memorised answer.

  • DataAnalyst can read all objects in the prod bucket, including the sensitive subfolder.

    Why it's wrong here

    Deny overrides Allow, so sensitive subfolder is blocked.

  • No one can read from the prod bucket except DataAnalyst.

    Why it's wrong here

    Deny applies to everyone for sensitive subfolder, but Allow applies only to DataAnalyst for other objects.

  • Only DataAnalyst is allowed to read from the entire prod bucket.

    Why it's wrong here

    Deny blocks even DataAnalyst from sensitive subfolder.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often assume an Allow statement on a bucket grants full access to all objects, forgetting that an explicit Deny on a subfolder (via a condition key) takes precedence and creates a narrower effective permission.

Detailed technical explanation

How to think about this question

Under the hood, AWS IAM evaluates policies using a default-deny model: an explicit Deny always overrides any Allow, and the order of evaluation is explicit Deny, then Allow, then default Deny. This means that even if a bucket policy or user policy grants s3:GetObject on the bucket, a Deny with a condition like s3:prefix=sensitive/ will block access to that path. In real-world scenarios, this pattern is used to enforce least privilege, such as allowing a data analyst to read production data but restricting access to personally identifiable information (PII) in a subfolder.
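To make the Deny-wins rule concrete, here is a small evaluator (added for this page, not AWS code or part of the original question) that walks the exhibit's bucket policy statement by statement. It models only this one resource-based policy; the role and key names other than DataAnalyst are constructed for the example.

```python
import fnmatch
import json

# The bucket policy from the exhibit, copied verbatim.
EXHIBIT_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":['
    '{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::123456789012:role/DataAnalyst"},'
    '"Action":"s3:GetObject","Resource":"arn:aws:s3:::company-data/prod/*"},'
    '{"Effect":"Deny","Principal":"*","Action":"s3:GetObject",'
    '"Resource":"arn:aws:s3:::company-data/prod/sensitive/*"}]}'
)
DATA_ANALYST = "arn:aws:iam::123456789012:role/DataAnalyst"
AUDITOR = "arn:aws:iam::123456789012:role/Auditor"   # constructed, not in the exhibit


def _matches(pattern, value):
    """IAM-style wildcard match: '*' spans any characters, '?' one."""
    if isinstance(pattern, list):
        return any(_matches(p, value) for p in pattern)
    return fnmatch.fnmatchcase(value, pattern)


def _principal_matches(principal, caller_arn):
    """'*' is anonymous/everyone; otherwise compare against the AWS ARN list."""
    if principal == "*":
        return True
    arns = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(arns, str):
        arns = [arns]
    return any(_matches(a, caller_arn) for a in arns)


def effective_access(policy, caller_arn, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' (the default)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"      # a matching Deny ends evaluation, whatever the order
        allowed = True
    return "allow" if allowed else "implicit-deny"


def can_read(caller_arn, key):
    """Evaluate s3:GetObject on an object key in the company-data bucket."""
    return effective_access(EXHIBIT_POLICY, caller_arn, "s3:GetObject",
                            "arn:aws:s3:::company-data/" + key)
```

The exhibit scopes both statements by Resource ARN rather than by a condition key; s3:prefix is evaluated on s3:ListBucket requests, not s3:GetObject, so a Deny on object reads names the object path as it does here. Real evaluation also consults the role's identity-based policy, permission boundaries and any SCPs, which this model omits.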

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related DA0-001 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free DA0-001 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this DA0-001 question test?

This question tests Comparing and Contrasting Data Concepts. Key idea: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: DataAnalyst can read objects in prod bucket except those in the sensitive subfolder. — Option A is correct because the exhibit shows an IAM policy that grants the DataAnalyst user s3:GetObject permission on the prod bucket, but includes a Deny effect for the sensitive subfolder via a condition key (e.g., s3:prefix). AWS IAM evaluates explicit Deny statements before Allow statements, so the Deny on the sensitive subfolder overrides the Allow on the bucket, effectively blocking read access to objects in that subfolder while permitting reads elsewhere in the bucket.

What should I do if I get this DA0-001 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

1 more way this is tested on DA0-001

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. Refer to the exhibit. A data analyst notices that direct S3 access to files outside the "incoming/" prefix is blocked. Which data governance principle does this policy enforce?

Difficulty: medium

  • A. Data colocation
  • B. Data retention
  • C. Data access control
  • D. Data encryption

Why C: The policy blocks direct S3 access to files outside the 'incoming/' prefix, which restricts which users or roles can read or write objects in specific S3 prefixes. This is a classic implementation of data access control, as it enforces permissions based on the resource path, ensuring only authorized operations are allowed on designated data. In AWS S3, such restrictions are typically applied via bucket policies or IAM policies that use conditions like `s3:prefix` to limit access.

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.


This DA0-001 practice question is part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the DA0-001 exam.