A company stores customer documents in cloud object storage. The provider already offers encryption at rest and physical security. Which action most directly reduces the risk of unauthorized access to the stored files?

Assume the provider's default settings are sufficient because encryption at rest is already enabled.

Default settings often do not enforce least privilege or restrict who can read the objects.

Move the documents to a public bucket so users can access them without friction.

Public access increases exposure and contradicts the goal of reducing unauthorized access risk.

Disable encryption at rest so administrators can troubleshoot access problems more easily.

Removing encryption weakens protection and does nothing to reduce unauthorized access risk.

What does this SY0-701 question test?

Authentication checks who the user is.

What is the correct answer to this question?

The correct answer is: Configure least-privilege IAM roles, bucket policies, and object permissions for approved users only. — The most direct way to reduce unauthorized access in cloud object storage is to control who can read or modify the data. Least-privilege IAM roles, bucket policies, and object permissions ensure only approved identities can access the documents. Even when the provider encrypts data at rest, access control remains the customer's responsibility and is usually the first line of defense against exposure. Why others are wrong: Relying on defaults is risky because default permissions may be broader than necessary. Making a bucket public obviously increases exposure and is incompatible with the security goal. Disabling encryption removes a protective layer and has no real value for access reduction. The question is about access control, so permissions and IAM configuration are the correct focus.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.