An investigator finds the above IAM policy attached to an S3 bucket. What is the security concern?
Principal: * allows any user to perform GetObject.
Why this answer
Option C is correct because the IAM policy's `Principal` is set to `"*"` (wildcard), which means any unauthenticated user or anonymous entity on the internet can perform the `s3:GetObject` action. This makes the S3 bucket publicly readable, exposing all objects stored in the bucket to anyone who knows the bucket name and object key. The `Effect` is `Allow` and there is no condition restricting access, so the policy grants open read access to the entire bucket.
Exam trap
EC-Council often tests the distinction between a wildcard `Principal` (public access) and a wildcard `Resource` (which is normal for bucket policies), so candidates mistakenly think the `/*` in the Resource field is the security issue, when it is actually the `"*"` in the Principal field that creates the vulnerability.
How to eliminate wrong answers
Option A is wrong because the `Resource` field uses `arn:aws:s3:::example-bucket/*`, which correctly includes all objects within the bucket (the `/*` suffix covers all object keys). Option B is wrong because the policy version `2012-10-17` is the current and recommended version for IAM policies; there is no security concern tied to using this version. Option D is wrong because the policy only grants `s3:GetObject` (read) permission, not `s3:PutObject` or any write action, so it does not allow anyone to write objects to the bucket.
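The policy the question refers to is not reproduced on this page, so the following is an added illustration, not the exam's own material: a constructed bucket policy rebuilt from the details in the explanation (`Allow`, `Principal: "*"`, `s3:GetObject`, `arn:aws:s3:::example-bucket/*`, no `Condition`), a scoped version of the same grant with a hypothetical account id, and a small checker that flags only the wildcard-`Principal` case while leaving the `/*` in `Resource` alone.

```python
import json

# Constructed sample of the bucket policy the question describes (not the exam's
# exact text): Allow + wildcard Principal + s3:GetObject on all keys, no Condition.
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})

# Same grant with the Principal narrowed to one account (hypothetical account id).
SCOPED_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal) -> bool:
    """True if the Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_statements(policy_json: str) -> list:
    """Return Allow statements usable by any anonymous caller.

    A finding needs Effect=Allow, a wildcard Principal and no Condition. The
    "/*" in Resource is not a finding by itself; it only scopes the grant.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # e.g. an aws:SourceVpce condition may restrict the callers
        findings.append({"actions": _as_list(stmt.get("Action", [])),
                         "resource": stmt.get("Resource")})
    return findings
```

Running `find_public_statements` over the two constructed policies returns one finding for the wildcard version and none for the scoped one, which mirrors the distinction the exam trap is testing.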