A security analyst is using a cloud security posture management (CSPM) tool that reports a finding of "storage bucket publicly accessible." However, upon manual inspection, the bucket's ACL and bucket policy both restrict access to authorized users only. What is the most likely cause of the false positive?
Object-level ACLs can override bucket-level settings and cause a public access finding.
Why this answer
Option D is correct because individual objects within the bucket might have public ACLs, which the CSPM tool might detect. Option A (CSPM misconfigured) is possible but less likely. Option B (policy syntax error) would cause an error, not public access. Option C (region mismatch) is irrelevant.