Question 268:
You have an S3 bucket that stores photos. You also configure web identity federation (Amazon, Google, and Facebook) to provide temporary credentials to users who can download the photos from the bucket. Each web identity provider has its own directory in the bucket. You want to make sure that federated users can only access their provider's specific folder. Which of the following S3 bucket policies is suitable?
Answer options:
A.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": [
      "arn:aws:s3:::BUCKET-NAME/Amazon/*",
      "arn:aws:s3:::BUCKET-NAME/Google/*",
      "arn:aws:s3:::BUCKET-NAME/Facebook/*"
    ]
  }
}
B.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::BUCKET-NAME/${aws:FederatedProvider}/*"
  }
}
C.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "${aws:FederatedProvider}",
    "Action": "s3:GetObject",
    "Resource": [
      "arn:aws:s3:::BUCKET-NAME/",
      "arn:aws:s3:::BUCKET-NAME/*"
    ]
  }
}
D.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::BUCKET-NAME/*",
    "Condition": {
      "StringLike": {
        "aws:PrincipalArn": "${aws:FederatedProvider}"
      }
    }
  }
}