You are an AWS administrator in an IT company. You need to manage a large number of S3 buckets across multiple AWS accounts. These S3 buckets should have different access policies, and you are considering using S3 access control lists (ACLs) to manage the permissions. Among the following situations, which of them can you use S3 ACLs to configure? (Select TWO.)

Answer options:

A.Grant read-only permissions to an IAM user who belongs to a third-party AWS account. The user needs the read access for audit purposes.
B.Allow the permission of S3:PutObject on the condition that the server-side encryption with SSE-KMS is requested.
C.A bucket allows 10 other AWS accounts to list, create and delete their objects.
D.Explicit deny other AWS accounts to read or write the bucket permissions to prevent other accounts from modifying them.
E.Enable public access for an S3 bucket. The access is read-only and the write permission is still not granted to the public.

Correct Answer – C, E
S3 access control lists (ACLs) belong to resource-based access policies, and it is a legacy access control mechanism that predates IAM. The introductions of ACLs can be found in https://docs.aws.amazon.com/AmazonS3/latest/dev/S3_ACLs_UsingACLs.html.
Option A is incorrect: In ACLs, you can grant permissions only to AWS accounts. You cannot select an IAM user in an S3 ACL.
Option B is incorrect: Unlike S3 bucket policies, you cannot create an ACL policy with a condition.
Option C is CORRECT: The access for other AWS accounts can be granted as below snapshot:
Option D is incorrect: Because explicit deny is not configurable in S3 ACLs. Users can only add explicit allows in ACLs.
Option E is CORRECT: Read public access is configurable. Take the below screenshot as an example: