ExamQuestions.com

AWS Certified Solutions Architect Professional Exam Questions


Question 448:

A company has a new S3 bucket that stores very sensitive files. These objects are supposed to be used only by the IAM admin user. Other IAM users or roles should not have access. Users in other AWS accounts must not be able to assume any role to read the S3 objects either. You plan to use the S3 bucket policy to apply the security rules. Which option is the most secure one?

Answer options:

A.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": [
      "arn:aws:iam::444455556666:user/Admin",
      "arn:aws:iam::444455556666:root" ]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::BUCKETNAME",
      "arn:aws:s3:::BUCKETNAME/*" ]
  }]
}
B.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "NotPrincipal": {"AWS": [
      "arn:aws:iam::444455556666:user/Admin",
      "arn:aws:iam::444455556666:root" ]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::BUCKETNAME",
      "arn:aws:s3:::BUCKETNAME/*" ]
  }]
}
C.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "NotPrincipal": {"AWS": [
      "arn:aws:iam::444455556666:user/User1",
      "arn:aws:iam::444455556666:user/User2",
      …
      "arn:aws:iam::444455556666:user/UserX" ]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::BUCKETNAME",
      "arn:aws:s3:::BUCKETNAME/*" ]
  }]
}
D.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Principal": {"AWS": [
      "arn:aws:iam::444455556666:user/User1",
      "arn:aws:iam::444455556666:user/User2",
      …
      "arn:aws:iam::444455556666:user/UserX" ]},
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::BUCKETNAME",
      "arn:aws:s3:::BUCKETNAME/*" ]
  }]
}
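Added example, not part of the exam page and not AWS's own evaluator: a deliberately simplified policy evaluator that applies the explicit-deny-wins rule and the same-account vs. cross-account distinction to the four options above, so you can see which callers each option actually blocks. It assumes every request is an object read on BUCKETNAME (so Action and Resource always match) and replaces the "…" in C and D with a constructed two-user list.

```python
ACCOUNT = "444455556666"  # account id used in the policies above
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/Admin"
ROOT = f"arn:aws:iam::{ACCOUNT}:root"


def user_arn(name: str, account: str = ACCOUNT) -> str:
    """Build an IAM user ARN; a foreign account id models a cross-account caller."""
    return f"arn:aws:iam::{account}:user/{name}"


# The four options reduced to the fields that decide the outcome. The "..." in
# C and D is replaced by a constructed two-user list for this demonstration.
OPTIONS = {
    "A": {"Effect": "Allow", "Principal": [ADMIN, ROOT]},
    "B": {"Effect": "Deny", "NotPrincipal": [ADMIN, ROOT]},
    "C": {"Effect": "Allow", "NotPrincipal": [user_arn("User1"), user_arn("User2")]},
    "D": {"Effect": "Deny", "Principal": [user_arn("User1"), user_arn("User2")]},
}


def matches(stmt: dict, principal: str) -> bool:
    """Principal lists the callers a statement applies to; NotPrincipal applies
    the statement to every caller except those listed."""
    if "Principal" in stmt:
        return principal in stmt["Principal"]
    return principal not in stmt["NotPrincipal"]


def evaluate(option: str, principal: str, identity_allows: bool) -> str:
    """Decide one read of BUCKETNAME by `principal` under bucket policy `option`.
    Rules modeled:
      1. a matching explicit Deny wins over every Allow;
      2. a same-account caller succeeds if the bucket policy OR the caller's
         own IAM identity policy (identity_allows) grants the action;
      3. a cross-account caller needs an Allow in the bucket policy itself."""
    stmt = OPTIONS[option]
    bucket_allow = False
    if matches(stmt, principal):
        if stmt["Effect"] == "Deny":
            return "DENY"
        bucket_allow = True
    same_account = principal.split(":")[4] == ACCOUNT
    if bucket_allow or (same_account and identity_allows):
        return "ALLOW"
    return "DENY"


if __name__ == "__main__":
    callers = [("Admin", ADMIN), ("User1", user_arn("User1")),
               ("NewUser", user_arn("NewUser")), ("Outsider", user_arn("Eve", "111122223333"))]
    for opt in OPTIONS:  # every caller is assumed to hold an identity-policy Allow
        print(opt, {name: evaluate(opt, arn, True) for name, arn in callers})
```

Note that a Deny-only policy such as B grants nothing by itself: the admin still needs an identity-policy Allow, while an Allow with NotPrincipal (C) reaches callers outside the account.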