Your organization uses Amazon S3 buckets to save critical project documents. You have created a Bucket “test2021bucket” for this purpose. Users (UserA & UserB) need the Get, Put & Delete access to their individual folders. In the future, the policy needs to be unique when replicated to many users globally. Which of the following is a correct policy statement that can be applied with the least effort to meet this requirement?

Answer options:

A.{
 "Version":"2012-10-17",
 "Statement":[
 {
 "Effect":"Allow",
 "Action":[
 "s3:PutObject",
 "s3:GetObject",
 "s3:DeleteObject",
 ],
 "Resource":"arn:aws:s3:::test2021bucket/*"
 }
 ]
}
B.{
 "Version":"2012-10-17",
 "Statement":[
 {
 "Effect":"Allow",
 "Action":[
 "s3:PutObject",
 "s3:GetObject",
 "s3:DeleteObject",
 ],
 "Resource":"arn:aws:s3:::test2021bucket/UserA/*"
 }
 ]
}
C.{
 "Version":"2012-10-17",
 "Statement":[
{
"Effect":"Allow",
 "Action":[
 "s3:PutObject",
 "s3:GetObject",
 "s3:DeleteObject",
 ],
 "Resource":"arn:aws:s3:::test2021bucket/${aws:username}/*"
}
 ]
}
D.{
 "Version":"2012-10-17",
 "Statement":[
 {
 "Effect":"Allow",
 "Action":[
 "s3:PutObject",
 "s3:GetObject",
 "s3:DeleteObject",
 ],
 "Resource":"arn:aws:s3:::test2021bucket/${aws:userid}/*"
 }
 ]
}

Correct Answer: D
Instead of creating multiple access policies for each user, a single policy can be created with a policy variable & attached to a group. In the above case, UserA & UserB can be added to a single group. Using a policy variable ${aws:userid}, an access policy is created which evaluates user id for each user & grants access with specified actions only to individual folders created based upon user id.
Option A is incorrect as this will allow users to access all data in test2021bucket & will not restrict to individual folders in this bucket.
Option B is incorrect. Instead of creating a Policy statement for each user, a policy variable can be used to grant access to each user with the specific user id.
Option C is incorrect. Although IAM user names are friendly, human-readable identifiers, they are not required to be globally unique. For example, if user Bob leaves the organization and another Bob joins, then new Bob could access old Bob`s information. Users with identical names will be able to access each other’s folders in these buckets. Instead of user name, using the User ID, which is unique for each user, is a more secure option.
 For more information on S3 User policy, refer to the following URL-
https://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html