A company stores sensitive documents in an Amazon S3 bucket. The security team requires that only IAM users from a specific AWS account can access the bucket. Which solution is the MOST secure and requires the LEAST operational overhead?

Answer options:

Create an IAM role in the specific account and attach an identity-based policy.

Use an S3 bucket policy that denies access unless the Principal is the specific AWS account ID.

Enable S3 Block Public Access and use S3 Access Points.

Configure a VPC endpoint for S3 and restrict access to the VPC.

How to approach this question

Identify the requirement: restrict S3 access by AWS account. Resource-based policies (bucket policies) are best for this.

Full Answer

B.Use an S3 bucket policy that denies access unless the Principal is the specific AWS account ID.✓ Correct

Use an S3 bucket policy to restrict access to the specific AWS account ID.

An S3 bucket policy is a resource-based policy that can explicitly grant or deny access based on the Principal (AWS account ID), providing a centralized and low-overhead security control.

Common mistakes

Confusing IAM identity policies with S3 bucket policies for resource-level restrictions.

All questions Question 02

Practice the full AWS SAA-C03 Practice Exam 3

65 questions · hints · full answers · grading

More questions from this exam

Q02A large enterprise uses AWS Organizations to manage multiple accounts. The security team wants to...Medium Q03A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (AL...Easy Q04A company wants to continuously monitor its AWS accounts for malicious activity and unauthorized ...Medium Q05A company needs to encrypt data at rest in Amazon RDS and manage database credentials securely. T...Medium Q06An application running on Amazon EC2 needs to access an Amazon DynamoDB table. What is the MOST s...Easy

View all 65 questions →