You have created a new S3 bucket and you would like to configure read and write access to this bucket, only for users who are members of the Development, Test and QA teams. Each team has a different IAM Group defined in AWS. Which of the following is the simplest way to configure this?
Correct answer: Use a bucket policy to allow read and write access to the Development, Test and QA IAM groups
This is not correct, as group ARNs cannot be added as principals in a bucket policy. You would need to list the individual users in those groups in the bucket policy, which would make it the same thing as creating 1 IAM policy and attaching it to those users, aka option D: Create an IAM policy allowing read / write access to only this bucket and attach it to each user in the Development, Test and QA teams.
The actual response should be: create a customer managed IAM policy that allows read and write access only to this bucket and attach it to the IAM groups.
Thanks for spotting this, I’ll take a look and see if it needs changing!
It still keeps the wrong answer; hopefully it can be corrected soon.
Still wrong answer
You cannot specify IAM groups and instance profiles as principals.
Sounds reasonable when looking at https://acloud.guru/forums/aws-certified-security-specialty/discussion/-Li86l776mCyF5b8FYKD/bucket_policy_showing_error
I second that 🙂
agree
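The point made in this thread, as an added example that is not part of the original posts: a check that flags IAM groups and instance profiles used as a bucket-policy `Principal`, next to the identity-based policy you would attach to the groups instead. The account ID, bucket name, Sids and the function names `invalid_principals` and `group_policy` are assumptions made for illustration.

```python
import json
import re

# IAM resource types that are not valid in a resource-based policy Principal.
NOT_PRINCIPALS = {"group", "instance-profile"}
IAM_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:([\w-]+)/.+$")

def invalid_principals(policy):
    """Return (Sid, ARN) for each IAM group or instance profile named as a principal."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        principal = stmt.get("Principal") or stmt.get("NotPrincipal") or {}
        if isinstance(principal, str):      # "*" wildcard carries no ARN to check
            continue
        arns = principal.get("AWS", [])
        if isinstance(arns, str):
            arns = [arns]
        for arn in arns:
            m = IAM_ARN.match(arn)
            if m and m.group(1) in NOT_PRINCIPALS:
                findings.append((stmt.get("Sid", "<no Sid>"), arn))
    return findings

def group_policy(bucket):
    """Identity-based policy (no Principal element) to attach to each IAM group."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBucket", "Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ReadWriteObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }

# Constructed sample: the bucket policy the quiz answer implies, plus one valid user.
SAMPLE = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Sid": "TeamReadWrite", "Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::123456789012:group/Development",
                        "arn:aws:iam::123456789012:group/Test",
                        "arn:aws:iam::123456789012:group/QA",
                        "arn:aws:iam::123456789012:user/alice"]},
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

if __name__ == "__main__":
    print(invalid_principals(SAMPLE))
    print(json.dumps(group_policy("example-bucket"), indent=2))
```
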