Exam AWS Certified Security - Specialty SCS-C02 topic 1 question 242 discussion

3️⃣ Combining Policies — How AWS evaluates this: AWS uses a combination of IAM policies and resource-based policies (like bucket policies). For Alice to access an S3 bucket: • Either the IAM policy or the bucket policy must allow the action (they don’t both need to allow it). • If one policy allows access and the other doesn’t mention it (or allows it too), access is granted. • Access is denied only if an explicit “Deny” exists in either policy — which isn’t present here. Since: • Bucket1’s policy allows Alice access. • Alice’s IAM policy allows access to bucket2. 👉 Alice can access both bucket1 and bucket2 — no conflicts or denies are present.

IAM policies are evaluated first. Bucket policies are evaluated after IAM policies. An explicit deny will override any allows. If there are no explicit denies, then an explicit allow will grant access.

C. IAM policies and S3 bucket policies can both used for access control https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

Its B since Alice's IAM policy only allows Bucket 2. Access to Bucket 1 will be denied unless this IAM Policy is updated.

bucket1 has a policy that explicitly allows user "alice" access to arn:aws:s3:::bucket1/*. bucket2 has no bucket policy, but "alice"’s IAM policy allows access to arn:aws:s3:::bucket2/*. Here's the access situation: bucket1: User "alice" can access bucket1 because the bucket policy explicitly allows it. bucket2: User "alice" can access bucket2 because her IAM policy grants her permission to it, and there is no bucket policy to restrict this access. So, user "alice" can access both bucket1 and bucket2. Therefore, the correct answer is C. Both bucket1 and bucket2.

it should be C https://www.examtopics.com/discussions/amazon/view/68809-exam-aws-certified-security-specialty-topic-1-question-89/

only bucket 2, so B