A user is storing objects in Amazon S3. The user needs to restrict access to the objects to meet compliance obligations. What should the user do to meet this requirement?
Secrets Manager is for secrets (passwords)
Network ACL is a stateless firewall working on IPs, not users.
Security Groups are stateful firewall, not for user permissions.
In this case I'd say tags:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html
"Object tags enable fine-grained access control of permissions. For example, you could grant an IAM user permissions to read-only objects with specific tags."
Option A, using AWS Secrets Manager, is not relevant to this requirement as it is a service for storing and retrieving secrets such as database credentials, API keys, and other sensitive information.
Option B, tagging the objects in the S3 bucket, is also not a suitable option as tagging is used to categorize objects for management purposes and does not provide access control.
Option C, using security groups, is not applicable to Amazon S3 as it is a network-level security feature that controls inbound and outbound traffic to and from Amazon EC2 instances.
Option D, using network ACLs, is also not a suitable option for Amazon S3. Network ACLs are used to control traffic at the subnet level and do not provide access control to individual objects in an S3 bucket.
Therefore, the correct answer is to use Amazon S3 bucket policies or access control lists (ACLs).
B. Tag the objects in the S3 bucket.
Explanation:
To meet compliance obligations and restrict access to Amazon S3 objects, the tagging of objects is often used in conjunction with S3 bucket policies or IAM policies. By tagging objects, you can apply more granular access controls. For example, you can create policies that grant or deny access to objects based on their tags, which helps meet specific compliance or regulatory requirements.
Why the other options are incorrect:
A. Use AWS Secrets Manager: Secrets Manager is used for securely managing sensitive information like credentials or API keys, not for directly controlling access to S3 objects.
C. Use security groups: Security groups are used to control access to instances and resources at the network level, such as EC2 instances, but they do not control access to S3 buckets and objects.
D. Use network ACLs: Network ACLs are used to control inbound and outbound traffic at the subnet level, but they do not manage access to Amazon S3 buckets or objects.
B
From AWS website: "Object tags enable fine-grained access control for managing permissions. You can grant conditional permissions based on object tags."
https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html
https://repost.aws/knowledge-center/secure-s3-resources
https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html
Set access control lists (ACLs) on your buckets and objects to restrict access
If it is "Amazon S3 ACLs" then yes (https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html). But D is "NETWORK" ACLs, which is only for the VPC and not Amazon S3.
So now, most suitable one would be Tags.
B. Tag the objects in the S3 bucket.
"Object tags enable fine-grained access control of permissions. For example, you could grant a user permissions to read-only objects with specific tags."
https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-tagging.html#:~:text=Object%20tags%20enable%20fine%2Dgrained%20access%20control%20of%20permissions.%20For%20example%2C%20you%20could%20grant%20a%20user%20permissions%20to%20read%2Donly%20objects%20with%20specific%20tags.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html
To restrict access to objects in Amazon S3 and meet compliance obligations, the user should use option B: Tag the objects in the S3 bucket. Tags in Amazon S3 are key-value pairs that can be assigned to objects. By using tags, the user can implement fine-grained access control policies based on object metadata. They can create IAM policies that grant or deny access to objects based on the tags assigned to them. By properly tagging the objects in the S3 bucket and configuring the corresponding IAM policies, the user can control access to the objects based on compliance requirements, ensuring that only authorized individuals or systems can access them.
Definitely not D, `Network` ACLs cannot be used. (That's the trick.)
By tagging the objects in the S3 bucket, the user can assign metadata to the objects based on specific criteria or compliance requirements. Tags can be used to categorize and label objects, making it easier to manage access control and apply permissions based on those tags.
With Amazon S3, access control can be achieved through various mechanisms, such as bucket policies, access control lists (ACLs), and IAM policies. By leveraging object tags, the user can define more granular access control policies using IAM policies and resource-based policies.
For example, the user can create an IAM policy that allows read access to objects with a specific tag value (e.g., compliance=yes) and deny access to objects without that tag. This ensures that only authorized users or systems with the appropriate tag can access the objects.
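As an added example, not taken from any comment above: an IAM identity policy that implements the tag-based restriction the discussion describes, using the real `s3:ExistingObjectTag/<key>` condition key. The bucket name `EXAMPLE-BUCKET` and the tag `compliance=yes` are placeholders; the final statement also denies the same principal the ability to change object tags, because anyone who can retag an object can otherwise grant themselves access under such a policy.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucketOnlyTagConditionsDoNotApplyToListing",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET"
    },
    {
      "Sid": "ReadOnlyObjectsTaggedComplianceYes",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectTagging"],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/compliance": "yes"
        }
      }
    },
    {
      "Sid": "DenyRetaggingToPreventSelfGrantedAccess",
      "Effect": "Deny",
      "Action": ["s3:PutObjectTagging", "s3:DeleteObjectTagging"],
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*"
    }
  ]
}
```

Objects without the `compliance` tag, or with any other value, match no Allow statement and are therefore denied by default; the explicit Deny guards against a second attached policy granting tagging rights.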