🔥 3-day streak
AWS Certified Security - Specialty79 / 184
Question 79 of 184
A developer in a member account of an AWS Organization has an identity-based IAM policy that explicitly allows s3:GetObject on a specific bucket. The bucket's resource-based policy also allows the developer's role to read objects. However, a Service Control Policy (SCP) attached to the account's parent OU contains an explicit Deny for all S3 actions unless the request originates from a specific corporate IP range, using a Condition with aws:SourceIp. The developer attempts to download an object from a home network IP that is outside the corporate range. What is the result of this access attempt?
Reviewed for accuracy · Report an issueNext question