🔥 3-day streak
AWS Certified Security - Specialty60 / 157
Question 60 of 157

A security engineer manages an S3 bucket that stores audit logs shared across an organization. The bucket resource-based policy must deny all access to the bucket EXCEPT for a specific cross-account IAM role (arn:aws:iam::222222222222:role/AuditReader) and the local account root. The engineer wants the deny to apply to every other principal, including future ones, without having to enumerate them. Which policy construct correctly implements this?

Reviewed for accuracy · Report an issueNext question