🔥 3-day streak
AWS Certified Security - Specialty63 / 157
Question 63 of 157
A company uses AWS Organizations with all features enabled. A developer's IAM user in a member account is attached to an identity-based policy that explicitly allows s3:GetObject on a specific bucket. The bucket's resource-based policy also allows the developer's principal to read objects. However, a Service Control Policy (SCP) attached to the developer's account contains an explicit Deny for all s3:* actions unless the request originates from a specific corporate IP range. The developer, working from home outside that range, receives an AccessDenied error. Which explanation correctly describes the policy evaluation outcome?
Reviewed for accuracy · Report an issueNext question