🔥 3-day streak
AWS Certified Security - Specialty65 / 157
Question 65 of 157
A company has an S3 bucket in Account A (the resource owner). A role in Account B needs to read objects from this bucket. The security team configures the following: the bucket policy in Account A grants s3:GetObject to the Account B role's ARN; the role in Account B has an identity-based policy allowing s3:GetObject on the bucket; and Account B is in an AWS Organization with an SCP that denies all s3:* actions except s3:ListBucket. When the role in Account B attempts to download an object, the request is denied. What is the cause?
Reviewed for accuracy · Report an issueNext question