AWS Certified DevOps Engineer - Professional | Fixing Accidentally Removed S3 Bucket Policy



Question

Your team uses an S3 bucket called artifacts-bucket to store important files generated from pipelines.

An intern accidentally removed the bucket policy and added the following bucket policy:

Answers

Explanations


Correct Answer: B.

Option A is incorrect because this bucket policy explicitly denies any S3 actions if the user is not UserID_A.

If the user is not root or UserID_A, it cannot modify the S3 bucket policy through AWS CLI.

Option B is CORRECT because the root user can always modify the S3 bucket policy, even if the policy explicitly denies the root user that action. This is a deliberate security precaution so that an account can always recover access to its own bucket.

Option C is incorrect because with this bucket policy, only root or UserID_A can delete the S3 bucket policy through AWS console or CLI.

Option D is incorrect because the root user can restore the S3 bucket policy.

There is no need to engage AWS support.

Normally, AWS support has read-only access and does not modify customer resources directly.

References:

- https://aws.amazon.com/premiumsupport/knowledge-center/s3-accidentally-denied-access/
- https://docs.aws.amazon.com/cli/latest/reference/s3api/put-bucket-policy.html

In this scenario, an intern has accidentally removed the bucket policy of an S3 bucket called artifacts-bucket, and added an incorrect bucket policy. The task is to restore the previous bucket policy.

Option A suggests using an IAM user of the bucket's AWS account to execute the AWS CLI "aws s3api put-bucket-policy" command to restore the previous bucket policy. This option is feasible since AWS CLI allows IAM users to manage AWS resources from the command line. The command would look like this:

```bash
aws s3api put-bucket-policy --bucket artifacts-bucket --policy file://previous-bucket-policy.json
```

Here, previous-bucket-policy.json refers to the JSON file containing the previous bucket policy.
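As an added example (not part of the original question, the answer explanations, or AWS's own tooling), the check below can be run on a replacement policy file before it is applied with put-bucket-policy. It flags Deny statements of the kind in this scenario, which lock out every IAM principal except an allow-list and would leave the root user as the only way to recover. The bucket name comes from the question; the Sid, user ID and the policy itself are constructed placeholders.

```python
import json

# Constructed policy of the kind the question describes: an explicit Deny on
# all S3 actions for every principal except one IAM user ID (placeholder value).
LOCKOUT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAllButOneUser",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::artifacts-bucket",
                     "arn:aws:s3:::artifacts-bucket/*"],
        "Condition": {"StringNotEquals": {"aws:userId": "AIDAEXAMPLEUSERID"}},
    }],
})

# Condition keys that, under a negated operator (StringNotEquals, ArnNotLike,
# ...), turn a Deny into "everyone except this allow-list of identities".
IDENTITY_KEYS = {"aws:userid", "aws:username", "aws:principalarn",
                 "aws:principalaccount"}
# Actions whose denial prevents IAM principals from repairing the policy.
REPAIR_ACTIONS = {"s3:*", "s3:putbucketpolicy", "s3:deletebucketpolicy"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_lockout_statements(policy_json: str) -> list:
    """Return the Sid (or index) of each Deny statement that would stop every
    IAM principal, or all but an allow-list, from editing the bucket policy.
    Such a statement leaves the root user as the only way back."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & REPAIR_ACTIONS:
            continue
        cond = stmt.get("Condition", {})
        negated_keys = {k.lower() for op, kv in cond.items()
                        if "not" in op.lower() for k in kv}
        everyone = stmt.get("Principal") == "*" and not cond
        if everyone or "NotPrincipal" in stmt or negated_keys & IDENTITY_KEYS:
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings


if __name__ == "__main__":
    # Run against previous-bucket-policy.json before put-bucket-policy.
    print("lockout statements:", find_lockout_statements(LOCKOUT_POLICY))
```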

Option B suggests signing in to the Amazon S3 console as the AWS account root user, deleting the incorrect bucket policy, and adding the previous bucket policy that worked correctly. This option is also feasible, but it requires the AWS account root user's credentials. Additionally, it is not recommended to use the root user credentials for routine tasks, as it increases the risk of accidental changes or security breaches.

Option C suggests that any IAM user of the AWS account can use the AWS console to delete the S3 bucket policy, even if the policy explicitly denies the user the ability to perform this action. This statement is incorrect. If a bucket policy explicitly denies a user the ability to perform an action, then the user cannot perform that action, regardless of their permissions or roles.

Option D suggests that this bucket policy cannot be restored by any IAM user of the account and requires contacting AWS support to recover the S3 bucket policy. This statement is also incorrect. IAM users with the necessary permissions can restore the previous bucket policy using the AWS CLI or the Amazon S3 console.

Therefore, the correct answer is Option A: Use an IAM user of the bucket's AWS account to execute the AWS CLI "aws s3api put-bucket-policy" command to restore the bucket policy to the previous one.