Question 23
Domain 4: Identity and Access Management
An IAM engineer is reviewing an AWS resource-based policy that allows access only when requests come from a specific AWS account and only for certain API calls against one S3 bucket. Which policy components identify who can access the resource, what operation can be performed, and which object is being accessed?
Correct answer: A
Explanation
In an AWS policy, Principal identifies who is making the request, Action identifies what operation is allowed or denied, and Resource identifies the AWS resource affected. Condition adds extra constraints but does not replace those core roles. — AWS Certified Security Specialty Exam Guide - Domain 4, Task 4.2: Components and impact of a policy (Principal, Action, Resource, Condition)
Why each option is right or wrong
A. Principal, Action, and Resource
The exam guide identifies Principal, Action, Resource, and Condition as policy components. In this scenario, the specific AWS account is the Principal, the certain API calls are the Action, and the S3 bucket being accessed is the Resource.
B. Condition, Action, and Principal
Condition adds qualifying constraints to a request; it does not name the target resource.
C. Resource, Condition, and Action
Resource identifies the target, but Condition does not identify who is making the request.
D. Action, Resource, and Condition
Action and Resource are correct components, but it is Principal, not Condition, that identifies the requester.