Question 31
Domain 5: Data Protection
A security engineer needs to create an Amazon S3 bucket policy to grant least privilege read access to IAM user accounts that are named User1, User2 and User3. These IAM user accounts are members of the AuthorizedPeople IAM group. The security engineer drafts the following S3 bucket policy. When the security engineer tries to add the policy to the S3 bucket, the following message appears: `Missing required field Principal.` The security engineer is adding a Principal element to the policy. The addition must provide read access to only User1, User2 and User3. Which solution meets these requirements?
Correct answer: A
Explanation
S3 bucket policies are resource-based policies, so every statement needs a `Principal` element naming who the statement applies to; a policy without one is rejected with exactly the `Missing required field Principal` error seen here. Least privilege means naming only the identities that need the access: listing the three user ARNs for User1, User2 and User3 in `Principal` grants read access to those users alone. The AuthorizedPeople group cannot be used instead, because an IAM group is not a valid principal in a resource-based policy, and naming the whole group would in any case extend access to every current and future member.
Why each option is right or wrong
A. Option A.
Under the Amazon S3 bucket policy syntax, the `Principal` element is mandatory in a resource-based policy and must identify the exact AWS identities allowed by the statement; for IAM users, that means their user ARNs, not the IAM group ARN. Because IAM groups cannot be used as a `Principal` in a bucket policy, the policy must name only the three user ARNs for User1, User2, and User3 to satisfy least privilege and avoid granting access to any other members or future additions to the group. Since the users live in the same account as the bucket, an `Allow` in the bucket policy is sufficient on its own; cross-account principals would additionally need an identity-based policy granting the same actions. One operational caveat: if a named user is deleted and later recreated with the same name, the policy will not match the new user, because IAM stores the principal by its unique ID and the ARN in the policy is replaced accordingly.
B. Option B.
IAM groups are not valid principals in S3 bucket policies; a group ARN in `Principal` is rejected when the policy is saved. Groups only grant permissions indirectly, through the identity-based policies attached to them, which is a different mechanism from the bucket policy the question asks about.
C. Option C.
Granting access to the whole account (the account root ARN), to a role, or to a wildcard (`*`) principal reaches far beyond the three named users and therefore violates least privilege; a wildcard in particular would make the bucket readable by anonymous requests unless blocked elsewhere.
D. Option D.
A `Condition` block does not satisfy the missing `Principal` requirement, so the policy would still be rejected, and there is no condition key that exposes IAM group membership to a bucket policy in any case.
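The following is an added worked example, not part of the original question or its explanation: it builds the least-privilege read policy described in option A for User1, User2 and User3 and includes a small checker that reports the problems behind the other options (a missing `Principal`, an IAM group ARN, an account-wide or wildcard principal). The account ID `123456789012` and bucket name `example-bucket` are placeholders assumed for illustration, and "read access" is taken to mean `s3:ListBucket` on the bucket plus `s3:GetObject` on its objects.

```python
import json
import re

# Placeholders assumed for the example; substitute the real account ID and bucket.
ACCOUNT_ID = "123456789012"
BUCKET = "example-bucket"

# IAM user ARN: arn:aws:iam::<12-digit account>:user/<optional path/>name
USER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$")


def user_arn(name: str, account_id: str = ACCOUNT_ID) -> str:
    """Build the IAM user ARN that goes into the bucket policy's Principal."""
    return f"arn:aws:iam::{account_id}:user/{name}"


def build_read_policy(user_names, bucket: str = BUCKET, account_id: str = ACCOUNT_ID) -> dict:
    """Least-privilege read policy: only the named users, only list + get."""
    principals = [user_arn(n, account_id) for n in user_names]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowListBucket",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "AllowGetObject",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def principal_problems(policy: dict) -> list:
    """Return (Sid, reason) pairs for statements whose Principal is missing,
    invalid (IAM group), or broader than a named IAM user."""
    problems = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            # This is the condition behind the console's error in the question.
            problems.append((sid, "Missing required field Principal"))
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            problems.append((sid, "wildcard Principal grants anonymous access"))
            continue
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws, str):
            aws = [aws]
        for arn in aws:
            if arn == "*":
                problems.append((sid, "wildcard Principal grants anonymous access"))
            elif ":group/" in arn:
                problems.append((sid, f"IAM group ARN is not a valid Principal: {arn}"))
            elif arn.endswith(":root") or re.fullmatch(r"\d{12}", arn):
                problems.append((sid, f"account-wide Principal exceeds least privilege: {arn}"))
            elif not USER_ARN_RE.match(arn):
                problems.append((sid, f"not an IAM user ARN (role or other): {arn}"))
    return problems


if __name__ == "__main__":
    policy = build_read_policy(["User1", "User2", "User3"])
    print(json.dumps(policy, indent=2))
    print("problems:", principal_problems(policy))
```

Running the script prints the policy JSON that can be pasted into the bucket policy editor; `principal_problems` returns an empty list for it, and flags a draft with no `Principal` or one that names `arn:aws:iam::123456789012:group/AuthorizedPeople` instead of the user ARNs.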