Which set of additional steps must the DevOps engineer take to meet the company’s requirements?

By:
In: DOP-C01
Tagged:
With: 1 Comment
A DevOps engineer is developing an application for a company.The application needs to persist files to Amazon S3.The application needs to upload files with different security classifications that the company defines.These classifications include confidential, private, and public.Files that have a confidential classification must not be viewable by anyone other than the user who uploaded them.The application uses the IAM role of the user to call the S3 API operations.The DevOps engineer has modified the application to add a DataClassification tag with the value of confidential and an Owner tag with the uploading user’s ID to each confidential object that is uploaded to Amazon S3.

Which set of additional steps must the DevOps engineer take to meet the company’s requirements?

Modify the S3 bucket’s ACL to grant bucket-owner-read access to the uploading user’s IAM role. Create an IAM policy that grants s3:GetObject operations on the S3 bucket when aws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${aws:userid}. Attach the policy to the IAM roles for users who require access to the S3 bucket.

Modify the S3 bucket policy to allow the s3:GetObject action when aws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${aws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.

Modify the S3 bucket policy to allow the s3:GetObject action when aws:ResourceTag/DataClassification equals confidential, and aws:RequesttTag/Owner equals ${aws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.

Modify the S3 bucket’s ACL to grant authenticated-read access when aws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${aws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.

Explanations:

The bucket’s ACL modification grants unnecessary permissions (bucket-owner-read) and the policy is incorrectly formulated for handling object-level access control. IAM policy should rely on object-level permissions based on tags, but ACL is not needed in this case.

The S3 bucket policy is correctly configured to enforce access based on object tags (DataClassification = confidential and Owner = user), and the IAM policy grants necessary permissions for accessing the objects with appropriate tag-based conditions.

The policy uses “aws/Owner” instead of “s3/Owner.” This is incorrect because “aws” is for request tags, not object tags, leading to improper access control.

Modifying the S3 bucket’s ACL to grant “authenticated-read” is not necessary for fine-grained access control based on object tags. IAM policy alone can handle the required access control effectively.

2025-10-03

1 Comment

  1. Jessica
    Author

    I surmise that the answer is:
    Modify the S3 bucket policy to allow the s3:GetObject action when aws:ResourceTag/DataClassification equals confidential, and s3:ExistingObjectTag/Owner equals ${aws:userid}. Create an IAM policy that grants s3:GetObject operations on the S3 bucket. Attach the policy to the IAM roles for users who require access to the S3 bucket.

Leave a Reply

Your email address will not be published. Required fields are marked *

seventeen − eleven =