AWS Certified SysOps Administrator SOA-C01 – Question483

An IAM user has two conflicting policies as part of two separate groups. One policy allows him to access an S3 bucket, while another policy denies him the access. Can the user access that bucket?

A.
Yes, always
B. No
C. Yes, provided he accesses with the group which has S3 access
D. Yes, but just read only access of the bucket

Correct Answer: B

Explanation:

Explanation: When a request is made, the AWS IAM policy decides whether a given request should be allowed or denied. The evaluation logic follows these rules: By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.) An explicit allow policy overrides this default. An explicit deny policy overrides any allows. In this case since there is an explicit deny policy, it will over ride everything and the request will be denied. Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguag…