Which of the following statements about this S3 bucket policy is true?
A. Denies the server with the IP address 192.168.100.0 full access to the “mybucket” bucket
B. Denies the server with the IP address 192.168.100.188 full access to the “mybucket” bucket
C. Grants all the servers within the 192.168.100.0/24 subnet full access to the “mybucket” bucket
D. Grants all the servers within the 192.168.100.188/32 subnet full access to the “mybucket” bucket
Hi, please correct this question, since it is not showing any policy.
Thanks,
Frank
The policy is as under:
{
  "Id": "IPAllowPolicy",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.100.0/24"
        },
        "NotIpAddress": {
          "aws:SourceIp": "192.168.100.188/32"
        }
      },
      "Principal": {
        "AWS": "*"
      }
    }
  ]
}
B or C appear to be correct.
I believe it is C.
The answer is B. The policy means: grants all the servers within the 192.168.100.0/24 subnet (except 192.168.100.188) full access to the “mybucket” bucket.
Hi fcg, I’m not sure if it’s C, as the policy has the condition “NotipAddress” 192.168.100.188, which is in the 192.168.100.0/24 subnet. I think the answer is B. Anyone else have comments?
I agree that it’s B, because 192.168.100.188 sits within 192.168.100.0/24, so C is not correct.
This is actually a little tricky, because if you don’t spend the time to completely read all the answers, it is easy to select “C”.
This answer would technically be right, EXCEPT that the 192.168.100.188 address is WITHIN THAT “ALL servers” range, so it is NOT “ALL” servers, it is all servers EXCEPT 192.168.100.188.
So B is definitely the correct answer.
B is the correct answer
B
The answer is B. I entered the policy on a live AWS bucket and tested it out. The “IPAddress”: { “aws:SourceIP”: “192.168.100.0/24” } section grants permission to the entire subnet, but
the “NotipAddress”: { “aws:SourceIp”: “192.168.100.188/32” } part denies that one IP address, so B is correct.
To clarify, C is wrong because the IP address 192.168.100.188 is part of the subnet 192.168.100.0/24, and therefore there is one IP address inside the range specified in C that is NOT granted access to S3, which means that the *whole* subnet is NOT granted access (because of that one IP address exclusion).
Picture doesn’t load
b
They are all incorrect.
The closest to the right one is B.
The policy grants permission to the whole net except .188.
This doesn’t mean that it denies the machine .188.
Denying the machine would need a deny policy. If you have another policy that also includes .188, the machine would be allowed.
This is because the most restrictive policy is applied, but this policy doesn’t place a restriction on .188, it only leaves it out of this policy.
So to summarize: for the exam, B is maybe correct; for the logic, none of them is correct.
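As an added illustration (not part of the exam question and not AWS’s own evaluator), here is a small Python model of how the two condition operators in this policy combine, and why .188 ends up with no matching Allow rather than an explicit Deny. The policy dict mirrors the one posted above; the extra statements ALLOW_188 and DENY_188 are constructed here to show the difference another policy statement makes.

```python
import ipaddress

# Constructed model of the posted bucket policy: one Allow statement whose
# IpAddress / NotIpAddress condition blocks must BOTH be true (logical AND).
POLICY = {
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::mybucket/*",
            "Condition": {
                "IpAddress": {"aws:SourceIp": "192.168.100.0/24"},
                "NotIpAddress": {"aws:SourceIp": "192.168.100.188/32"},
            },
        }
    ]
}

# Constructed extra statements for comparison (hypothetical, not in the exam).
ALLOW_188 = {"Sid": "OtherAllow", "Effect": "Allow", "Action": "s3:*",
             "Resource": "arn:aws:s3:::mybucket/*",
             "Condition": {"IpAddress": {"aws:SourceIp": "192.168.100.188/32"}}}
DENY_188 = dict(ALLOW_188, Sid="ExplicitDeny", Effect="Deny")


def condition_matches(condition, source_ip):
    """Return True only if every operator block in the Condition is satisfied."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        in_range = ip in ipaddress.ip_network(keys["aws:SourceIp"], strict=False)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported operator in this model: {operator}")
    return True


def evaluate(policy, source_ip):
    """Simplified IAM logic: explicit Deny wins, else any matching Allow, else implicit deny."""
    decision = "implicit deny"
    for stmt in policy["Statement"]:
        if condition_matches(stmt.get("Condition", {}), source_ip):
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            decision = "allow"
    return decision
```

Running evaluate(POLICY, "192.168.100.188") gives "implicit deny", while adding ALLOW_188 to the statement list turns that into "allow" and adding DENY_188 turns it into "explicit deny".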
Answer should be B; Deny always takes precedence over Allow in S3 access.
Answer is C
Because 192.168.100.188/32 is not a valid subnet (the mask value cannot go above 30).
B, the explicit NotIpAddress 192.168.100.188 counters the default allow of the entire subnet, so *.188 will not have S3 access.
B, deny takes priority over allow.
“Technically” only B is correct.
Even though a better answer would be: grants all to the 192.168.100.0/24 subnet excluding 192.168.100.188.