PrepAway - Latest Free Exam Questions & Answers

Which of the following statements about this S3 bucket policy is true?

A.
Denies the server with the IP address 192.168.100.0 full access to the “mybucket” bucket

B.
Denies the server with the IP address 192.168.100.188 full access to the “mybucket” bucket

C.
Grants all the servers within the 192.168.100.0/24 subnet full access to the “mybucket” bucket

D.
Grants all the servers within the 192.168.100.188/32 subnet full access to the “mybucket” bucket

20 Comments on “Which of the following statements about this S3 bucket policy is true?”

  1. Khozi says:

    The policy is as under:

    {
      "Id": "IPAllowPolicy",
      "Statement": [
        {
          "Sid": "IPAllow",
          "Action": "s3:*",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::mybucket/*",
          "Condition": {
            "IpAddress": {
              "aws:SourceIp": "192.168.100.0/24"
            },
            "NotIpAddress": {
              "aws:SourceIp": "192.168.100.188/32"
            }
          },
          "Principal": {
            "AWS": [
              "*"
            ]
          }
        }
      ]
    }

  2. jh says:

    The answer is B. The policy means: Grants all the servers within the 192.168.100.0/24 subnet (except 192.168.100.188) full access to the “mybucket” bucket.

  3. Tiger says:

    Hi fcg, I’m not sure if it’s C, as the policy has the condition “NotIpAddress” 192.168.100.188, which is in the 192.168.100.0/24 subnet. I think the answer is B. Anyone else have comments?

  4. Mark says:

    This is actually a little tricky, because if you don’t spend the time to completely read all the answers, it is easy to select “C”.

    This answer would technically be right, EXCEPT that the 192.168.100.188 address is WITHIN THAT “ALL Servers” so it is NOT “ALL” servers, it is all servers EXCEPT 192.168.100.188.

    So B is definitely the correct answer.

  5. Gig says:

    The answer is B. I entered the policy on a live AWS bucket and tested it out. The “IpAddress”: { “aws:SourceIp”: “192.168.100.0/24” } section grants permission to the entire subnet, but the “NotIpAddress”: { “aws:SourceIp”: “192.168.100.188/32” } part denies that one IP address, so B is correct.

  6. Venkat Rangamani says:

    To clarify, C is wrong because the IP address 192.168.100.188 is part of the subnet 192.168.100.0/24, and therefore there is one IP address inside the IP address range specified in B that is NOT granted access to S3, which means that the *whole* subnet is NOT granted access (because of that one IP address exclusion).

  7. escube says:

    They are all incorrect.
    The closest to the right one is B.
    The policy grants permission to the whole net except .188.
    This doesn’t mean that it denies the machine .188.
    Denying the machine would need a deny policy. If you have another policy that also includes .188, the machine would be allowed.
    This is because the most restrictive policy is applied, but this policy doesn’t make a restriction on the .188, it only ignores this policy.
    So to summarize: for the exam, B is maybe correct; for the logic, none of them is correct.

  8. Sam T says:

    “Technically” only B is correct.
    Even though a better answer would be: Grants all to the 192.168.100.0/24 subnet, excluding 192.168.100.188.

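The evaluation the comments above are debating, as an added example that is not part of the original page or of AWS's own code: a simplified model of how the statement's two condition operators combine, and of the difference between an Allow that does not match (implicit deny) and an explicit Deny. The `ALLOW_188` statement and the function names are hypothetical; the model covers only `aws:SourceIp` conditions in a single policy.

```python
import ipaddress

# The question's statement, reduced to the fields that drive the decision.
ALLOW_SUBNET_MINUS_188 = {
    "Effect": "Allow",
    "Condition": {
        "IpAddress": {"aws:SourceIp": "192.168.100.0/24"},
        "NotIpAddress": {"aws:SourceIp": "192.168.100.188/32"},
    },
}
# Hypothetical second statement (not in the question) that allows .188 itself.
ALLOW_188 = {
    "Effect": "Allow",
    "Condition": {"IpAddress": {"aws:SourceIp": "192.168.100.188/32"}},
}


def _in_any(ip, cidrs):
    """True if ip falls in at least one CIDR (multiple values are ORed)."""
    cidrs = [cidrs] if isinstance(cidrs, str) else cidrs
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def statement_matches(stmt, source_ip):
    """A statement applies only if every condition operator holds (AND)."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in stmt.get("Condition", {}).items():
        for key, cidrs in keys.items():
            if key != "aws:SourceIp":
                raise ValueError(f"unsupported condition key: {key}")
            if operator == "IpAddress":
                holds = _in_any(ip, cidrs)
            elif operator == "NotIpAddress":
                holds = not _in_any(ip, cidrs)
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not holds:
                return False
    return True


def decide(statements, source_ip):
    """Explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    effects = [s["Effect"] for s in statements if statement_matches(s, source_ip)]
    if "Deny" in effects:
        return "explicit deny"
    return "allow" if "Allow" in effects else "implicit deny"
```

With only the question's statement, `decide` returns "implicit deny" for 192.168.100.188; adding `ALLOW_188` turns that into "allow", which an explicit Deny statement would not permit.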
