Question 10
Content Domain 4: Machine Learning Implementation and Operations
An ML engineer wants to restrict access to training data stored in an Amazon S3 bucket by attaching a resource-based policy directly to the bucket. Which AWS mechanism is being used?
Correct answer: B
Explanation
An S3 bucket policy is a resource-based policy attached directly to an S3 bucket to control access to that bucket and its objects. — S3 bucket policies
Why each option is right or wrong
A. An IAM user policy attached to the engineer’s identity
IAM user policies are identity-based policies attached to users, not directly to S3 buckets.
B. An S3 bucket policy attached to the bucket resource
The scenario states that access is controlled by attaching a resource-based policy directly to the Amazon S3 bucket. That mechanism is an S3 bucket policy.
C. An Amazon EC2 instance profile assigned to the compute host
EC2 instance profiles provide credentials to instances and are not policies attached to S3 bucket resources.
D. An AWS Organizations service control policy on the account
Service control policies apply at the organization, OU, or account level, not directly to an individual S3 bucket.