Hello there, moving on with our AWS SAA series, let's look at the security side of the S3 service.
S3 is private by default. The only identity with any initial access to an S3 bucket is the account root user of the account that owns that bucket.
Any other identity has to be granted permission on that bucket explicitly.
The first way of doing that is with an S3 bucket policy.
An S3 bucket policy is a resource policy.
A resource policy is like an identity policy, but it is attached to a resource instead of an identity.
– It provides the resource's perspective on permissions.
The difference between an identity policy and a resource policy:
An identity policy determines what the identity can access.
A resource policy determines who can access that resource.
Identity policies can only be attached to identities in one's own account, so they can only control security within one's own account. There is no way to use one to give an identity in another account access to an S3 bucket.
Different Uses of Bucket (Resource) Policies
Resource policies can grant identities from the same or a different account access to S3 buckets, because the policy is attached to the resource and can reference identities from any account.
Another benefit: they can allow or deny anonymous principals (ones that are not authenticated by AWS).
They can be used to block specific IP addresses from accessing objects.
A bucket policy statement contains a Principal element; its presence is the way to tell a resource policy apart from an identity policy.
Bucket policies can be used to allow or deny access from specific IP addresses.
A bucket policy can be used to block access to a specific folder or prefix inside an S3 bucket.
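As an added example (not from the original post), here is a constructed bucket policy that uses the features described above, together with a few checks a reviewer can run over any bucket policy document: whether it is a resource policy (every statement names a Principal), whether it grants anonymous access without a Condition, and which source IP ranges it denies. The bucket name, account ID, role name and CIDR are placeholder values.

```python
import json

# Constructed sample bucket policy for illustration: the bucket name, account ID,
# role name and CIDR are placeholders, not values from any real deployment.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCrossAccountRead",
     "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:role/ReportReader"},
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/reports/*"},
    {"Sid": "DenyBlockedRange",
     "Effect": "Deny",
     "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}}
  ]
}
""")

def _as_list(value):
    """IAM lets most elements be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_resource_policy(policy):
    """Every statement of a bucket policy names a Principal (or NotPrincipal); identity policies have none."""
    return all("Principal" in s or "NotPrincipal" in s for s in policy["Statement"])

def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} also matches unauthenticated (anonymous) requests."""
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def unconditional_anonymous_allows(policy):
    """Sids of Allow statements that grant anonymous access with no Condition restricting it."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and _is_anonymous(s.get("Principal")) and "Condition" not in s]

def blocked_source_ips(policy):
    """CIDRs that Deny statements reject through the aws:SourceIp condition key."""
    ranges = []
    for s in policy["Statement"]:
        if s["Effect"] != "Deny":
            continue
        ranges += _as_list(s.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", []))
    return ranges
```

The Deny statement above uses Principal "*" so the IP block applies to every caller, which is why the anonymous check only flags Allow statements.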
ACLs
ACLs can be used to control access to sub-resources.
They are a legacy way of granting access, and AWS does not recommend them.
They offer only simple and inflexible permissions.
An ACL cannot be applied to a group of objects at once.
Some important pointers – when to use an identity policy versus a bucket policy (resource policy):
Use identity policies if you want to grant access to multiple resources.
If you want to control access from a single place, such as IAM, use an identity policy.
Use a resource policy if you want to control access for a single product, such as S3.
Use a bucket (i.e. resource) policy if you want to grant anonymous or cross-account access.