
Amazon S3 Access Control - IAM Policies vs Bucket Policies

Your S3 bucket is locked down and now you want your team to get access. In this video, we solve that by writing IAM policies and bucket policies, granting precise access without disabling any of the security defaults we set up in Part 1.

We build three access patterns on a single S3 bucket: a write-only backup writer that can upload but can't read or delete, a read-only analyst that can browse and download but can't modify anything, and an IP-restriction bucket policy that blocks all access from outside the corporate network. Along the way, we go over the anatomy of a policy (Version, Statement, Sid, Effect, Action, Resource, Principal), the two-resource gotcha between bucket ARNs and object ARNs that is a common cause of unexpected access errors, and the policy evaluation rule that governs all of AWS security: explicit deny always wins.
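A small model of the three patterns and the evaluation rule described above, added here as an illustration rather than code from the video: the bucket name, the 203.0.113.0/24 corporate range and the `evaluate()` helper are constructed assumptions, and the evaluator is a deliberate simplification that handles only Action, Resource and an `aws:SourceIp` condition (no Principal matching, permission boundaries or cross-account rules).

```python
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::example-corp-backups"  # constructed bucket name

# Write-only backup writer: may upload objects but cannot list, read or delete.
BACKUP_WRITER = [{"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET}/*"}]

# Read-only analyst. The two-resource gotcha: s3:ListBucket is checked against the
# bucket ARN, while s3:GetObject is checked against the object ARN (bucket/*).
ANALYST = [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
]

# Bucket policy: explicit Deny for every request from outside the corporate network.
CORP_NET = "203.0.113.0/24"  # constructed; documentation address range
IP_RESTRICTION = [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                   "Resource": [BUCKET, f"{BUCKET}/*"],
                   "Condition": {"NotIpAddress": {"aws:SourceIp": CORP_NET}}}]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_ok(stmt, source_ip):
    """Only the NotIpAddress operator on aws:SourceIp is modelled; Principal is ignored."""
    cond = stmt.get("Condition", {})
    if "NotIpAddress" in cond:
        ip = ipaddress.ip_address(source_ip)
        nets = _as_list(cond["NotIpAddress"]["aws:SourceIp"])
        return not any(ip in ipaddress.ip_network(net) for net in nets)
    return True

def _matches(stmt, action, resource, source_ip):
    """A statement applies when its Action, Resource and Condition all match."""
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_ok(stmt, source_ip))

def evaluate(identity_policy, bucket_policy, action, resource, source_ip="203.0.113.10"):
    """Return "Allow" or "Deny". Simplified AWS rule: an explicit Deny in any policy
    wins, otherwise any Allow grants, otherwise the request is implicitly denied."""
    matched = [s for s in identity_policy + bucket_policy
               if _matches(s, action, resource, source_ip)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "Deny"  # explicit deny always wins
    if any(s["Effect"] == "Allow" for s in matched):
        return "Allow"
    return "Deny"  # implicit deny: no statement matched
```

Note how `[ANALYST[1]]` alone (object ARN only) still denies `s3:ListBucket` on the bucket ARN, which is exactly the two-resource mistake that shows up as an access error in practice.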

This is Part 2 of the AWS S3 series. In Part 1, we covered the security defaults in the S3 bucket creation wizard including Block Public Access, ACLs, encryption, and presigned URLs.

References:
- AWS IAM Policies for S3: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security_iam_id-based-policy-examples.html
- AWS Bucket Policy Examples: https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html
- AWS Policy Evaluation Logic: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
- Amazon S3 Documentation: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html

Video "Amazon S3 Access Control - IAM Policies vs Bucket Policies" from the channel Peter's Tech Toolbox