In this post, I make available my notes about S3 Security, taken from Adrian Cantrill's course AWS Certified Solutions Architect – Associate (SAA-C02). The Q&A session below can be used to validate your knowledge or to create flashcards for study. Since these notes are a work in progress, there may be mistakes; drop a comment with any suggestions.
A Bucket Policy is a type of Resource Policy that you attach to an S3 Bucket. Only one Bucket Policy can be attached to a bucket, but it can contain multiple statements to control permissions.
The main difference between an Identity Policy and a Resource Policy is that an Identity Policy controls what an identity in your AWS Account can access, while a Resource Policy controls who can access the resource, including identities from other accounts.
A Resource Policy document has a "Principal" field that defines which principal is affected by the statement. This field exists only in resource policies and is what distinguishes them from identity policies. You can also make statements conditional, for example denying access to the bucket when the source IP does not match the criteria.
When an identity in your account tries to access a bucket, the effective permission is the combination of all of its identity policies plus the bucket policy. When anonymous users access an S3 Bucket, only the bucket policy is applied. When the access comes from an external identity (another account), both the identity policy and the bucket policy need to allow the access.
There is a legacy way of applying security to S3 Buckets called Access Control Lists (ACLs). AWS does not recommend using them; use a Bucket Policy instead.
The Block Public Access feature on S3 Buckets acts as a barrier that blocks public access to the bucket. It blocks access only for anonymous identities that try to reach the S3 bucket from the internet.
There are situations where an Identity Policy is preferable to a Resource Policy, and vice versa. To allow or deny access to individual resources across accounts, an Identity Policy is recommended: some services do not support Resource Policies, and it does not make sense to maintain an individual resource policy for each resource. To give everybody in an account access to a resource, or to allow anonymous or cross-account access to an S3 Bucket, a Resource Policy is preferable.
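The combination rules described above (anonymous, same-account and cross-account requests, the Principal field, a Deny conditioned on aws:SourceIp), worked through as an added toy model in Python. This is not code from the course or from AWS, and it models only the rules in these notes; the account ids, ARNs, and CIDR range are constructed.

```python
import ipaddress
OWNER = "111111111111"  # constructed account id that owns the bucket
PARTNER = "arn:aws:iam::222222222222:user/partner"  # constructed cross-account user
# Constructed bucket (resource) policy. Note the Principal field, which an
# identity policy never carries, and the Deny conditioned on aws:SourceIp.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"]},
    {"Effect": "Allow", "Principal": {"AWS": PARTNER}, "Action": ["s3:PutObject"]},
    {"Effect": "Deny", "Principal": "*", "Action": ["s3:*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]}
IDENTITY_POLICY = {"Statement": [  # constructed identity policy of the requester
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"]}]}

def _condition_ok(cond, source_ip):
    """Only the IpAddress / NotIpAddress operators on aws:SourceIp are modelled."""
    ip = ipaddress.ip_address(source_ip)
    for op, args in cond.items():
        if (op == "IpAddress") != (ip in ipaddress.ip_network(args["aws:SourceIp"])):
            return False
    return True

def evaluate(policy, principal, action, source_ip):
    """One policy -> 'Deny', 'Allow' or None; principal is an ARN or None (anonymous)."""
    result = None
    for s in policy["Statement"]:
        p = s.get("Principal", "*")  # identity policies carry no Principal field
        if (action not in s["Action"] and "s3:*" not in s["Action"]
                or p != "*" and p.get("AWS") != principal
                or not _condition_ok(s.get("Condition", {}), source_ip)):
            continue  # statement does not apply to this request
        if s["Effect"] == "Deny":
            return "Deny"  # an explicit Deny beats any Allow
        result = "Allow"
    return result

def authorize(principal, action, source_ip, bucket=BUCKET_POLICY, identity=IDENTITY_POLICY):
    """Anonymous: bucket policy only. Same account: either policy may allow.
    Cross-account: both must allow. An explicit Deny wins in every case."""
    b = evaluate(bucket, principal, action, source_ip)
    i = None if principal is None else evaluate(identity, principal, action, source_ip)
    if "Deny" in (b, i):
        return False
    if principal is None:
        return b == "Allow"
    if principal.split(":")[4] == OWNER:  # same account as the bucket owner
        return "Allow" in (b, i)
    return b == "Allow" and i == "Allow"
```

Pass `identity={"Statement": []}` to `authorize` to see that a cross-account principal named in the bucket policy is still refused when its own identity policy grants nothing.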
What is a Bucket Policy?
A type of Resource Policy you can attach to an S3 bucket.
How many Bucket Policies can you attach to an S3 bucket?
Only one, but it can contain multiple statements to control permissions.
What is the main difference between an Identity Policy and a Resource Policy?
An Identity Policy controls WHAT identities can access, and a Resource Policy controls WHO can access the resource.
How can you identify a Resource Policy document?
It has a "Principal" field.
What is the "Principal" field in a Resource Policy document for?
It defines which Principal is affected by the statement.
What policy is applied when anonymous users try to access an S3 Bucket?
Only the bucket policy.
What policy is applied when an external identity tries to access an S3 bucket?
Both the identity policy and the bucket policy are applied, and both need to allow the access.
What are Access Control Lists (ACLs), and what can you use as an alternative?
A legacy way of applying security to S3 Buckets. Use a Bucket Policy instead.
When is it preferable to use an Identity Policy over a Resource Policy?
To allow or deny access to individual resources across multiple accounts.
When is it preferable to use a Resource Policy over an Identity Policy?
To allow or deny access to everybody in the account, or to allow anonymous or cross-account access to S3 buckets.
What is the Block Public Access feature of S3 Buckets for?
It acts as a barrier that blocks public access to the S3 bucket by anonymous users.