
IAM Policy and S3 Policy

If I have an IAM role that gives access to a bucket, does that bucket ALSO need a bucket policy to specify that the role has access? Can I just have one or the other?

Example:

I have an IAM role that says

    {
        "Action": [
            "s3:Get*",
            "s3:Put*",
            "s3:DeleteObject",
            "s3:List*"
        ],
        "Resource": [
            "arn:aws:s3:::bucketname/*"
        ],
        "Effect": "Allow"
    }

The bucket has a policy attached but it doesn't include anything about the role with the above statement. There are no deny statements in the bucket policy. Should the role be able to access the files?

Typically, you do not need to provide an S3 bucket policy.

Whenever you make a request to S3, the authorization decision depends on the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply.

The order of policy evaluation is:

  1. Is there an explicit Deny? Result is deny.
  2. Is there an explicit Allow? Result is allow.
  3. (implicit default) Result is deny.

Here is an interesting article from AWS comparing IAM policies, bucket policies and ACLs:

If you're more interested in “What can this user do in AWS?” then IAM policies are probably the way to go. You can easily answer this by looking up an IAM user and then examining their IAM policies to see what rights they have.

If you're more interested in “Who can access this S3 bucket?” then S3 bucket policies will likely suit you better. You can easily answer this by looking up a bucket and examining the bucket policy.

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
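As an added example (not part of the original question or answer), the following Python models the evaluation order the answer lists: every statement from the identity policy and the bucket policy is pooled, an explicit Deny anywhere wins, an explicit Allow anywhere else is enough, and nothing matching means implicit deny. The policies are constructed here and mirror the question's IAM statement; `evaluate` is a hypothetical helper that only handles `Effect`, `Action` and `Resource` (no `Principal`, `Condition` or `NotAction`) and only the same-account case the answer describes, where an Allow from either policy suffices. Running it also shows a point worth checking against the posted statement: its `Resource` is `bucketname/*`, so `s3:ListBucket`, which is authorized against the bucket ARN itself, is implicitly denied even though `s3:List*` is allowed.

```python
import fnmatch

# Constructed example policies (not taken from the original post).
IAM_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:Put*", "s3:DeleteObject", "s3:List*"],
            "Resource": ["arn:aws:s3:::bucketname/*"],
        }
    ],
}

# A bucket policy that says nothing about the role at all.
BUCKET_POLICY_SILENT = {"Version": "2012-10-17", "Statement": []}

# A bucket policy with one explicit Deny, to show that Deny overrides the IAM Allow.
BUCKET_POLICY_DENY_DELETE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::bucketname/*",
        }
    ],
}


def _as_list(value):
    # IAM accepts a single string or a list in Action/Resource.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(action, resource, *policies):
    """Hypothetical evaluator (assumption: same-account, Effect/Action/Resource only).

    Returns "allow" or "deny" using the order from the answer:
      1. any matching explicit Deny -> deny
      2. any matching explicit Allow -> allow
      3. otherwise -> deny (implicit default)
    """
    saw_allow = False
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _matches(stmt.get("Action", []), action, case_insensitive=True):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"  # explicit Deny is final, no matter what else allows
            saw_allow = True
    return "allow" if saw_allow else "deny"


def question_scenarios():
    """The cases a practitioner would check for the statement in the question."""
    obj = "arn:aws:s3:::bucketname/report.csv"
    bucket = "arn:aws:s3:::bucketname"
    return {
        # IAM Allow alone, silent bucket policy: the answer's main point.
        "get_object_iam_only": evaluate("s3:GetObject", obj, IAM_ROLE_POLICY, BUCKET_POLICY_SILENT),
        # Resource is bucketname/* only, so the bucket ARN itself never matches.
        "list_bucket_iam_only": evaluate("s3:ListBucket", bucket, IAM_ROLE_POLICY, BUCKET_POLICY_SILENT),
        # Explicit Deny in the bucket policy beats the IAM Allow.
        "delete_with_bucket_deny": evaluate("s3:DeleteObject", obj, IAM_ROLE_POLICY, BUCKET_POLICY_DENY_DELETE),
        # Different bucket: nothing matches, implicit deny.
        "get_other_bucket": evaluate("s3:GetObject", "arn:aws:s3:::other-bucket/x", IAM_ROLE_POLICY, BUCKET_POLICY_SILENT),
    }


if __name__ == "__main__":
    for name, result in question_scenarios().items():
        print(f"{name}: {result}")
```

To run the same kind of check against a real role without guessing, `aws iam simulate-principal-policy --policy-source-arn <role-arn> --action-names s3:ListBucket --resource-arns arn:aws:s3:::bucketname` evaluates the identity policies the way the service does, and adding the bucket policy through `--resource-policy` folds in the bucket side as well.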

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
