AWS Days 19: IAM Policies vs. S3 Bucket Policies.
Welcome to Day 20! Today we discuss a basic security question: how to grant permission to an S3 bucket. AWS provides two main types of policies for this, IAM policies and bucket policies, and knowing when to apply which one is important for keeping your environment secure.
The Question
An administrator needs to grant an existing IAM user specific permissions to read from a single, private S3 bucket. According to AWS best practices, what is the most direct way to grant these user-specific permissions?
The Correct Answer
The correct answer is (A) Attach an IAM Policy to the user.
Why It Is Right: Identity vs. Resource Policies.
- This question highlights the fundamental difference between the two primary categories of policies in AWS:
- Identity-Based Policies (IAM Policies): You attach these policies directly to an IAM identity (user, group or role). The policy answers the question: "What can this identity do?" This is the simplest and most direct way to manage the permissions of your users and services.
- Resource-Based Policies (e.g., S3 Bucket Policies): These policies are attached to a resource, such as an S3 bucket. The policy answers the question: "Who is allowed to access this resource?"
- When we are granting permissions to one specific user, the simplest option, and the easiest to manage, is to attach the policy to the user's identity.
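As an added example (not code from the post), here are the two policy documents side by side for the scenario in the question, plus a deliberately simplified evaluator showing that either one grants Alice read access to a single bucket and nothing else; the bucket name, account id and user ARN are constructed placeholders.

```python
import fnmatch

BUCKET = "example-private-bucket"  # constructed sample name, not from the post
ALICE = "arn:aws:iam::123456789012:user/alice"  # placeholder account id

# Identity-based policy: attached to the user, so it carries no Principal element.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

# Resource-based policy: attached to the bucket, so it must name the Principal explicitly.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ALICE},
         "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Principal": {"AWS": ALICE},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _decide(statements, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    Real evaluation also merges identity and resource policies, SCPs, boundaries and Conditions."""
    allowed = False
    for st in statements:
        action_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
        if action_ok and resource_ok:
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def identity_allows(policy, action, resource):
    """An identity policy applies only to the identity it is attached to (Alice here)."""
    return _decide(policy["Statement"], action, resource)

def bucket_allows(policy, principal_arn, action, resource):
    """A bucket policy applies to whichever principals its statements name."""
    named = [st for st in policy["Statement"]
             if principal_arn in _as_list(st.get("Principal", {}).get("AWS", []))]
    return _decide(named, action, resource)
```

Note that the bucket policy needs a Principal per statement, which is exactly why it grows with every additional user, while the identity policy is scoped by where it is attached.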
An Analogy: Company ID Badge vs. the VIP List at a Door 🚪.
- Your company ID badge is an IAM Policy. The badge contains what you, as a person, should be allowed to do (e.g., "Access Floor 3," "Enter the Lab").
- A Bucket Policy resembles a VIP list at a particular door. The door has a list that reads: "Only Alice and Bob can enter this room."
- Both can produce the same outcome, but when the permissions belong to one person, it is easier to update their ID badge (the IAM Policy). Bucket policies are most useful when cross-account access is required or when access must be granted to AWS services.
Analysis of the Incorrect Options.
(B) Add a statement to the S3 Bucket Policy: Adding a statement to the S3 Bucket Policy would work, but it is not the simplest way to control the permissions of a single user. With hundreds of users it becomes difficult to manage, and your bucket policy would become enormous.
(C) Use an S3 Access Control List (ACL): ACLs are a legacy access control mechanism. They can express basic grants (e.g. read/write permissions) but are not recommended for fine-grained control. The modern, preferred approach is IAM and bucket policies.
The remaining option provides the user with temporary, time-limited access to a single object, rather than persistent read rights to the bucket. It is not a mechanism for sharing a bucket; it is a mechanism for sharing specific files with a high level of security.
Primary Keywords
S3 Security
AWS Permissions
Resource-Based Policies
Identity-Based Policies
S3 Access Control
Principle of Least Privilege
S3 ACL (Access Control List)
Cross-Account Access
IAM User Permissions
AWS JSON Policy
"when to use iam policy vs bucket policy"
"difference between resource and identity based policies"
"how to grant s3 access to an iam user"
"s3 security best practices for permissions"
"example of an s3 bucket policy"