
Bucket policies for access control in AWS - Commands & Configuration

Introduction
Sometimes you want to control who can see or change files in your cloud storage bucket. Bucket policies let you set rules to allow or block access to your bucket and its files.
When you want to let only certain people or apps read files from your bucket.
When you want to block public access to your bucket to keep files private.
When you want to allow another AWS account to upload files to your bucket.
When you want to restrict access to files based on IP address or time of day.
When you want to log who accessed your bucket for security tracking.
Config File - bucket-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket/*"]
    }
  ]
}

This JSON file is a bucket policy that allows anyone to read objects inside the bucket named example-bucket. The Effect key sets the rule to allow access. Principal set to * means any requester, including anonymous (unauthenticated) ones. Action specifies the allowed action, here reading objects. Resource points to all objects inside the bucket. Note that if S3 Block Public Access is enabled on the bucket or the account, it overrides a public policy like this one and the policy will be rejected or have no effect.

Commands
This command applies the bucket policy from the file to the bucket named example-bucket. It sets the access rules you defined.
Terminal
aws s3api put-bucket-policy --bucket example-bucket --policy file://bucket-policy.json
Expected Output
No output (command runs silently)
--bucket - Specifies the bucket name to apply the policy to
--policy - Specifies the JSON file containing the bucket policy
This command retrieves and shows the current bucket policy for example-bucket so you can verify it was set correctly.
Terminal
aws s3api get-bucket-policy --bucket example-bucket
Expected Output
{ "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::example-bucket/*\"]}]}" }
--bucket - Specifies the bucket name to get the policy from
This command lists the files in the bucket to check that you can access the bucket contents as allowed by the policy.
Terminal
aws s3 ls s3://example-bucket/
Expected Output
2024-06-01 10:00:00       1234 example-file.txt
2024-06-01 10:05:00       5678 another-file.jpg
Key Concept

If you remember nothing else from this pattern, remember: bucket policies are JSON rules that control who can do what with your cloud storage bucket and its files.

Common Mistakes
Using the wrong ARN format in the Resource field
The policy won't apply correctly if the resource ARN does not match the bucket or objects you want to control.
Always use the correct ARN format: arn:aws:s3:::bucket-name/* for all objects in the bucket (object actions such as s3:GetObject), and arn:aws:s3:::bucket-name without a suffix for bucket-level actions such as s3:ListBucket.
Setting Principal to * when you want to restrict access
This allows everyone access, which can expose your data publicly.
Specify the exact AWS account or user ARN in Principal to limit access.
Not applying the policy after creating the JSON file
The bucket will keep its old permissions and your new rules won't take effect.
Run the aws s3api put-bucket-policy command to apply the policy.
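The two policy mistakes above (a bucket-level ARN used with an object action, and Allow with Principal * where access should be restricted) and the policy structure described under the config file can be checked mechanically before a policy is applied. The following is an added example written for this page, not code from the original page or from AWS: a small Python lint over a bucket policy document, using only the standard library. The sample policies embedded below reproduce this page's own examples (the public-read policy, the upload policy with the bucket-level ARN from question 4, and the Deny-with-Condition policy from question 5); the OBJECT_ACTIONS set and the wording of the findings are this example's own choices, not an AWS definition.

```python
import json

# Object-level actions: their Resource must name objects (arn:aws:s3:::bucket/...),
# not the bucket itself. This set is the example's own selection, not an AWS list.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    """True for the two spellings of 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") == "*"


def lint_policy(policy):
    """Return a list of human-readable findings for a parsed bucket policy dict."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # Mistake: Allow + Principal * with no Condition is an unrestricted public grant.
        if effect == "Allow" and _is_public(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(
                f"statement {idx}: Allow with Principal * and no Condition makes "
                f"{sorted(actions)} public"
            )

        for res in resources:
            if res != "*" and not res.startswith(S3_ARN_PREFIX):
                findings.append(f"statement {idx}: Resource {res} is not an S3 ARN")
                continue
            # Mistake: object action on a bucket-level ARN (no "/" after the bucket name).
            bucket_only = res.startswith(S3_ARN_PREFIX) and "/" not in res[len(S3_ARN_PREFIX):]
            for act in actions:
                if act in OBJECT_ACTIONS and bucket_only:
                    findings.append(
                        f"statement {idx}: {act} is an object action but Resource {res} "
                        f"has no /* object path"
                    )
    return findings


def lint_policy_text(text):
    """Lint a policy given as a JSON string (e.g. the contents of bucket-policy.json)."""
    return lint_policy(json.loads(text))


# Sample input: the page's own policies, reproduced here as constructed test data.
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"],
                   "Resource": ["arn:aws:s3:::example-bucket/*"]}],
}
BROKEN_UPLOAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::example-bucket"}],
}
DENY_EXCEPT_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Principal": "*",
                   "Action": "s3:DeleteObject",
                   "Resource": "arn:aws:s3:::secure-bucket/*",
                   "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "123456789012"}}}],
}

if __name__ == "__main__":
    for name, pol in [("public-read", PUBLIC_READ_POLICY),
                      ("broken-upload", BROKEN_UPLOAD_POLICY),
                      ("deny-except-account", DENY_EXCEPT_ACCOUNT_POLICY)]:
        print(name, "->", lint_policy(pol) or ["no findings"])
```

Run it as a script to see the findings for the three sample policies; the public-read policy is flagged once (public Allow), the upload policy twice (public Allow and bucket-level ARN with an object action), and the Deny-with-Condition policy is clean. To check a live bucket, feed the output of aws s3api get-bucket-policy --bucket example-bucket --query Policy --output text to lint_policy_text.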
Summary
Create a JSON bucket policy file defining who can access your bucket and what actions they can perform.
Use the AWS CLI command to apply the bucket policy to your bucket.
Verify the policy is set by retrieving it and testing access to the bucket contents.

Practice

1. What is the main purpose of a bucket policy in AWS S3?
easy
A. To monitor the bucket usage statistics
B. To store files inside the bucket
C. To control who can access and perform actions on the bucket
D. To backup the bucket data automatically

Solution

  1. Step 1: Understand bucket policy role

    A bucket policy defines permissions for users or services to access the bucket.
  2. Step 2: Differentiate from other functions

    Storing files, monitoring, and backup are separate features, not controlled by bucket policies.
  3. Final Answer:

    To control who can access and perform actions on the bucket -> Option C
  4. Quick Check:

    Bucket policy = Access control [OK]
Hint: Bucket policies manage access permissions only [OK]
Common Mistakes:
  • Confusing bucket policy with storage function
  • Thinking bucket policy handles backups
  • Assuming bucket policy monitors usage
2. Which of the following is the correct JSON key to specify who is allowed or denied access in a bucket policy?
easy
A. "Action"
B. "Principal"
C. "Resource"
D. "Effect"

Solution

  1. Step 1: Identify the key for user or service

    The "Principal" key specifies the user, account, service, or entity the policy applies to.
  2. Step 2: Differentiate from other keys

    "Action" defines allowed actions, "Resource" defines the bucket or objects, "Effect" states Allow or Deny.
  3. Final Answer:

    "Principal" -> Option B
  4. Quick Check:

    Who = Principal [OK]
Hint: Principal means who gets access [OK]
Common Mistakes:
  • Confusing "Action" with "Principal"
  • Using "Effect" to specify user
  • Mixing up "Resource" with user identity
3. Given this bucket policy snippet, what does it allow?
{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::example-bucket/*"
}
medium
A. Allows anyone to upload files to the bucket
B. Allows only the bucket owner to delete objects
C. Denies all access to the bucket
D. Allows anyone to read objects from the bucket

Solution

  1. Step 1: Analyze the Effect and Principal

    Effect is "Allow" and Principal is "*" meaning everyone is allowed.
  2. Step 2: Check the Action and Resource

    Action is "s3:GetObject" which means read access to objects in the bucket "example-bucket".
  3. Final Answer:

    Allows anyone to read objects from the bucket -> Option D
  4. Quick Check:

    Allow + * + GetObject = public read [OK]
Hint: Effect Allow + Principal * + GetObject = public read [OK]
Common Mistakes:
  • Thinking GetObject allows uploads
  • Confusing Allow with Deny
  • Ignoring the wildcard * in Principal
4. You wrote this bucket policy but users still cannot upload files:
{
  "Effect": "Allow",
  "Principal": "*",
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::example-bucket"
}

What is the problem?
medium
A. The Resource ARN is missing the /* to specify objects
B. The Action s3:PutObject is invalid
C. The Principal cannot be * for uploads
D. Effect should be Deny to allow uploads

Solution

  1. Step 1: Check the Resource ARN format

    To allow object uploads, Resource must include "/*" to specify objects inside the bucket.
  2. Step 2: Validate Action and Principal

    s3:PutObject is valid, Principal "*" is allowed, and Effect "Allow" is correct.
  3. Final Answer:

    The Resource ARN is missing the /* to specify objects -> Option A
  4. Quick Check:

    PutObject needs resource with /* [OK]
Hint: Resource must end with /* for object actions [OK]
Common Mistakes:
  • Using bucket ARN without /* for object actions
  • Thinking Principal * is disallowed
  • Confusing Allow and Deny effects
5. You want to create a bucket policy that denies all users except a specific AWS account (ID: 123456789012) from deleting objects in your bucket named "secure-bucket". Which policy snippet correctly enforces this?
hard
A. { "Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": "123456789012" } } }
B. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }
C. { "Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }
D. { "Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }

Solution

  1. Step 1: Understand the requirement

    We want to deny delete actions to everyone except the specified account.
  2. Step 2: Analyze each option

    { "Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": "123456789012" } } } denies delete to all principals except where the principal account equals 123456789012 using Condition StringNotEquals. This matches the requirement.
    { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" } allows only the specified account but does not deny others explicitly.
    { "Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" } denies only the specified account, opposite of requirement.
    { "Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" } allows everyone, which is incorrect.
  3. Final Answer:

    Option A correctly denies delete to all except the specified account -> Option A
  4. Quick Check:

    Deny with Condition StringNotEquals excludes one account [OK]
Hint: Use Deny with Condition StringNotEquals for exceptions [OK]
Common Mistakes:
  • Using Allow without Deny for blocking others
  • Denying the allowed account by mistake
  • Not specifying Condition for exceptions