
Bucket policies for access control in AWS - Mini Project: Build & Apply

Bucket policies for access control
📖 Scenario: You are managing a cloud storage bucket where you want to control who can access the files. You will create a bucket policy that allows only specific users to read files from the bucket.
🎯 Goal: Build an AWS S3 bucket policy that grants read-only access to a specific user and denies access to everyone else.
📋 What You'll Learn
Create a bucket policy JSON structure
Add a statement that allows read access to a specific AWS user ARN
Add a statement that denies all other users access
Use correct JSON syntax for AWS bucket policies
💡 Why This Matters
🌍 Real World
Bucket policies control who can access files in cloud storage, protecting data and managing permissions.
💼 Career
Understanding bucket policies is essential for cloud administrators and developers managing secure cloud storage.
Step 1: Create the basic bucket policy structure
Create a variable called bucket_policy and assign it a dictionary with the key Version set to "2012-10-17" and an empty list for the key Statement.

Hint: The bucket policy must start with a Version and an empty Statement list.

Step 2: Add an allow statement for a specific user
Add a dictionary to bucket_policy["Statement"] that allows "s3:GetObject" action for the resource "arn:aws:s3:::example-bucket/*" and the principal with the AWS user ARN "arn:aws:iam::123456789012:user/Alice". Use Effect set to "Allow".

Hint: The allow statement must specify the action, resource, principal, and effect.

Step 3: Add a deny statement for all other users
Add another dictionary to bucket_policy["Statement"] that denies "s3:GetObject" action for the resource "arn:aws:s3:::example-bucket/*" to the principal "*" (everyone). Use Effect set to "Deny".

Hint: The deny statement blocks everyone except the allowed user.

Step 4: Convert the bucket policy to a JSON string
Import the json module and create a variable called bucket_policy_json that contains the JSON string of bucket_policy using json.dumps() with indentation of 2 spaces.

Hint: Use the json module to convert the dictionary to a JSON string for AWS.
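
The policy from steps 1 to 3, run through a simplified evaluator, as an added example that is not part of the original exercise. In AWS policy evaluation an explicit Deny overrides any Allow, so a Deny with Principal "*" also matches Alice; the second variant exempts her with a StringNotEquals condition on aws:PrincipalArn. The user Bob, the object key, and the evaluator are constructed for illustration, and the evaluator models only the policy fields used here.

```python
import json
from fnmatch import fnmatchcase

OBJECTS = "arn:aws:s3:::example-bucket/*"
ALICE = "arn:aws:iam::123456789012:user/Alice"
BOB = "arn:aws:iam::123456789012:user/Bob"  # constructed second user

def build_policy(scoped_deny):
    """Steps 1-3; scoped_deny adds a condition exempting Alice from the Deny."""
    allow = {"Effect": "Allow", "Principal": {"AWS": ALICE},
             "Action": "s3:GetObject", "Resource": OBJECTS}
    deny = {"Effect": "Deny", "Principal": "*",
            "Action": "s3:GetObject", "Resource": OBJECTS}
    if scoped_deny:
        deny["Condition"] = {"StringNotEquals": {"aws:PrincipalArn": ALICE}}
    return {"Version": "2012-10-17", "Statement": [allow, deny]}

def _matches(stmt, principal, action, resource):
    p = stmt["Principal"]
    named = ["*"] if p == "*" else p["AWS"]
    if isinstance(named, str):
        named = [named]
    if "*" not in named and principal not in named:
        return False
    if not (fnmatchcase(action, stmt["Action"])
            and fnmatchcase(resource, stmt["Resource"])):
        return False
    # Only the one condition operator and key used in this example are modelled.
    cond = stmt.get("Condition", {}).get("StringNotEquals", {})
    return all(principal != v for k, v in cond.items() if k == "aws:PrincipalArn")

def evaluate(policy, principal, action, resource):
    """Simplified model: explicit Deny wins, then Allow, else implicit deny."""
    hits = [s["Effect"] for s in policy["Statement"]
            if _matches(s, principal, action, resource)]
    if "Deny" in hits:
        return "Deny"
    return "Allow" if "Allow" in hits else "ImplicitDeny"

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed object key
    for scoped in (False, True):
        policy = build_policy(scoped)
        print(json.dumps(policy["Statement"][1], indent=2))
        for who in (ALICE, BOB):
            name = who.rsplit("/", 1)[1]
            print(" ", name, evaluate(policy, who, "s3:GetObject", obj))
```
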