Bucket policies for access control in AWS - Cheat Sheet & Quick Revision

Recall & Review
beginner
What is a bucket policy in AWS S3?
A bucket policy is a resource-based policy, written in JSON and attached to a single S3 bucket, whose statements define which principals may perform which S3 actions on the bucket and on the objects in it.
intermediate
How does a bucket policy differ from IAM policies?
Bucket policies are resource-based: attached to one S3 bucket, they must name a Principal and control access to that bucket only. IAM policies are identity-based: attached to users, groups, or roles, they govern what that identity may do across AWS services. For a principal in the same account as the bucket, a request succeeds if either policy allows it and neither denies it; for a principal in another account, both the bucket policy and the principal's own IAM policy must allow it.
beginner
What is the effect of the "Effect": "Deny" statement in a bucket policy?
It explicitly blocks the specified actions for the matching principals, resources, or conditions, and it overrides any Allow, whether that Allow comes from the bucket policy itself or from an IAM policy.
intermediate
Can bucket policies restrict access based on IP address?
Yes. The condition uses the aws:SourceIp key with the IpAddress or NotIpAddress operator and one or more CIDR ranges; the usual shape is a Deny statement with NotIpAddress, so that every request from outside the listed ranges is refused. aws:SourceIp is the public address S3 sees, and it is not present for requests that arrive through a VPC endpoint, where aws:VpcSourceIp or aws:SourceVpce is used instead.
beginner
What happens if no bucket policy is attached to an S3 bucket?
By default the bucket is private. No principal outside the bucket owner's account can reach it, and principals inside the account get access only through IAM policies attached to them (or, where the bucket still honours them, ACLs). S3 Block Public Access, which is on by default for new buckets, additionally stops the bucket from being opened to the public by a later policy or ACL.
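To make the flashcard rules concrete, here is an added example, written for this page and not code from the original or from AWS: a toy bucket-policy evaluator in Python. It implements the decision logic described above (implicit deny by default, an explicit Deny beating any Allow, Resource patterns where "bucket/*" covers objects but not the bucket itself, and the IpAddress/NotIpAddress condition on aws:SourceIp) and goes one step further by modelling StringEquals/StringNotEquals on aws:PrincipalAccount, so the deny-everyone-except-one-account pattern can be tried as well. The bucket name, the 203.0.113.0/24 office range, the account IDs and the request() helper are all constructed for the example.

```python
"""Toy evaluator for one S3 bucket policy (added example, not AWS code).
Models only the rules on this page: implicit deny unless a statement allows,
explicit Deny beats Allow, literal ARN matching ("bucket/*" is objects, not
the bucket), and the IpAddress/NotIpAddress and StringEquals/StringNotEquals
condition operators. Real evaluation also folds in IAM policies, SCPs,
permission boundaries, ACLs and Block Public Access; this does not."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, req):
    # "*" (or {"AWS": "*"}) matches every requester, including anonymous ones.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        arns = _as_list(principal.get("AWS", []))
        return "*" in arns or req["principal_arn"] in arns
    return False


def _condition_matches(condition, req):
    """All operator/key pairs must hold. A key absent from the request context
    fails a positive operator but satisfies a negated ("Not...") one."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = req["context"].get(key)
            expected = _as_list(expected)
            if operator in ("IpAddress", "NotIpAddress"):
                hit = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                    for cidr in expected)
            elif operator in ("StringEquals", "StringNotEquals"):
                hit = actual in expected
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if hit == ("Not" in operator):  # a negated operator inverts the match
                return False
    return True


def evaluate(policy, req):
    """Return "Allow" or "Deny" for one request against one bucket policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), req):
            continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(req["action"].lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(req["resource"], r)
                   for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), req):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny ends evaluation, whatever else allowed it
        allowed = True
    return "Allow" if allowed else "Deny"  # nothing allowed it: implicit deny


def request(action, resource, ip, principal_arn="anonymous", account=None):
    """Build a request context (constructed helper, not an AWS API)."""
    ctx = {"aws:SourceIp": ip}
    if account:  # anonymous requests carry no aws:PrincipalAccount key
        ctx["aws:PrincipalAccount"] = account
    return {"action": action, "resource": resource,
            "principal_arn": principal_arn, "context": ctx}


BUCKET = "arn:aws:s3:::example-bucket"  # constructed bucket name
OFFICE = "203.0.113.0/24"               # constructed office range

# Constructed policy 1: public read, plus an explicit Deny for any request
# that does not come from the office range.
OFFICE_ONLY_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"NotIpAddress": {"aws:SourceIp": OFFICE}}},
]}

# Constructed policy 2: nobody may delete objects except account 123456789012.
# The broad Allow stands in for the IAM allow a real caller would carry.
DELETE_ONLY_FROM_ACCOUNT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject",
     "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
     "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "123456789012"}}},
]}

if __name__ == "__main__":
    obj = BUCKET + "/report.pdf"
    print(evaluate(OFFICE_ONLY_READ, request("s3:GetObject", obj, "203.0.113.10")))  # Allow
    print(evaluate(OFFICE_ONLY_READ, request("s3:GetObject", obj, "198.51.100.7")))  # Deny
    print(evaluate(OFFICE_ONLY_READ, request("s3:PutObject", obj, "203.0.113.10")))  # Deny
    print(evaluate(DELETE_ONLY_FROM_ACCOUNT, request(
        "s3:DeleteObject", obj, "198.51.100.7",
        "arn:aws:iam::123456789012:user/ops", "123456789012")))  # Allow
    print(evaluate(DELETE_ONLY_FROM_ACCOUNT, request("s3:DeleteObject", obj, "198.51.100.7")))  # Deny
```

Running the file prints the five decisions: office read allowed, off-site read denied because the Deny beats the Allow, an upload denied because nothing allows it, a delete from the exempted account allowed, and an anonymous delete denied because a request without aws:PrincipalAccount satisfies StringNotEquals. Because the evaluator ignores everything AWS layers on top of the bucket policy, a Deny from it is reliable but an Allow is not the final word.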
What does a bucket policy primarily control?
A. Who can access the bucket and what actions they can perform
B. The physical location of the bucket
C. The cost of storing data in the bucket
D. The encryption method used for objects
Which JSON element in a bucket policy specifies whether access is allowed or denied?
A. Action
B. Resource
C. Effect
D. Principal
Can a bucket policy grant access to all users on the internet?
A. No, bucket policies cannot grant public access
B. Only if the user has an AWS account
C. Only if the bucket is encrypted
D. Yes, by setting Principal to "*"
Which condition can be used in a bucket policy to restrict access by IP address?
A. "IpAddress"
B. "StringEquals"
C. "Bool"
D. "NumericLessThan"
If a bucket policy denies access to a user, what happens if an IAM policy allows it?
A. Access is allowed because IAM policies have priority
B. Access is denied because deny overrides allow
C. Access is allowed only during business hours
D. Access is denied only if MFA is not used
Explain how bucket policies control access to an S3 bucket.
Think about rules that say who can do what with the bucket.
Describe the difference between a bucket policy and an IAM policy.
Consider where each policy is applied and what it controls.

Practice

      1. What is the main purpose of a bucket policy in AWS S3?
      easy
      A. To monitor the bucket usage statistics
      B. To store files inside the bucket
      C. To control who can access and perform actions on the bucket
      D. To backup the bucket data automatically

      Solution

      1. Step 1: Understand bucket policy role

        A bucket policy defines permissions for users or services to access the bucket.
      2. Step 2: Differentiate from other functions

        Storing files, monitoring, and backup are separate features, not controlled by bucket policies.
      3. Final Answer:

        To control who can access and perform actions on the bucket -> Option C
      4. Quick Check:

        Bucket policy = access control
      Hint: Bucket policies manage access permissions only
      Common Mistakes:
      • Confusing bucket policy with storage function
      • Thinking bucket policy handles backups
      • Assuming bucket policy monitors usage
      2. Which of the following is the correct JSON key to specify who is allowed or denied access in a bucket policy?
      easy
      A. "Action"
      B. "Principal"
      C. "Resource"
      D. "Effect"

      Solution

      1. Step 1: Identify the key for user or service

        The "Principal" key names the account, IAM user or role, service, or anonymous requester ("*") that the statement applies to. It is required in a bucket policy, which is a resource-based policy; IAM identity policies omit it because the identity they are attached to is the implied principal.
      2. Step 2: Differentiate from other keys

        "Action" lists the S3 API operations, "Resource" names the bucket ARN and/or the object ARNs (bucket/*), and "Effect" states Allow or Deny.
      3. Final Answer:

        "Principal" -> Option B
      4. Quick Check:

        Who = Principal
      Hint: Principal means who gets access
      Common Mistakes:
      • Confusing "Action" with "Principal"
      • Using "Effect" to specify user
      • Mixing up "Resource" with user identity
      3. Given this bucket policy snippet, what does it allow?
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*"
      }
      medium
      A. Allows anyone to upload files to the bucket
      B. Allows only the bucket owner to delete objects
      C. Denies all access to the bucket
      D. Allows anyone to read objects from the bucket

      Solution

      1. Step 1: Analyze the Effect and Principal

        Effect is "Allow" and Principal is "*", so the statement applies to every requester, including unauthenticated (anonymous) requests from the internet.
      2. Step 2: Check the Action and Resource

        Action is "s3:GetObject" (read an object) and Resource is "arn:aws:s3:::example-bucket/*", every object in "example-bucket". The statement grants no write or list permission. Note that S3 Block Public Access, on by default for new buckets, rejects a policy like this unless it has been turned off for the bucket.
      3. Final Answer:

        Allows anyone to read objects from the bucket -> Option D
      4. Quick Check:

        Allow + * + GetObject = public read
      Hint: Effect Allow + Principal * + GetObject = public read
      Common Mistakes:
      • Thinking GetObject allows uploads
      • Confusing Allow with Deny
      • Ignoring the wildcard * in Principal
      4. You wrote this bucket policy but users still cannot upload files:
      {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-bucket"
      }

      What is the problem?
      medium
      A. The Resource ARN is missing the /* to specify objects
      B. The Action s3:PutObject is invalid
      C. The Principal cannot be * for uploads
      D. Effect should be Deny to allow uploads

      Solution

      1. Step 1: Check the Resource ARN format

        s3:PutObject is an object-level action, so Resource must name objects: "arn:aws:s3:::example-bucket/*". The bucket ARN alone ("arn:aws:s3:::example-bucket") only covers bucket-level actions such as s3:ListBucket, so as written the statement matches no request at all.
      2. Step 2: Validate Action and Principal

        s3:PutObject is a valid action, Principal "*" is syntactically valid, and Effect "Allow" is right for a grant. Be aware, though, that "*" makes this an anonymous public write, which S3 Block Public Access will reject and which almost no workload should want.
      3. Final Answer:

        The Resource ARN is missing the /* to specify objects -> Option A
      4. Quick Check:

        PutObject needs a Resource ending in /*
      Hint: Resource must end with /* for object actions
      Common Mistakes:
      • Using bucket ARN without /* for object actions
      • Thinking Principal * is disallowed
      • Confusing Allow and Deny effects
      5. You want to create a bucket policy that denies all users except a specific AWS account (ID: 123456789012) from deleting objects in your bucket named "secure-bucket". Which policy snippet correctly enforces this?
      hard
      A. { "Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": "123456789012" } } }
      B. { "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }
      C. { "Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }
      D. { "Effect": "Allow", "Principal": "*", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::secure-bucket/*" }

      Solution

      1. Step 1: Understand the requirement

        We want to deny delete actions to everyone except the specified account.
      2. Step 2: Analyze each option

        Option A denies s3:DeleteObject to every principal except requests whose aws:PrincipalAccount equals 123456789012; StringNotEquals is what carves out that one account. This matches the requirement. Two side effects are worth knowing: the bucket owner's own account is denied as well unless it is 123456789012, and anonymous requests, which carry no aws:PrincipalAccount key, are denied because a negated operator is satisfied when its key is absent.
        Option B grants s3:DeleteObject to account 123456789012 (the :root principal delegates to the whole account, which must still allow the action in IAM) but denies nobody: principals in the bucket owner's account that hold DeleteObject through IAM can still delete.
        Option C denies only the specified account, the opposite of the requirement.
        Option D allows everyone, including anonymous requesters, to delete objects.
      3. Final Answer:

        Option A correctly denies delete to all except the specified account -> Option A
      4. Quick Check:

        Deny with Condition StringNotEquals excludes one account
      Hint: Use Deny with Condition StringNotEquals for exceptions
      Common Mistakes:
      • Using Allow without Deny for blocking others
      • Denying the allowed account by mistake
      • Not specifying Condition for exceptions
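As an added example, not from the original page or from AWS, the following Python linter encodes the three mistakes the practice questions above turn on, so they can be caught before a policy is attached: an unconditional Allow to "*" (question 3's public read), an action whose Resource is at the wrong level (question 4's PutObject on a bare bucket ARN), and an unconditional Deny to "*" that locks out the bucket owner too (the trap behind question 5). The action-level classification is a name heuristic assumed for the example, and the sample policies are constructed to mirror questions 3, 4 and 5 (option A).

```python
"""Static checks for common bucket-policy mistakes (added example, not AWS
code). lint() reports:
  1. Allow to Principal "*" with no Condition: a public grant.
  2. An object-level action with no "bucket/*" Resource, or a bucket-level
     action with no plain bucket ARN: the statement can never match.
  3. Deny to Principal "*" with no Condition: locks out every principal,
     including the bucket owner's account.
Action levels come from a name heuristic ("Object" vs "Bucket"), which is an
assumption of this example, not an AWS API."""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _action_level(action):
    """'object' for s3:GetObject-style actions, 'bucket' for s3:ListBucket-style,
    None for wildcards and anything the heuristic does not recognise."""
    name = action.split(":", 1)[-1]
    if "*" in name:
        return None
    if "Object" in name:
        return "object"
    if "Bucket" in name:
        return "bucket"
    return None


def _resource_levels(resources):
    """ARN levels a Resource list covers: anything after the bucket name
    (".../*", ".../logs/*") is an object ARN, a bare bucket ARN is bucket level."""
    levels = set()
    for arn in resources:
        if arn == "*":
            return {"bucket", "object"}
        levels.add("object" if "/" in arn.split(":::", 1)[-1] else "bucket")
    return levels


def lint(policy):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        sid = stmt.get("Sid", f"statement[{i}]")
        effect = stmt.get("Effect")
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        unconditional = not stmt.get("Condition")

        if principal is None:
            findings.append(f"{sid}: a bucket policy statement must name a Principal")
        elif _is_wildcard_principal(principal) and unconditional:
            if effect == "Allow":
                findings.append(f"{sid}: public grant of {actions} to everyone "
                                "(Principal '*' with no Condition)")
            elif effect == "Deny":
                findings.append(f"{sid}: unconditional Deny to '*' locks out every "
                                "principal, including the bucket owner's account")

        covered = _resource_levels(resources)
        for action in actions:
            level = _action_level(action)
            if level and level not in covered:
                findings.append(f"{sid}: {action} is {level}-level but Resource "
                                f"{resources} lists no {level} ARN; it can never match")
    return findings


# Constructed policies mirroring practice questions 3, 4 and 5 (option A).
BUCKET = "arn:aws:s3:::example-bucket"
PUBLIC_READ = {"Statement": [{"Effect": "Allow", "Principal": "*",
                              "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
BROKEN_UPLOAD = {"Statement": [{"Effect": "Allow", "Principal": "*",
                                "Action": "s3:PutObject", "Resource": BUCKET}]}
DENY_DELETE_EXCEPT_ACCOUNT = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
    "Resource": "arn:aws:s3:::secure-bucket/*",
    "Condition": {"StringNotEquals": {"aws:PrincipalAccount": "123456789012"}}}]}

if __name__ == "__main__":
    for name, policy in [("PUBLIC_READ", PUBLIC_READ), ("BROKEN_UPLOAD", BROKEN_UPLOAD),
                         ("DENY_DELETE_EXCEPT_ACCOUNT", DENY_DELETE_EXCEPT_ACCOUNT)]:
        print(name, "->", lint(policy) or ["clean"])
```

BROKEN_UPLOAD produces two findings, the public grant and the never-matching Resource, which is the right outcome: fixing only the ARN would turn a dead statement into a live anonymous write. The deny-except-one-account policy from question 5 comes back clean because its Deny carries a Condition.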