Complete the code to specify the minimum permission needed to allow reading objects from an S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:[1]",
"Resource": "arn:aws:s3:::example-bucket/*"
}
]
}The GetObject action allows reading objects from an S3 bucket, which follows the least privilege principle by granting only read access.
Complete the code to restrict an IAM user to only start EC2 instances.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:[1]",
"Resource": "*"
}
]
}The StartInstances action allows the user to start EC2 instances only, following the least privilege principle.
Fix the error in the policy to allow only listing the contents of a specific S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:[1]",
"Resource": "arn:aws:s3:::my-bucket"
}
]
}The ListBucket action allows listing the contents of the bucket itself, which requires the bucket ARN without the trailing /*.
Fill both blanks to create a policy that allows reading objects only from a specific folder inside an S3 bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:[1]",
"Resource": "arn:aws:s3:::example-bucket/[2]/*"
}
]
}The GetObject action allows reading objects, and specifying the folder 'logs' restricts access to that folder only.
Fill all three blanks to create a policy that allows an IAM user to start and stop EC2 instances only in a specific region.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["ec2:[1]", "ec2:[2]"],
"Resource": "arn:aws:ec2:[3]:*:instance/*"
}
]
}The actions StartInstances and StopInstances allow starting and stopping EC2 instances. Specifying the region us-west-2 restricts the policy to that region.