Ref: https://learn.cantrill.io/courses/1820301/lectures/41301469

• Summary
• Contents:

Providing Access to S3

• ❗ Although S3 is a public service when it comes to NWing, S3 is private by default when it comes to security!
  • Public endpoints reachable via the internet
  • Buckets & objects unreachable/protected by default
• S3 Security Settings
  • S3 bucket policies → resource policies, attached to a bucket
  • Access Control Lists (ACLs) → legacy
  • Block Public Access Settings → failsafe
  • 💡 Reminder: IAM identity policies → attached to IAM identities
    • Can allow/deny access to S3
• Final permissions, as usual, will be the overlap of all applicable policies and settings

S3 Bucket Policies

Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0700-SIMPLE_STORAGE_SERVICE(S3)/00_LEARNINGAIDS/S3Security-1.png

• 🔧 Resource policy attached to an S3 bucket
  • Reference Principal(s), allows/denies their access to S3
• 👎 Big limitation of identity policies: can only be attached to valid identities in your account
• 👍 In contrast, resource policies are very flexible, they can**:**
  • Allow/deny identities cross-account, or even all identities in other AWS accounts
  • Allow/deny anonymous or unauthenticated Principals! → Public Access
  • Block ranges of IP addresses
  • Block users that haven't enabled MFA
  • …
• "Principal" component in statement → indicates to what Principal(s) the policy applies
  • e.g. "Principal":"*" = anonymous principal
  • Not present in identity policies (Principal in identity policies is obviously the identity the policy is attached to)
• Examples of bucket policies: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

Choosing Between Identity or Resource Policy

• Choose identity policy if:
  • You must configure permissions of an identity for different services and resources
  • No support for resource policy (some AWS resources can't have policies)
  • You have a preference for IAM
  • Service(s) only used within the same account
• Choose resource policy if:
  • You just want to control/configure permissions for the service (e.g. S3)
  • Anonymous or cross-account permissions are needed
• 💡 Sometimes it's a preference or what makes sense for the business. Sometimes you will combine both identity and resource policies.