Blog Amazon Web Services Working with IAM and Bucket Policies
IAM and Bucket Policies

Working with IAM and Bucket Policies

How’s your preparation going on for the AWS Security Specialty exam? To help you in your AWS Certified Security Specialty exam preparation, here we bring another topic “Working with IAM and Bucket Policies“. This topic addresses the “Identity and Access Management” domain as highlighted in the blueprint of the AWS Certified Security Specialty exam with 20% weight. 

For an AWS Security Specialist, it is important to understand the usage of IAM and Bucket policies. So, let’s make it easy for you to work with IAM and Bucket policies with the help of a scenario and it’s implementation.

AWS Certified Security Specialty Free Test

Use Case Scenario

Let’s take the following use case scenario:

  • There are 2 IAM users: Dave and Sally
  • There are 2 S3 buckets defined in the account named as aws-bucket-demo-1 and aws-bucket-demo-2
  • Both the IAM users are part of a group called bucketgroup
  • What happens when IAM policy has already allowed the users to list the bucket content but Bucket policy has denied the same.

Implementation of the Above Scenarios to Understand IAM and Bucket Policies

Let us create an IAM policy as shown below and attach it to the Group named – bucketgroup

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::aws-bucket-demo-1”,
                  “arn:aws:s3:::aws-bucket-demo-2"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::aws-bucket-demo-1/*”,” arn:aws:s3:::aws-bucket-demo-2/*"
            ]
        }
    ]
}

Below is the screenshot of the IAM policy attached to the Group:

IAM policy attached to the Group

So, if you log in as either Dave or Sally, you will have access to both the buckets.

bucket access

But if you try to access any other bucket with either user, you will get an error as shown below:

IAM Policies

Let us understand the different segments of the IAM policy:

Part 1 – The first part of the policy is to give access to the users the ability to have console access to S3.

IAM and Bucket policies

Part 2 The second part is to give permission to access to the buckets itself and the objects in the bucket.

Identity and Access Management

Now let’s apply the following bucket policy to the bucket arn:aws:s3:::aws-bucket-demo-1. Let’s place a Deny policy for the Dave user.

Would Dave be granted access because of the effect of the IAM policy or would the bucket policy override this?

So, let’s try this out by adding the following bucket policy:

{
  "Id": "Policy1542998309644",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1542998308012",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::aws-bucket-demo-1",
      "Principal": {
        "AWS": [
          "arn:aws:iam::213171387512:user/Dave"
        ]
      }
    }
  ]
}

bucket policy editor

So now you will see that even though Dave has access to the S3 console and the ability to list buckets, the ability to list objects in the bucket is denied.

Access denied for bucket objects

Here you must note that if there is an explicit Deny permission for the resource, even if an allow permission is present, the user will be denied permission for that resource.

Other Related Resources:

How to set right inbound and outbound rules for Security Groups and NACLs?

How to use a Central CloudTrail S3 Bucket for Multiple AWS Accounts?

How to Grant Access to AWS Resources to the Third Party via Roles & External Id?

Summary

  • You can have both the IAM and bucket policies to govern the access to objects in a bucket.
  • You can apply specific permissions to S3 buckets in IAM policies.
  • If there is an explicit deny policy then the user will be denied to have access to the resource.

So, here we covered the working of IAM and bucket policies to help you in your AWS Certified Security Specialty exam preparation. Hope this article helped you understand the concepts of working with IAM and bucket policies. If you think that you’re done with your preparation, try AWS Certified Security Specialty practice tests and check your current level of preparation. Whizlabs practice tests series has been prepared by the team of subject matter experts and certified professionals.

Join us now and make yourself ready to become a certified Security specialist.

Need any other help with your AWS Certified Security Specialty exam preparation? Write in the comment below or reach us at Whizlabs Helpdesk, we’ll respond in no time!

About Neeru Jain

Technology Scientist by Mind and Passionate Writer by Heart!! With an enthusiasm for technological research and learning, Neeru turned out to be a technology expert. Her Belief: “Words are powerful enough to change Mind, Life, and the World; only the writer should have a real passion for Writing!!”
Spread the love

LEAVE A REPLY

Please enter your comment!
Please enter your name here