{"id":68479,"date":"2018-12-10T10:37:23","date_gmt":"2018-12-10T10:37:23","guid":{"rendered":"https:\/\/www.whizlabs.com\/blog\/?p=68479"},"modified":"2024-04-23T14:46:35","modified_gmt":"2024-04-23T09:16:35","slug":"iam-and-bucket-policies","status":"publish","type":"post","link":"https:\/\/www.whizlabs.com\/blog\/iam-and-bucket-policies\/","title":{"rendered":"Working with IAM and Bucket Policies"},"content":{"rendered":"<p style=\"text-align: justify;\">How&#8217;s your preparation going on for the AWS Security Specialty exam? To help you in your <a href=\"https:\/\/www.whizlabs.com\/blog\/prepare-aws-certified-security-specialty-exam\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Certified Security Specialty exam preparation<\/a>, here we bring another topic &#8220;<em>Working with IAM and Bucket Policies<\/em>&#8220;. This topic\u00a0<span style=\"font-weight: 400;\">addresses the &#8220;<em>Identity and Access Management<\/em>&#8221; domain as highlighted in the <a href=\"https:\/\/d1.awsstatic.com\/training-and-certification\/eligibilityupdates\/AWS%20Certified%20Security%20Specialty_Exam%20Guide_v1.6_FINAL.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">blueprint<\/a> of the AWS Certified Security Specialty exam with 20% weight.\u00a0<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">For an AWS Security Specialist, it is important to understand the usage of IAM and Bucket policies. 
So, let&#8217;s make it easy for you to work with IAM and Bucket policies with the help of a scenario and its implementation.<\/span><\/p>\n<h2 style=\"text-align: justify;\">Use Case Scenario<\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Let\u2019s take the following use case scenario:<\/span><\/p>\n<ul style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">There are 2 IAM users: Dave and Sally.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">There are 2 S3 buckets defined in the account, named aws-bucket-demo-1 and aws-bucket-demo-2.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Both IAM users are part of a group called bucketgroup.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The question: what happens when the IAM policy already allows the users to list the bucket content but the bucket policy denies the same action?<\/span><\/li>\n<\/ul>\n<h2 style=\"text-align: justify;\">Implementation of the Above Scenario to Understand IAM and Bucket 
Policies<\/h2>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Let us create an IAM policy as shown below and attach it to the Group named &#8211; bucketgroup<\/span><\/p>\n<pre style=\"text-align: justify;\"><span style=\"font-weight: 400;\">{<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\"Version\": \"2012-10-17\",<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\"Statement\": [<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Effect\": \"Allow\",<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Action\": [<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"s3:GetBucketLocation\",<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"s3:ListAllMyBuckets\"<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0],<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Resource\": \"*\"<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0},<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Effect\": \"Allow\",<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Action\": [<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"s3:ListBucket\"<\/span>\r\n<span style=\"font-weight: 
400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0],<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Resource\": [<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"arn:aws:s3:::aws-bucket-demo-1\",<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"arn:aws:s3:::aws-bucket-demo-2\"<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0]<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0},<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Effect\": \"Allow\",<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Action\": [<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"s3:GetObject\"<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0],<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"Resource\": [<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"arn:aws:s3:::aws-bucket-demo-1\/*\",<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"arn:aws:s3:::aws-bucket-demo-2\/*\"<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0]<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}<\/span>\r\n<span style=\"font-weight: 400;\"> 
\u00a0\u00a0\u00a0]<\/span>\r\n<span style=\"font-weight: 400;\">}\r\n<\/span><\/pre>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Below is the screenshot of the IAM policy attached to the Group:<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-68493 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/iam-policy-attached-to-the-group.png\" alt=\"IAM policy attached to the Group\" width=\"670\" height=\"435\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/iam-policy-attached-to-the-group.png 670w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/iam-policy-attached-to-the-group-300x194.png 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/iam-policy-attached-to-the-group-647x420.png 647w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/iam-policy-attached-to-the-group-341x220.png 341w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/iam-policy-attached-to-the-group-640x416.png 640w\" sizes=\"(max-width: 670px) 100vw, 670px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">So, if you log in as either Dave or Sally, you will have access to both the buckets.<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-68494 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/user-access-to-both-buckets.png\" alt=\"bucket access\" width=\"679\" height=\"190\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/user-access-to-both-buckets.png 679w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/user-access-to-both-buckets-300x84.png 300w, 
https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/user-access-to-both-buckets-640x179.png 640w\" sizes=\"(max-width: 679px) 100vw, 679px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">But if you try to access any other bucket with either user, you will get an error as shown below:<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-68489 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/access-denied-to-the-bucket.png\" alt=\"IAM Policies\" width=\"672\" height=\"392\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/access-denied-to-the-bucket.png 672w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/access-denied-to-the-bucket-300x175.png 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/access-denied-to-the-bucket-640x373.png 640w\" sizes=\"(max-width: 672px) 100vw, 672px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Let us understand the different segments of the IAM policy:<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><strong>Part 1 \u2013<\/strong> The first part of the policy gives the users console access to S3 (the s3:GetBucketLocation and s3:ListAllMyBuckets actions on all resources).<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-68488 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/ability-to-have-console-access-to-s3.png\" alt=\"IAM and Bucket policies\" width=\"696\" height=\"198\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/ability-to-have-console-access-to-s3.png 696w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/ability-to-have-console-access-to-s3-300x85.png 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/ability-to-have-console-access-to-s3-640x182.png 640w, 
https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/ability-to-have-console-access-to-s3-681x194.png 681w\" sizes=\"(max-width: 696px) 100vw, 696px\" \/><\/p>\n<p style=\"text-align: justify;\"><strong>Part 2<\/strong><span style=\"font-weight: 400;\"><strong> \u2013<\/strong> The second part grants access to the buckets themselves (s3:ListBucket) and to the objects in the buckets (s3:GetObject).<\/span><\/p>\n<p><img decoding=\"async\" class=\"alignnone wp-image-68490 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/access-to-bucket-and-bucket-objects.png\" alt=\"Identity and Access Management\" width=\"599\" height=\"284\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/access-to-bucket-and-bucket-objects.png 599w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/access-to-bucket-and-bucket-objects-300x142.png 300w\" sizes=\"(max-width: 599px) 100vw, 599px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Now let\u2019s apply the following bucket policy to the bucket arn:aws:s3:::aws-bucket-demo-1. Let\u2019s place a <\/span><b>Deny<\/b><span style=\"font-weight: 400;\"> policy for the Dave user. 
<\/span><\/p>\n<p style=\"text-align: justify;\"><i><span style=\"font-weight: 400;\">Would Dave be granted access because of the effect of the IAM policy or would the bucket policy override this?<\/span><\/i><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">So, let\u2019s try this out by adding the following bucket policy:<\/span><\/p>\n<pre><span style=\"font-weight: 400;\">{<\/span>\r\n\u00a0 \"Id\": \"Policy1542998309644\",\r\n<span style=\"font-weight: 400;\">\u00a0 \"Version\": \"2012-10-17\",<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\"Statement\": [<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0{<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\"Sid\": \"Stmt1542998308012\",<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\"Action\": [<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"s3:ListBucket\"<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0],<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\"Effect\": \"Deny\",<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\"Resource\": \"arn:aws:s3:::aws-bucket-demo-1\",<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\"Principal\": {<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"AWS\": [<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\"arn:aws:iam::213171387512:user\/Dave\"<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0]<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0\u00a0\u00a0}<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0\u00a0\u00a0}<\/span>\r\n<span style=\"font-weight: 400;\"> \u00a0]<\/span>\r\n<span style=\"font-weight: 400;\">}<\/span><\/pre>\n<p><img decoding=\"async\" 
class=\"alignnone wp-image-68495 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/bucket-policy-editor-new.png\" alt=\"bucket policy editor\" width=\"675\" height=\"297\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/bucket-policy-editor-new.png 675w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/bucket-policy-editor-new-300x132.png 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/bucket-policy-editor-new-640x282.png 640w\" sizes=\"(max-width: 675px) 100vw, 675px\" \/><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">So now you will see that even though Dave has access to the S3 console and the ability to list buckets, the ability to list objects in the bucket is denied.<\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\"><img decoding=\"async\" class=\"alignnone wp-image-68487 size-full\" src=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/sites\/2\/2018\/12\/ability-to-list-bucket-objects-is-denied.png\" alt=\"Access denied for bucket objects\" width=\"667\" height=\"439\" srcset=\"https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/ability-to-list-bucket-objects-is-denied.png 667w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/ability-to-list-bucket-objects-is-denied-300x197.png 300w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/ability-to-list-bucket-objects-is-denied-638x420.png 638w, https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/ability-to-list-bucket-objects-is-denied-640x421.png 640w\" sizes=\"(max-width: 667px) 100vw, 667px\" \/><\/span><\/p>\n<p style=\"text-align: justify;\"><span style=\"font-weight: 400;\">Here you must note that if there is an <\/span><b>explicit<\/b> <b>Deny permission<\/b><span style=\"font-weight: 400;\"> for the resource, even if an allow permission is present, the user will be denied 
permission for that resource<\/span><span style=\"font-weight: 400;\">.<\/span><\/p>\n<h4 style=\"text-align: justify;\">Summary<\/h4>\n<ul style=\"text-align: justify;\">\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">You can use both IAM policies and bucket policies to govern access to objects in a bucket.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">You can apply <\/span><span style=\"font-weight: 400;\">specific\u00a0permissions<\/span><span style=\"font-weight: 400;\"> to S3 buckets in IAM policies.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">If there is an explicit deny policy, the user will be denied access to the resource.<\/span><\/li>\n<\/ul>\n<p style=\"text-align: justify;\">So, here we covered the working of IAM and bucket policies to help you in your <a href=\"https:\/\/www.whizlabs.com\/blog\/prepare-aws-certified-security-specialty-exam\/\" target=\"_blank\" rel=\"noopener noreferrer\">AWS Certified Security Specialty exam preparation<\/a>. Hope this article helped you understand the concepts of working with IAM and bucket policies. 
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How&#8217;s your preparation going on for the AWS Security Specialty exam? To help you in your AWS Certified Security Specialty exam preparation, here we bring another topic &#8220;Working with IAM and Bucket Policies&#8220;. This topic\u00a0addresses the &#8220;Identity and Access Management&#8221; domain as highlighted in the blueprint of the AWS Certified Security Specialty exam with 20% weight.\u00a0 For an AWS Security Specialist, it is important to understand the usage of IAM and Bucket policies. So, let&#8217;s make it easy for you to work with IAM and Bucket policies with the help of a scenario and its implementation. 
Use Case Scenario Let\u2019s [&hellip;]<\/p>\n","protected":false},"author":13,"featured_media":68498,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_uag_custom_page_level_css":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"default","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[4],"tags":[229,234,520,919,921,1644],"class_list":["post-68479","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aws-certifications","tag-aws-certified-security-speciality-exam","tag-aws-certified-security-specialty-exam-preparation","tag-bucket-policy","tag-iam-policy","tag-identity-and-access-management","tag-working-with-iam-and-bucket-policies"],"uagb_featured_image_src":{"full":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",600,315,false],"thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies-150x150.png",150,150,true],"medium":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies-300x158.png",300,158,true],"medium_large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",600,315,false],"large":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",600,315,false],"1536x1536":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",600,315,false],"2048x2048":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",600,315,false],"profile_24":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",24,13,false],"profile_48":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",48,25,false],"profile_96":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",96,50,
false],"profile_150":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",150,79,false],"profile_300":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",300,158,false],"tptn_thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies-250x250.png",250,250,true],"web-stories-poster-portrait":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",600,315,false],"web-stories-publisher-logo":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",96,50,false],"web-stories-thumbnail":["https:\/\/www.whizlabs.com\/blog\/wp-content\/uploads\/2018\/12\/Working_with_IAM_and_Bucket_Policies.png",150,79,false]},"uagb_author_info":{"display_name":"Pavan Gumaste","author_link":"https:\/\/www.whizlabs.com\/blog\/author\/pavan\/"},"uagb_comment_info":6,"uagb_excerpt":"How&#8217;s your preparation going on for the AWS Security Specialty exam? To help you in your AWS Certified Security Specialty exam preparation, here we bring another topic &#8220;Working with IAM and Bucket Policies&#8220;. 
This topic\u00a0addresses the &#8220;Identity and Access Management&#8221; domain as highlighted in the blueprint of the AWS Certified Security Specialty exam with 20%&hellip;","_links":{"self":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/68479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/comments?post=68479"}],"version-history":[{"count":3,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/68479\/revisions"}],"predecessor-version":[{"id":94840,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/posts\/68479\/revisions\/94840"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media\/68498"}],"wp:attachment":[{"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/media?parent=68479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/categories?post=68479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whizlabs.com\/blog\/wp-json\/wp\/v2\/tags?post=68479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}