12.129: Bucket policy - Coggle Diagram
Security
    User based
        IAM Policies: which API calls are allowed for a specific user (attached to the user in IAM)
    Resource based
        Bucket Policies: bucket-wide rules set from the S3 console; allow cross-account access
        Bucket Access Control List (ACL): less common, can be disabled
        Object Access Control List (ACL): finer-grained, can be disabled
    Note: an IAM principal can access an S3 object if
        the user's IAM permissions ALLOW it OR the resource policy ALLOWs it,
        AND there is no explicit DENY
    Encryption
        Encrypt objects in Amazon S3 using encryption keys
Bucket policy
    JSON-based policy
        Resource: buckets and objects
        Effect: Allow/Deny
        Actions: set of API calls to Allow/Deny
        Principal: account or user the policy applies to
    Purpose
        Grant public access to a bucket
        Force objects to be encrypted at upload
        Grant access to another account (cross-account)
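The following is an added example, not part of the Coggle diagram and not AWS code. It shows a bucket policy in the JSON form described above (Resource, Effect, Action, Principal) covering two of the listed purposes, cross-account read access and forcing encryption at upload, and a toy evaluator that applies the stated access rule: the request is allowed if the identity policy OR the bucket policy allows it, AND no statement explicitly denies it. Account IDs, the bucket name, and the user name are constructed placeholders; the evaluator only understands the StringEquals/StringNotEquals condition operators and ignores SCPs, permission boundaries and session policies.

```python
"""Toy evaluator for the S3 access rule in the diagram (added example, not AWS code)."""
import fnmatch
import json

# Constructed placeholders: not real accounts or buckets.
ACCOUNT_A_USER = "arn:aws:iam::111111111111:user/alice"
ACCOUNT_B_ROOT = "arn:aws:iam::222222222222:root"
BUCKET_ARN = "arn:aws:s3:::example-bucket"

# Bucket policy in the JSON form from the diagram: cross-account read plus
# an explicit Deny for uploads that do not request SSE-KMS encryption.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountRead",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenyUnencryptedUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}
    }
  ]
}
""")

# Identity-based (IAM) policy attached to alice in account A; no Principal field,
# because an identity policy applies to the identity it is attached to.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    spec = stmt.get("Principal", "*")          # identity policies have no Principal
    if spec == "*":
        return True
    if isinstance(spec, dict):
        return any(arn in ("*", principal) for arn in _as_list(spec.get("AWS", [])))
    return False


def _condition_matches(stmt, context):
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # A missing key satisfies a negated operator, so an upload that
                # sends no SSE header is still caught by the Deny statement.
                if actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def _statement_matches(stmt, principal, action, resource, context):
    return (_principal_matches(stmt, principal)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_matches(stmt, context))


def matching_effects(policy, principal, action, resource, context):
    """Effects of every statement in `policy` that matches the request."""
    if policy is None:
        return []
    return [s["Effect"] for s in policy["Statement"]
            if _statement_matches(s, principal, action, resource, context)]


def is_allowed(identity_policy, bucket_policy, principal, action, resource, context=None):
    """(identity ALLOW or bucket ALLOW) and no explicit DENY, as stated in the diagram."""
    context = context or {}
    effects = (matching_effects(identity_policy, principal, action, resource, context)
               + matching_effects(bucket_policy, principal, action, resource, context))
    if "Deny" in effects:
        return False
    return "Allow" in effects


if __name__ == "__main__":
    obj = BUCKET_ARN + "/report.csv"
    sse = {"s3:x-amz-server-side-encryption": "aws:kms"}
    print("encrypted upload by alice:", is_allowed(IDENTITY_POLICY, BUCKET_POLICY, ACCOUNT_A_USER, "s3:PutObject", obj, sse))
    print("plain upload by alice:    ", is_allowed(IDENTITY_POLICY, BUCKET_POLICY, ACCOUNT_A_USER, "s3:PutObject", obj))
    print("cross-account read:       ", is_allowed(None, BUCKET_POLICY, ACCOUNT_B_ROOT, "s3:GetObject", obj))
```

Two behaviours worth noting: the Deny statement wins even though alice's IAM policy allows PutObject, which is exactly how a bucket policy enforces encryption at upload, and account B's root can read objects with no identity policy supplied at all, because the resource policy alone allows it (in real AWS the cross-account caller also needs an identity-side allow; the evaluator models only the same-account rule given in the diagram).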