S3 Security

User-Based Policies / Identity-Based Policies

  • They are attached to an IAM user, group, or role.

  • These policies let you specify what that identity can do (its permissions).

  • Identity-based policies can be managed or inline.

Resource-Based Policies

  • They are attached to a resource.

  • For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, and AWS Key Management Service encryption keys.

  • With resource-based policies, you can specify who has access to the resource and what actions they can perform on it.

  • Resource-based policies are inline only, not managed.

Bucket Policies

  • Bucket policies are used to grant permission to your Amazon S3 resources.

  • They use a JSON-based access policy language.

  • In its most basic sense, a policy contains the following elements:

    • Resources

      • In a policy, you use the Amazon Resource Name (ARN) to identify the resource, such as buckets, objects, access points, and jobs.

    • Actions

      • You identify resource operations that you will allow (or deny) by using action keywords.

    • Effect

      • This can be either Allow or Deny.

    • Principal

      • This is the user, account, service, or other entity that is the recipient of this permission.

Block Public Access

  • The S3 Block Public Access feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources.

  • By default, new buckets, access points, and objects don't allow public access.

    • However, users can modify bucket policies, access point policies, or object permissions to allow public access.
