S3 Security

User-Based Policies/Identity-based policies

• They are attached to an IAM user, group, or role.

• These policies let you specify what that identity can do (its permissions).

• Identity-based policies can be managed or inline.

Resource-Based Policies

• They are attached to a resource.

• For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, and AWS Key Management Service encryption keys.

• With resource-based policies, you can specify who has access to the resource and what actions they can perform on it.

• Resource-based policies are inline only, not managed.

Bucket Policies

• Bucket policies are used to grant permission to your Amazon S3 resources.

• They use JSON-based access policy language.

• In its most basic sense, a policy contains the following elements:

  • Resources

    • In a policy, you use the Amazon Resource Name (ARN) to identify the resource, such as buckets, objects, access points, and jobs.

  • Actions

    • You identify resource operations that you will allow (or deny) by using action keywords.

  • Effect

    • This can be either allow or deny.

  • Principal

    • This is the user, account, service, or other entity that is the recipient of this permission.

Block Public Access

• The S3 Block Public Access feature provides settings for access points, buckets, and accounts to help you manage public access to Amazon S3 resources.

• By default, new buckets, access points, and objects don't allow public access.

  • However, users can modify bucket policies, access point policies, or object permissions to allow public access.