How is your preparation going for the AWS Security Specialty exam? To help you in your AWS Certified Security Specialty exam preparation, here we bring another topic, “Working with IAM and Bucket Policies”. This topic falls under the “Identity and Access Management” domain, which carries 20% weight in the blueprint of the AWS Certified Security Specialty exam.
For an AWS security specialist, it is important to understand how IAM policies and bucket policies interact. So, let’s make it easy for you to work with IAM and bucket policies with the help of a scenario and its implementation.
Use Case Scenario
Let’s take the following use case scenario:
- There are 2 IAM users: Dave and Sally
- There are 2 S3 buckets in the account, named aws-bucket-demo-1 and aws-bucket-demo-2
- Both IAM users are members of a group called bucketgroup
- What happens when the IAM policy has already allowed the users to list the bucket contents, but the bucket policy denies the same action?
Implementation of the Above Scenarios to Understand IAM and Bucket Policies
Let us create an IAM policy as shown below and attach it to the group named bucketgroup:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::aws-bucket-demo-1",
        "arn:aws:s3:::aws-bucket-demo-2"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::aws-bucket-demo-1/*",
        "arn:aws:s3:::aws-bucket-demo-2/*"
      ]
    }
  ]
}
Below is the screenshot of the IAM policy attached to the group:
So, if you log in as either Dave or Sally, you will have access to both buckets.
But if you try to access any other bucket with either user, you will get an error as shown below, because no statement allows it:
Let us understand the different segments of the IAM policy:
Part 1 – The first statement gives the users the permissions the S3 console needs (s3:GetBucketLocation and s3:ListAllMyBuckets on all resources), so they can browse S3 at all.
Part 2 – The second and third statements grant access to the two buckets themselves (s3:ListBucket) and to the objects inside them (s3:GetObject).
Now let’s apply the following bucket policy to the bucket arn:aws:s3:::aws-bucket-demo-1, placing an explicit Deny on the user Dave.
Would Dave be granted access because of the effect of the IAM policy or would the bucket policy override this?
So, let’s try this out by adding the following bucket policy:
{
  "Id": "Policy1542998309644",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1542998308012",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::aws-bucket-demo-1",
      "Principal": {
        "AWS": [
          "arn:aws:iam::213171387512:user/Dave"
        ]
      }
    }
  ]
}
So now you will see that even though Dave can still open the S3 console and list the buckets, listing the objects in aws-bucket-demo-1 is denied.
Here you must note that an explicit Deny on a resource always wins: even if an Allow for the same action is present in the IAM policy, the user is denied permission for that resource.
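The following is an added example, not part of the original article: a small simulation of how AWS combines the group’s IAM policy with the bucket policy on aws-bucket-demo-1 for a same-account user. It assumes the simplified evaluation rules the article describes (an applicable explicit Deny wins, otherwise any applicable Allow grants access, otherwise the request is implicitly denied) and ignores conditions, NotAction/NotResource, SCPs and permission boundaries.

```python
"""Simplified IAM + bucket policy evaluation for the article's scenario.
Constructed example: the two policy documents are the ones shown above,
embedded as Python dicts; the account id comes from the bucket policy."""
from fnmatch import fnmatchcase

ACCOUNT = "213171387512"  # account id from the article's bucket policy
GROUP_POLICY = {  # IAM policy attached to bucketgroup (Dave and Sally)
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::aws-bucket-demo-1", "arn:aws:s3:::aws-bucket-demo-2"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::aws-bucket-demo-1/*", "arn:aws:s3:::aws-bucket-demo-2/*"]},
    ]
}
BUCKET_POLICIES = {  # only aws-bucket-demo-1 carries a bucket policy
    "aws-bucket-demo-1": {"Statement": [
        {"Effect": "Deny", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::aws-bucket-demo-1",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:user/Dave"]}},
    ]}
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _applies(stmt, action, resource, principal_arn):
    """A statement applies when action, resource and (for bucket policies) principal match."""
    if "Principal" in stmt:  # resource-based policy: scoped to named principals
        principals = _as_list(stmt["Principal"].get("AWS", []))
    else:                    # identity-based policy: implicitly scoped to the caller
        principals = ["*"]
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and any(p == "*" or p == principal_arn for p in principals))

def is_allowed(user, action, resource):
    """Evaluate the group's IAM policy together with the target bucket's policy."""
    principal_arn = f"arn:aws:iam::{ACCOUNT}:user/{user}"
    bucket = resource.split(":::", 1)[1].split("/", 1)[0] if ":::" in resource else ""
    statements = GROUP_POLICY["Statement"] + BUCKET_POLICIES.get(bucket, {}).get("Statement", [])
    applicable = [s for s in statements if _applies(s, action, resource, principal_arn)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return False  # an explicit Deny overrides every Allow
    return any(s["Effect"] == "Allow" for s in applicable)  # else implicit deny

if __name__ == "__main__":
    print("Dave ListBucket demo-1:", is_allowed("Dave", "s3:ListBucket", "arn:aws:s3:::aws-bucket-demo-1"))
    print("Sally ListBucket demo-1:", is_allowed("Sally", "s3:ListBucket", "arn:aws:s3:::aws-bucket-demo-1"))
```

Note that the Deny covers only s3:ListBucket, so Dave can still read objects in aws-bucket-demo-1 by key; a Deny on s3:GetObject for arn:aws:s3:::aws-bucket-demo-1/* would be needed to block that too.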
Summary
- Both IAM policies and bucket policies can govern access to the objects in a bucket, and AWS evaluates them together.
- You can grant permissions on specific S3 buckets and object prefixes in IAM policies.
- If an explicit Deny applies to the request, the user is denied access to the resource regardless of any Allow.
So, here we covered how IAM and bucket policies work together, to help you in your AWS Certified Security Specialty exam preparation. We hope this article helped you understand the concepts of working with IAM and bucket policies. If you think you’re done with your preparation, try the AWS Certified Security Specialty practice tests and check your current level of preparation. The Whizlabs practice test series has been prepared by a team of subject matter experts and certified professionals.
Join us now and get ready to become a certified security specialist.
Need any other help with your AWS Certified Security Specialty exam preparation? Write in the comments below or reach us at the Whizlabs Helpdesk; we’ll respond in no time!