11.3.3 Bucket policies

Bucket policies are the most flexible method of security control, because they can grant as well as deny access to some or all objects within a specified bucket at both account and user levels. Though you can use bucket policies in conjunction with IAM policies, bucket policies can be used on their own and achieve the same result. For example, figure 11.10 demonstrates how two users (Ann and Dan) have been granted authority to put objects into a bucket called bucket_kma.
Perhaps you're wondering when to use a bucket policy versus an ACL. The answer is that it depends on what you're trying to accomplish. Access-control lists provide a coarse-grained approach to granting access to your buckets/objects. Bucket policies have a finer-grained approach. There are times when using both bucket policies and ACLs makes sense, such as when:

- You want to grant a wide variety of permissions to objects but you only have a bucket policy.
- Your bucket policy is greater than 20 KB in size. The maximum size for a bucket policy is 20 KB. If you have a large number of objects and users, you can grant additional permissions using an ACL.
There are a few things to keep in mind when combining bucket policies and ACLs:

- If you use ACLs with bucket policies, S3 will use both to determine whether the account has permissions to access an object.
- If an account has access to an object through an ACL, it'll be able to access the requested bucket/object.
[Figure 11.10: two panels joined by "...is the same as...". Left ("IAM policy..."): Allow, Actions: PutObject, Resource: Aws:s3:::bucket_kma/*, granted to the users Ann and Dan. Right ("...bucket policy"): Allow, Who: Ann, Dan, Actions: PutObject, Resource: Aws:s3:::bucket_kma/*.]

Figure 11.10 You can use a bucket policy to grant users access to your AWS S3 objects without using IAM policies. On the left, the IAM policy allows the PutObject action for bucket_kma in an AWS account, and then gives the users Ann and Dan permission to access that account/action. On the right, the bucket policy is attached to bucket_kma and, like the IAM policy, gives Ann and Dan permission to access PutObject on the bucket.
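As an added example (not code from the book), the right-hand side of figure 11.10 written out as a bucket policy document in Python, together with the 20 KB size check the text mentions and a check for an open (`*`) principal. The account ID is a constructed placeholder, the IAM-user ARN form is an assumption, and the bucket resource is written in its full `arn:aws:s3:::` form.

```python
import json

# Constructed sample values (not from the book): a placeholder account ID plus
# the bucket and users shown in figure 11.10.
ACCOUNT_ID = "123456789012"
BUCKET = "bucket_kma"
USERS = ["Ann", "Dan"]

MAX_POLICY_BYTES = 20 * 1024  # the 20 KB bucket-policy limit the text states


def build_put_object_policy(account_id, bucket, users):
    """Bucket policy granting s3:PutObject on every object in `bucket` to the
    named IAM users of `account_id` (the right-hand side of figure 11.10)."""
    principals = [f"arn:aws:iam::{account_id}:user/{u}" for u in users]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowPutObject",
            "Effect": "Allow",
            "Principal": {"AWS": principals},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def policy_bytes(policy):
    """Size of the policy as S3 receives it: compact JSON, UTF-8 encoded."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def fits_size_limit(policy):
    return policy_bytes(policy) <= MAX_POLICY_BYTES


def public_statements(policy):
    """Sids of Allow statements whose principal is '*', i.e. anyone. Such a
    statement opens the bucket to the public for that action; check first."""
    flagged = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        is_anyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and is_anyone:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    policy = build_put_object_policy(ACCOUNT_ID, BUCKET, USERS)
    print(json.dumps(policy, indent=2))
    print("within 20 KB:", fits_size_limit(policy), "public:", public_statements(policy))
```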