S3 and S3 Glacier Security Policies

Learn about policies in S3 and S3 Glacier.

We'll cover the following

S3 policies
- S3 bucket policy examples
  - Giving S3 access to other accounts
  - Enforce uploads of only encrypted objects
S3 Glacier vault policies
S3 Glacier practical

S3 policies

We can use two types of policies to control access to S3 buckets.

User-based (IAM) policies: These are the policies that we can attach to IAM roles and users.
Bucket policies: These are the resource-based policies attached to every bucket that controls access.

AWS combines these policies, so as long as either the bucket policy or IAM policy allows access, the user or principal has access to the bucket. An explicit denial in either policy will deny access.

Apart from the resource- and user-based policies, we can also use bucket and object access control lists (ACLs) to provide access to S3.

Bucket ACLs are a legacy access control mechanism that AWS introduced before IAM. Currently, AWS recommends only using IAM and bucket policies to control access to entire buckets.

Object ACLs allow us to implement fine-grained access control on the object level.

S3 bucket policy examples

Let’s dive into some examples of S3 policies.

Giving S3 access to other accounts

The following S3 policy can be used to give root users in the accounts 123123123123 and 987987987987 access to an S3 bucket.

Get hands-on with 1200+ tech skills courses.

Introduction

Getting Started with AWS

AWS IAM

AWS EC2

AWS Load Balancers and Auto Scaling Groups

AWS Storage Services

AWS Databases

AWS ElastiCache

AWS Elastic Beanstalk and CloudFront

AWS CloudFormation

AWS Monitoring

AWS VPC

AWS Route 53

AWS Security Services and Encryption

AWS Systems Manager

Important AWS Services

AWS SysOps Administrator Practice Exams

S3 and S3 Glacier Security Policies

S3 policies

S3 bucket policy examples

Giving S3 access to other accounts