Two Types of Security

1. User-Based — IAM Policies

Attached to IAM users/roles. Controls what API calls they can make. Example: Allow John to upload but not delete.

2. Resource-Based — Three options:

Type           Scope         Use
Bucket Policy  Whole bucket  Most common. Cross-account access.
Object ACL     Per object    Fine-grained. Rarely used. Can be disabled.
Bucket ACL     Whole bucket  Less common. Can be disabled.

How Access Works

Simple rule (same-account access):

(IAM policy says YES OR Bucket Policy says YES) AND (no explicit DENY in either)

An explicit Deny in either policy always wins over any Allow.


Bucket Policy

JSON policy attached to a bucket. Four key fields, all visible in the example below: Effect (Allow/Deny), Principal (who), Action (which API calls), Resource (which bucket/objects).

Example — Make bucket public:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::your-bucket-name/*"]
    }
  ]
}
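To make the access rule above concrete, here is an added example (not from the original notes, and not AWS's own evaluator) that applies "(IAM says YES OR bucket policy says YES) AND no explicit DENY" to the PublicRead bucket policy and to a constructed IAM policy for "John can upload but not delete". It is a simplified same-account model: it matches Action and Resource with IAM-style wildcards but does not model Principal matching, conditions, or Block Public Access; the bucket name and object key are placeholders.

```python
import fnmatch

# Constructed sample policies for this example (placeholder bucket name).
# Resource-based: the PublicRead bucket policy from the notes above.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::your-bucket-name/*"]},
    ],
}

# Identity-based: "Allow John to upload but not delete" (constructed).
JOHN_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": ["arn:aws:s3:::your-bucket-name/*"]},
        {"Effect": "Deny", "Action": ["s3:DeleteObject"],
         "Resource": ["arn:aws:s3:::your-bucket-name/*"]},
    ],
}

# An anonymous caller has no IAM policy at all.
ANONYMOUS = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request.
    IAM wildcards "*" and "?" behave like shell globs on the string."""
    return any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))) \
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))


def _effects(policy, action, resource):
    return {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}


def is_allowed(iam_policy, bucket_policy, action, resource):
    """(IAM allows OR bucket policy allows) AND no explicit Deny in either."""
    iam = _effects(iam_policy, action, resource)
    bucket = _effects(bucket_policy, action, resource)
    if "Deny" in iam or "Deny" in bucket:
        return False  # explicit Deny always wins
    return "Allow" in iam or "Allow" in bucket
```

Running it shows the effect of the public bucket policy: anonymous callers can GetObject but nothing else, John can GetObject and PutObject, and DeleteObject is refused for him even though nothing grants it, because of the explicit Deny.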

Block Public Access