Defining Resources in S3 Bucket Policies
Resource-Based Policies for IAM
Within IAM, permissions can be defined through two kinds of policies: identity-based policies, which are attached to users, groups and roles, and resource-based policies, which are attached to the resource itself. With either type, make sure that no statement grants access to an undefined (wildcard) resource instead of the specific resource you intend to expose. In this demo, AWS expert Mike Wise focuses on the resource-based policy of an S3 bucket, the bucket policy, which controls access to the bucket and to the objects in it.
- From the AWS Management Console, navigate to the S3 console, then the Buckets section.
- Select an S3 bucket to be analyzed, then open the Permissions tab.
- Click Bucket Policy to view the policy JSON. Does any statement use "Resource": "*" rather than the bucket's own ARN (arn:aws:s3:::bucket-name for the bucket and arn:aws:s3:::bucket-name/* for its objects)? A wildcard there means the statement is not scoped to this bucket.
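The check the steps above describe can also be run outside the console against the policy JSON itself. The following is an added example, not code from the original demo: it parses a bucket policy and flags every Allow statement whose Resource is anything other than the bucket ARN or its object ARNs (a bare "*", another bucket, or a NotResource clause). The bucket name and the three sample policies are constructed for the example.

```python
"""Flag S3 bucket-policy statements that are not scoped to the bucket.

Added example: the policies below are constructed, not taken from a real account.
The bucket name (example-demo-bucket) is an assumption for illustration.
"""
import json

BUCKET = "example-demo-bucket"

# Constructed policy with the wildcard the article warns about.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneEverywhere",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "*",
    }],
})

# Constructed policy scoped to this bucket and its objects only.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReadThisBucketOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": [
            f"arn:aws:s3:::{BUCKET}",
            f"arn:aws:s3:::{BUCKET}/*",
        ],
    }],
})

# Constructed policy that mixes this bucket with a resource it does not own.
MIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CrossBucket",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/reader"},
        "Action": "s3:GetObject",
        "Resource": [
            f"arn:aws:s3:::{BUCKET}/*",
            "arn:aws:s3:::other-bucket/*",
        ],
    }],
})


def _as_list(value):
    """Policy fields such as Statement and Resource may be a string or a list."""
    return value if isinstance(value, list) else [value]


def bucket_scoped_resources(bucket_name):
    """The only two resource ARNs a bucket policy for this bucket should name."""
    return {f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"}


def find_unscoped_statements(policy_json, bucket_name):
    """Return (Sid, resource) pairs for Allow statements that reach beyond the bucket.

    Deny statements are skipped: a wildcard in a Deny restricts rather than grants.
    A NotResource clause is reported as-is, since it grants access to everything
    except what it lists and is never scoped to a single bucket.
    """
    policy = json.loads(policy_json)
    allowed = bucket_scoped_resources(bucket_name)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        if "NotResource" in stmt:
            findings.append((sid, "NotResource:" + ",".join(_as_list(stmt["NotResource"]))))
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in allowed:
                findings.append((sid, resource))
    return findings


if __name__ == "__main__":
    for name, policy in [("wildcard", WILDCARD_POLICY),
                         ("scoped", SCOPED_POLICY),
                         ("mixed", MIXED_POLICY)]:
        print(name, find_unscoped_statements(policy, BUCKET))
```

Running the module prints one line per sample: the wildcard policy is reported for its "*" resource, the mixed policy for the other-bucket ARN, and the scoped policy produces no findings. To check a real bucket, feed the function the output of an `aws s3api get-bucket-policy` call instead of the constructed samples.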
For a visual guide on how to modify S3 bucket policies, watch the full demo. Learn more about adding a bucket policy using the Amazon S3 console here.
So, for this particular demo we're going to go look at S3. We'll look at a bucket policy, and we're going to go see where it has defined a resource that is going to be inactive. Let's go look at the permissions for this. Now, go look at the "Bucket Policy." We're going to see that we have a resource name defined within this bucket. This basically is saying that the resource that is being defined here is only available for this specific bucket. So, you notice that there is no "Resourcename:*" defined; that is only going to be applied to this specific bucket. Now, alternatively, there could be a policy created additionally by itself that would say "Resourcename:*" instead of having the bucket name defined. That would be a problem and would be something you would not want to create.