1. 개요

• User-Based
  • IAM Policies - which API calls should be allowed for a specific user from IAM
• Resource-Based
  • Bucket Policies - bucket wide rules from the S3 console - allows cross account
  • Object Access Control List (ACL) - finer grain (can be disabled)
  • Bucket Access Control List (ACL) - less common (can be disabled)
• Note: an IAM principal can access an S3 obejct if
  • The user IAM permissions ALLOW it OR the resource policy ALLOWS it
  • AND there’s no explicit DENY
• Encryption : encrypt objects in Amazon S3 using encryption keys

2. Bukcet Policies

{
	"Version":"2012-10-17",
	"Statement" : [
			{
					"Sid" : "PublicRead",
					"Effect" : "Allow",
					"Principal" : "*",
					"Action" : [
							"s3:GetObject"
					]
					"Resource" : [
							"arn:aws:s3:::examplebucket/*"
					]
			}
	]
}

• JSON based policies
  • Resources: buckets and obejcts
  • Effect: Allow / Deny
  • Actions : Set of API to Allow or Deny
  • Principal : The account or user to apply the policy to
• Use S3 bucket for policy to:
  • Grant Public access to the bucket
  • Force objects to be encrypted at upload