
I have been reading a number of docs and watched number of videos, but I am still very confused about IAM Roles and Bucket policies. Here is what confuses me:

1) I create a bucket. At that time I can make it public or keep it private. If I make it public, then anyone, or any Application, can "see" the objects in the bucket. I think the permissions can be set to add/delete/get/list objects in the bucket. If this is the case, then why do I ever need to add any IAM Role for S3 buckets, or, add any Bucket policy (???)

2) At the time I create a bucket, can I give very specific permissions to only certain users/applications/EC2 instances etc to all or part of the bucket? e.g. App1 on EC2-X can access subfolder A in bucket B1.

3) Coming to IAM Roles, an EC2 role that gives full S3 access- what does it mean? Full access to any bucket? How can I restrict an app running on an EC2 to only certain buckets, with only certain restricted permissions (see #2) above)? Do all Apps on the EC2 have full access to all buckets? At the time of creating a bucket, can the permissions be so set that an IAM Role can be overruled?

4) Finally, what do Bucket Policies do in addition to the above IAM Roles? e.g is 'AllowS3FullAccess' a "Bucket Policy", or an "IAM Policy"? Why differentiate between types of policies- policies are just that- they define some permissions/rules on some objects/resources,as I see it.

Thanks for any clarifications. - a newcomer to AWS

Hopefully, this will help you: aws.amazon.com/blogs/security/… - jarmod
Thanks, that was To get hands-on experience, I created an admin user and logged in as that user. Next I created a bucket. Under Permissions, I see buttons for ACL, Bucket Policy and CORS. The UI I am seeing here is nothing like what I am seeing in the various YouTube videos. When I select the ACL option, I am asked to "Add access for your AWS Account" or "Add access to another AWS Account". I apologize for not getting this at all! What do they mean by adding access to 'another' AWS account? What about the users in my own AWS account? (I created two users with admin privileges.) Frustrating! - Satya Rao
Further reading on the UI help, it appears that the "ACL" button is now "a legacy policy option to provide basic read/write permissions to other AWS Accounts". I guess now there is no way to give permissions to individual users in the same account other than by using Bucket Policies. - Satya Rao
Yes, you can give S3 permissions to individual users, but you don't need to use bucket policies to do this. Simply create an IAM policy that allows the relevant actions on the specific bucket and then attach that policy to an IAM user (or to the group that the user is in). Example: aws.amazon.com/blogs/security/… - jarmod

1 Answer


I think you are confusing permissions for resources with IAM entities.

i) There are resources (S3 buckets, EC2 instances etc.) owned by the AWS account, and these resources can be accessed by IAM users, IAM roles or other AWS services (which can be from the same or a different account)

ii) We manage who can access them, and at what permission level, with policies

iii) Policies can be identity-based (attached to an IAM user/group/role) or resource-based (attached to an S3 bucket, SNS topic, etc.)

iv) A resource-based policy will have a Principal element, but identity-based policies will not (because the attached IAM entity is the principal)

v) Permissions start from a default deny; an allow overrides the default deny, and an explicit deny overrides any allow

vi) Final access is determined by the combination of all policies

To answer your questions:

1> We cannot add (or attach) an IAM role to an S3 bucket. If you want your bucket to be public (which is not recommended, but is needed to some extent if it is used for a static website), then you can keep it public

2> It is not possible while creating the bucket. You have to do it after creating the bucket, via IAM and/or an S3 bucket policy

3> If an IAM role has AmazonS3FullAccess, the role can (Effect: Allow) call any S3 API (s3:*) on any S3 resource (Resource: *) in your account (provided it does not have cross-account access). If multiple applications run on an instance with an IAM role attached and use the credentials provided by the role, their permissions will be the same.

4> I don't know where you got the reference AllowS3FullAccess, but we cannot confirm unless we know the exact JSON. If it is attached to a bucket or has the Principal element, it is a bucket policy. You can use IAM and bucket policies based on your need. Usually bucket policies are used for cross-account access, or if you want to manage S3 permission policies in a single place.
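An added example (my own, not from the answer or from AWS) that puts points iii) to vi) and question 2 into working form: an identity-based policy with no Principal element, attached to a hypothetical role App1Role and scoped to prefix A/ in bucket b1, a bucket policy naming that role as Principal with an explicit deny on deletes, and a simplified same-account evaluator implementing default deny / allow / explicit-deny-wins. The account id, role, bucket and prefix are made up, and real IAM evaluation has more rules (conditions, cross-account handling, session policies) than this model.

```python
import fnmatch

# Constructed sample data (not from the post): account id, role, bucket and prefix are hypothetical.
ROLE_ARN = "arn:aws:iam::111122223333:role/App1Role"

# Identity-based policy attached to the role: no Principal element, the role itself is the principal.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::b1/A/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::b1"},
    ],
}

# Resource-based (bucket) policy attached to bucket b1: it must name the Principal it applies to.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": {"AWS": ROLE_ARN},
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::b1/*"},
    ],
}

def _matches(pattern, value):
    """IAM-style wildcard match ('*' and '?'); pattern may be a string or a list of strings."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _principal_applies(stmt, principal):
    # No Principal element means an identity-based statement: it applies to whoever it is attached to.
    p = stmt.get("Principal")
    if p is None or p == "*":
        return True
    return _matches(p.get("AWS", []), principal)

def is_allowed(principal, action, resource, policies):
    """Same-account evaluation: default deny; any matching Allow grants; a matching explicit Deny wins."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_principal_applies(stmt, principal)
                    and _matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny overrides every allow
            allowed = True
    return allowed
```

Evaluate a request with both policies together to see the combination rule: reads under A/ are allowed, reads under another prefix fall to the default deny, and deletes are refused by the bucket policy even though nothing else forbids them.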