A customer wants to leverage Amazon Simple Storage Service (S3) and Amazon Glacier as part of their
backup and archive infrastructure. The customer plans to use third-party software to support this integration.
Which approach will limit the access of the third party software to only the Amazon S3 bucket named
“company-backup”?
A. A custom bucket policy limited to the Amazon S3 API in the Amazon Glacier archive “company-backup”
B. A custom bucket policy limited to the Amazon S3 API in “company-backup”
C. A custom IAM user policy limited to the Amazon S3 API for the Amazon Glacier archive “company-backup”.
D. A custom IAM user policy limited to the Amazon S3 API in “company-backup”.
D
http://www.aiotestking.com/amazon/which-approach-will-limit-the-access-of-the-third-party-software-to-only-the-amazon-s3-bucket-named-ampquotcompanybackupampquot/
B
http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resource
When it comes to S3, I stick with bucket policies for control
When to use IAM policies vs. S3 policies
Use IAM policies if:
You need to control access to AWS services other than S3. IAM policies will be easier to manage since you can centrally manage all of your permissions in IAM, instead of spreading them between IAM and S3.
You have numerous S3 buckets each with different permissions requirements. IAM policies will be easier to manage since you don’t have to define a large number of S3 bucket policies and can instead rely on fewer, more detailed IAM policies.
You prefer to keep access control policies in the IAM environment.
Use S3 bucket policies if:
You want a simple way to grant cross-account access to your S3 environment, without using IAM roles.
Your IAM policies bump up against the size limit (up to 2 kb for users, 5 kb for groups, and 10 kb for roles). S3 supports bucket policies of up to 20 kb.
You prefer to keep access control policies in the S3 environment.
If you’re still unsure of which to use, consider which audit question is most important to you:
If you’re more interested in “What can this user do in AWS?” then IAM policies are probably the way to go. You can easily answer this by looking up an IAM user and then examining their IAM policies to see what rights they have.
If you’re more interested in “Who can access this S3 bucket?” then S3 bucket policies will likely suit you better. You can easily answer this by looking up a bucket and examining the bucket policy.
https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
Attach this IAM POLICY to a user created in IAM and that’s it:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::company-backup"]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": ["arn:aws:s3:::company-backup/*"]
        }
    ]
}
Meaning the answer is D
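The quoted AWS guidance above contrasts IAM user policies with S3 bucket policies, and the last answer shows the IAM user policy for the bucket. The following is an added example, not code from the thread or from AWS: it holds that same IAM policy as a Python dict, builds the equivalent bucket policy (which additionally needs a Principal; the IAM user ARN used for it is a placeholder), and runs a deliberately simplified allow/deny evaluator plus an audit check over both. The evaluator is an assumption for illustration, not IAM's real engine (it ignores conditions, NotAction/NotResource and how IAM combines several policies), but it is enough to show why s3:ListBucket is granted on the bucket ARN while object actions need the bucket/* ARN, and that nothing in either policy reaches another bucket or a Glacier vault.

```python
import fnmatch
import json

# Bucket name from the question.
BUCKET = "company-backup"

# The IAM user policy posted in the answer above, as a Python dict.
IAM_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}"],
        },
        {
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/*"],
        },
    ],
}

# Constructed contrast case: a policy that is too broad for the question's requirement.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]}
    ],
}


def bucket_policy_for(principal_arn: str) -> dict:
    """Same restriction expressed as an S3 bucket policy (answer B's approach).

    A bucket policy must name who it grants to, so it carries a Principal;
    principal_arn is a placeholder for the IAM user the third-party software uses.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{BUCKET}",
            },
            {
                "Effect": "Allow",
                "Principal": {"AWS": principal_arn},
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{BUCKET}/*",
            },
        ],
    }


def _as_list(value):
    # Policy JSON allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified evaluation (assumption, not IAM's engine): default deny,
    an explicit Deny beats any Allow, '*' wildcards matched with fnmatch."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def resources_outside_bucket(policy: dict) -> list:
    """Audit check: list every Resource ARN that is not the bucket or its objects."""
    permitted = {f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"}
    return [r for s in policy["Statement"] for r in _as_list(s["Resource"]) if r not in permitted]


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/2024/full-backup.tar"
    print("GetObject in bucket:", is_allowed(IAM_USER_POLICY, "s3:GetObject", obj))
    print("GetObject elsewhere:", is_allowed(IAM_USER_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/x"))
    print("ListBucket on bucket ARN:", is_allowed(IAM_USER_POLICY, "s3:ListBucket", f"arn:aws:s3:::{BUCKET}"))
    print("Overbroad policy leaks:", resources_outside_bucket(OVERBROAD_POLICY))
    print(json.dumps(bucket_policy_for("arn:aws:iam::123456789012:user/backup-software"), indent=2))
```

The evaluator makes the question's distinction concrete: s3:GetObject on the bare bucket ARN is denied because the object statement only matches company-backup/*, and any Glacier action is denied because no statement names a glacier resource, which is the third-party integration limited to exactly one bucket.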