Which of the below mentioned statements is true and should be taken in consideration by the sysadmin?

A system admin is managing buckets, objects and folders with AWS S3. Which of the below mentioned
statements is true and should be taken in consideration by the sysadmin?

A. The folders support only ACL

B. Both the object and bucket can have an Access Policy but folder cannot have policy

C. Folders can have a policy

D. Both the object and bucket can have ACL but folders cannot have ACL

Explanation:
A sysadmin can grant permission on S3 objects or buckets to any user, or make objects public, using the
bucket policy and user policy. Both use the JSON-based access policy language. Generally, if a user defines an
ACL on the bucket, the objects in the bucket do not inherit it, and vice versa. The bucket policy is defined
at the bucket level, which allows the objects as well as the bucket to be made public with a single policy applied to
that bucket. It cannot be applied at the object level. Folders are similar to objects with no content. Thus,
folders can have only an ACL and cannot have a policy.
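How a bucket-level or user-level policy statement reaches "folder" contents through the key pattern in its Resource ARN can be seen in a small model. This is an added example, not part of the original page and not AWS's evaluation engine: it is a simplified sketch that ignores Principal, Condition and NotAction/NotResource, and the policy, key names and function names are constructed for illustration.

```python
import re

def wild_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = (re.I | re.S) if ignore_case else re.S
    return re.fullmatch(rx, value, flags) is not None

def decide(statements, action, bucket, key):
    """Simplified model: an explicit Deny wins, then Allow, otherwise implicit deny."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    arn = f"arn:aws:s3:::{bucket}/{key}"
    verdict = "ImplicitDeny"
    for st in statements:
        # Action names are case-insensitive; object keys in the ARN are case-sensitive.
        if not any(wild_match(a, action, ignore_case=True) for a in as_list(st["Action"])):
            continue
        if not any(wild_match(r, arn) for r in as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict

# Constructed policy: one Allow over the whole bucket, one Deny scoped to a key prefix.
POLICY = [
    {"Sid": "AllowReadWholeBucket", "Effect": "Allow",
     "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::companybucket/*"]},
    {"Sid": "DenyPrivatePrefix", "Effect": "Deny",
     "Action": ["s3:*"], "Resource": ["arn:aws:s3:::companybucket/Private/*"]},
]

# Constructed keys. "Private/" is the zero-byte marker object the console creates for a "folder".
KEYS = ["Public/readme.txt", "Private/", "Private/payroll.csv",
        "PrivateNotes/todo.txt", "private/x.txt"]

def report():
    """Verdict for s3:GetObject on each sample key."""
    return {k: decide(POLICY, "s3:GetObject", "companybucket", k) for k in KEYS}

if __name__ == "__main__":
    for key, verdict in report().items():
        print(f"{verdict:12} {key}")
```

The statements live on the bucket or the identity, and the "folder" appears only as a string pattern in Resource, so a sibling prefix such as `PrivateNotes/` or a differently cased `private/` is not covered by the Deny.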




jh

D is correct, since you cannot set an ACL on a folder, but only on a bucket and an object.

Kelvin Wong

Agree. D

msg

I think A is correct, because a folder is an object that just has a prefix.
Thus a folder is an object, so a folder only supports ACL.

raj

Create a folder in an S3 bucket and you won’t have permissions options.

D is the answer

awsguy

A is *not* correct. First of all, ‘folders’ don’t exist in S3. The console API represents a folder hierarchy based on object key name. Next, the policy example in the following link will work just fine as a bucket policy if you add a Principal: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

ACLs are a legacy mechanism for administering permissions in S3, since S3 pre-dated IAM. It is *not* recommended to rely on ACLs. C is the only logical answer. If C is not the official answer, then the official answer is incorrect.

DudewithaClue

I think you mean D

BDA

From the S3 policy walkthrough: “Step 7: Secure the Private Folder”

To ensure that the Private folder remains private, you can add the following two deny statements to the group policy:

There are indeed folders in S3.

• Add the following statement to explicitly deny any action on resources in the Private folder (companybucket/Private/*).

{
"Sid": "ExplictDenyAccessToPrivateFolderToEveryoneInTheGroup",
"Action": ["s3:*"],
"Effect": "Deny",
"Resource": ["arn:aws:s3:::companybucket/Private/*"]   <-- FOLDER
}

A is correct

BDA

wait… I read it wrong

D is correct

arrgh……

Lucky

You’re denying access to objects whose key prefix starts with “Private” in bucket named “company”. 🙂

Lucky

Since Amazon is using the terms “folder” and “folders”, I guess D is correct.