A sysadmin has created the below mentioned policy on an S3 bucket named cloudacademy. The
bucket has both AWS.jpg and index.html objects. What does this policy define?
“Statement”: [{
“Sid”: “Stmt1388811069831”,
“Effect”: “Allow”,
“Principal”: { “AWS”: “*”},
“Action”: [ “s3:GetObjectAcl”, “s3:ListBucket”, “s3:GetObject”],
“Resource”: [ “arn:aws:s3:::cloudacademy/*.jpg]
}]
A.
It will make all the objects as well as the bucket public
B.
It will throw an error for the wrong action and does not allow to save the policy
C.
It will make the AWS.jpg object as public
D.
It will make the AWS.jpg as well as the cloudacademy bucket as public
Explanation:
A sysadmin can grant permission to the S3 objects or the buckets to any user or make objects
public using the bucket policy and user policy. Both use the JSON-based access policy language.
Generally if user is defining the ACL on the bucket, the objects in the bucket do not inherit it and
vice a versa. The bucket policy can be defined at the bucket level which allows the objects as well
as the bucket to be public with a single policy applied to that bucket. In the below policy the action
says “S3:ListBucket” for effect Allow and when there is no bucket name mentioned as a part of the
resource, it will throw an error and not save the policy.
“Statement”: [{
“Sid”: “Stmt1388811069831”,
“Effect”: “Allow”,“Principal”: { “AWS”: “*”},
“Action”: [ “s3:GetObjectAcl”, “s3:ListBucket”, “s3:GetObject”],
“Resource”: [ “arn:aws:s3:::cloudacademy/*.jpg]
}]
B
Bucket policy cannot be object level.
Ans : B
B
Answer: B
Explanation:
A sysadmin can grant permission to the S3 objects or the buckets to any user or make objects public using the bucket policy and user policy. Both use the JSON-based access policy language. Generally if user is defining the ACL on the bucket, the objects in the bucket do not inherit it and vice a versa. The bucket policy can be defined at the bucket level which allows the objects as well as the bucket to be public with a single policy applied to that bucket. In the below policy the action says “S3:ListBucket” for effect Allow and when there is no bucket name mentioned as a part of the resource, it will throw an error and not save the policy.