A sysadmin has created the policy below and applied it to an S3 object named aws.jpg. The aws.jpg object
is inside a bucket named cloudacademy. What does this policy define?
"Statement": [{
    "Sid": "Stmt1388811069831",
    "Effect": "Allow",
    "Principal": { "AWS": "*" },
    "Action": [ "s3:GetObjectAcl", "s3:ListBucket", "s3:GetObject" ],
    "Resource": [ "arn:aws:s3:::cloudacademy/*.jpg" ]
}]
A. It is not possible to define a policy at the object level
B. It will make all the objects of the bucket cloudacademy public
C. It will make the bucket cloudacademy public
D. the aws.jpg object as public
Explanation:
A system admin can grant permission on S3 objects or buckets to any user, or make objects public, using a
bucket policy or a user policy. Both use the JSON-based access policy language. Generally, if the user defines
an ACL on the bucket, the objects in the bucket do not inherit it, and vice versa. A bucket policy is
defined at the bucket level, which allows both the objects and the bucket to be made public with a single policy
applied to that bucket. It cannot be applied at the object level.
Principal: the account or user who is allowed access to the actions and resources in the statement. You specify a principal only in a bucket policy. It is the user, account, service, or other entity that is the recipient of this permission. In a user policy, the user to which the policy is attached is the implicit principal.
"Principal": { "AWS": "*" } means all of AWS, and "*" equals everyone.
D. the aws.jpg object as public
http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
A is correct.
The bucket policy can be defined at the bucket level which allows the objects as well as the bucket to be public with a single policy applied to that bucket. It cannot be applied at the object level.
A is correct.
"Resource": [ "arn:aws:s3:::cloudacademy/*.jpg" ] means this policy is applied to .jpg objects, which is not allowed.
A is correct.
A bucket policy cannot be applied to an object.
A is *not* correct. The following policy demonstrates the distinction between bucket-level and object-level permissions and associated syntax. The first statement block pertains to bucket-level permissions (ListBucket), and the second statement block to object-level permissions. http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::cloudacademy"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:GetObjectAcl",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::cloudacademy/*.txt"
      ]
    }
  ]
}
The answer is D.
I think the answer is A after all. I was thrown by the wording.
I think all 4 given options are wrong.
Answer should be:
"It will throw an error for the wrong action and does not allow to save the policy"
Reason:
The bucket policy can be defined at the bucket level which allows the objects as well as the bucket to be public with a single policy applied to that bucket. In the above policy the action says "S3:ListBucket" for effect Allow and when there is no bucket name mentioned as a part of the resource, it will throw an error and not save the policy.
Answer D is correct.
Agree with Yogi, I think all 4 options are wrong
a
I haven't tried this in S3 due to free tier expiration. However, A is wrong, it is completely possible to apply permissions at the object level. I think the problem may be the ListBucket mixed in with the object level permissions, and that is why A is correct – albeit due to poor English language skills on the webmaster. Otherwise, D is correct.
D is indeed the answer, this is from
http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleStatement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account-ID:user/Dave"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::examplebucket"
      ]
    }
  ]
}
A is correct
[checked on AWS]
A may be the answer.
Case 1 (wrong): "Action does not apply to any resource(s) in statement"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1388811069831444",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:GetObjectAcl",
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucketname/*.txt"
      ]
    }
  ]
}
Case 2 (correct): removed "s3:ListBucket"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1388811069831444",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:GetObjectAcl",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucketname/*.txt"
      ]
    }
  ]
}
Case 3 (correct): removed "s3:GetObjectAcl" and "s3:GetObject", but changed the resource to a valid bucket name
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1388811069831444",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mybucketname"
      ]
    }
  ]
}
A seems to be the answer, the policy is applied at the bucket level, not at the object level. But it can have objects as targets.
And I don't think that AWS:* means everyone; that would be *.
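As an added example (not from the question or any commenter), a small Python linter for the two points the thread keeps circling: whether each action in a statement has a resource of the right kind (bucket ARN for s3:ListBucket, object ARN for s3:GetObject and s3:GetObjectAcl), and whether the statement grants public access. The action table, the ARN regex and the sample policy are constructed for this example and cover only the actions named above.

```python
import json
import re

# Bucket-level vs object-level S3 actions. Constructed, partial table that covers
# only the actions named in this thread.
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_LEVEL = {"s3:GetObject", "s3:GetObjectAcl"}
# arn:aws:s3:::bucket is a bucket resource; arn:aws:s3:::bucket/key is an object.
ARN_RE = re.compile(r"^arn:aws:s3:::[^/]+(?P<key>/.*)?$")

def as_list(v):
    return v if isinstance(v, list) else [v]

def resource_kind(arn):
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an S3 ARN: {arn}")
    return "object" if m.group("key") else "bucket"

def is_public(principal):
    # "*" and {"AWS": "*"} both grant anonymous access in a bucket policy.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def mismatched_actions(stmt):
    """Actions in one statement that apply to none of its resources."""
    kinds = {resource_kind(r) for r in as_list(stmt["Resource"])}
    bad = []
    for action in as_list(stmt["Action"]):
        needs = "bucket" if action in BUCKET_LEVEL else "object" if action in OBJECT_LEVEL else None
        if needs and needs not in kinds:
            bad.append(action)
    return bad

def lint_policy(policy_json):
    """Per Sid: actions with no matching resource, and whether the statement is public."""
    report = {}
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        report[stmt.get("Sid", f"Statement{i}")] = {
            "mismatched": mismatched_actions(stmt),
            "public": stmt.get("Effect") == "Allow" and is_public(stmt.get("Principal", {}))}
    return report

# Constructed sample: the question's statement, mixing bucket-level s3:ListBucket
# with an object-only resource (the case S3 rejects in "case 1" above).
QUESTION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1388811069831", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObjectAcl", "s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::cloudacademy/*.jpg"]}]})
```

Running `lint_policy(QUESTION_POLICY)` reports s3:ListBucket as mismatched and the statement as public; splitting it into a bucket statement and an object statement, as in the two-statement policy posted above, clears the mismatch but keeps the public grant.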