What does this policy define?

A sys admin has created the below mentioned policy and applied it to an S3 object named aws.jpg. The aws.jpg
is inside a bucket named cloudacademy. What does this policy define?

"Statement": [{
    "Sid": "Stmt1388811069831",
    "Effect": "Allow",
    "Principal": { "AWS": "*" },
    "Action": [ "s3:GetObjectAcl", "s3:ListBucket", "s3:GetObject" ],
    "Resource": [ "arn:aws:s3:::cloudacademy/*.jpg" ]
}]


A.
It is not possible to define a policy at the object level

B.
It will make all the objects of the bucket cloudacademy as public

C.
It will make the bucket cloudacademy as public

D.
the aws.jpg object as public

Explanation:
A system admin can grant permission on S3 objects or buckets to any user, or make objects public, using a
bucket policy or a user policy. Both use the JSON-based access policy language. Generally, if the user defines
an ACL on the bucket, the objects in the bucket do not inherit it, and vice versa. The bucket policy is
defined at the bucket level, which allows the objects as well as the bucket to be made public with a single policy
applied to that bucket. It cannot be applied at the object level.


Chef

Principal – The account or user who is allowed access to the actions and resources in the statement. You specify a principal only in a bucket policy. It is the user, account, service, or other entity who is the recipient of this permission. In a user policy, the user to which the policy is attached is the implicit principal.

"Principal": { "AWS": "*" }, All of AWS and * equal everyone

D.
the aws.jpg object as public

http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html

YENY

A is correct.

The bucket policy can be
defined at the bucket level which allows the objects as well as the bucket to be public with a single policy
applied to that bucket. It cannot be applied at the object level.

Joe

A is correct.
"Resource": [ "arn:aws:s3:::cloudacademy/*.jpg" ] means this policy is applied to a .jpg object, which is not allowed.

w00f

A is correct.

Bucket policy cannot be applied to an object.

awsguy

A is *not* correct. The following policy demonstrates the distinction between bucket-level and object-level permissions and associated syntax. The first statement block pertains to bucket-level permissions (ListBucket), and the second statement block to object-level permissions. http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::cloudacademy"
            ]
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObjectAcl",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::cloudacademy/*.txt"
            ]
        }
    ]
}

The answer is D.

awsguy

I think the answer is A after all. I was thrown by the wording.

Yogi

I think all 4 given options are wrong.

Answer should be:
"It will throw an error for the wrong action and does not allow to save the policy"

Reason:
The bucket policy can be defined at the bucket level which allows the objects as well as the bucket to be public with a single policy applied to that bucket. In the above policy the action says "S3:ListBucket" for effect Allow, and when there is no bucket name mentioned as a part of the resource, it will throw an error and not save the policy.

Leonardo Gialluisi

Answer D is correct.

Simon Liang

Agree with Yogi, I think all 4 options are wrong

BDA

I haven't tried this in S3 due to free tier expiration. However, A is wrong; it is completely possible to apply permissions at the object level. I think the problem may be the ListBucket mixed in with the object level permissions, and that is why A is correct, albeit due to poor English language skills on the webmaster. Otherwise, D is correct.

BDA

D is indeed the answer, this is from
http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ExampleStatement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Account-ID:user/Dave"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::examplebucket"
            ]
        }
    ]
}

Stan

A is correct

Jiping

[checked on AWS]

A may be the answer.

-- case 1 -- wrong -- "Action does not apply to any resource(s) in statement"
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1388811069831444",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObjectAcl",
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketname/*.txt"
            ]
        }
    ]
}

-- case 2 -- correct -- removed "s3:ListBucket",
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1388811069831444",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:GetObjectAcl",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketname/*.txt"
            ]
        }
    ]
}

-- case 3 -- correct -- removed "s3:GetObjectAcl", "s3:GetObject", but changed the resource to be a valid bucket name
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1388811069831444",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::mybucketname"
            ]
        }
    ]
}
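The explanation's point about bucket-level policies, and the three cases Jiping checked above, come down to one rule: a bucket-level action such as s3:ListBucket must name the bucket ARN (arn:aws:s3:::bucket) as its resource, while object-level actions such as s3:GetObject must name an object ARN (arn:aws:s3:::bucket/key). A statement that mixes them against a single object ARN is rejected with "Action does not apply to any resource(s) in statement". The following lint script is an added example, not code from the page, from AWS, or from any commenter; it checks a policy document for that mismatch and, separately, flags any Allow statement whose Principal is "*" or {"AWS": "*"}, which is what makes the object public. The action sets are an assumed, illustrative subset of S3 actions, and the two sample policies are constructed from the question's statement and from the split form posted in the thread.

```python
"""Lint S3 bucket-policy statements for action/resource scope mismatches and
for grants to everyone. Added example; not code from the page, AWS, or any
commenter. The action sets below are an assumed subset, not the full list."""
import json

# Assumption: illustrative subset of S3 actions grouped by the resource type they act on.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation", "s3:GetBucketAcl", "s3:GetBucketPolicy"}
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl", "s3:PutObject", "s3:DeleteObject"}

S3_ARN_PREFIX = "arn:aws:s3:::"


def as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Principal.AWS; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_object_arn(arn):
    """arn:aws:s3:::bucket/key (any key pattern) is an object ARN; arn:aws:s3:::bucket is a bucket ARN."""
    return arn.startswith(S3_ARN_PREFIX) and "/" in arn[len(S3_ARN_PREFIX):]


def is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" appears inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def lint_statement(stmt):
    """Return a list of finding strings for one statement; an empty list means no findings."""
    findings = []
    resources = as_list(stmt.get("Resource"))
    has_bucket_arn = any(not is_object_arn(r) for r in resources)
    has_object_arn = any(is_object_arn(r) for r in resources)
    for action in as_list(stmt.get("Action")):
        # Bucket-level action with only object ARNs, or object-level action with only bucket ARNs,
        # is the mismatch S3 rejects when the policy is saved.
        if action in BUCKET_LEVEL_ACTIONS and not has_bucket_arn:
            findings.append(f"{action}: bucket-level action needs a bucket ARN")
        elif action in OBJECT_LEVEL_ACTIONS and not has_object_arn:
            findings.append(f"{action}: object-level action needs an object ARN")
    # A syntactically valid statement can still be a risk: Allow to everyone makes the resources public.
    if stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal")):
        findings.append("public-principal: Allow granted to everyone")
    return findings


def lint_policy(policy_text):
    """Parse a policy document and return {Sid or statement-<index>: [findings]} for every statement."""
    policy = json.loads(policy_text)
    report = {}
    for i, stmt in enumerate(as_list(policy.get("Statement"))):
        report[stmt.get("Sid", f"statement-{i}")] = lint_statement(stmt)
    return report


# Constructed sample: the question's statement, wrapped in a complete policy document.
QUESTION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1388811069831",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObjectAcl", "s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::cloudacademy/*.jpg"],
    }],
})

# Constructed sample: the same grant split into a bucket-level and an object-level statement,
# which is the form S3 accepts (it is still public, and the linter says so).
SPLIT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BucketLevel", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::cloudacademy"]},
        {"Sid": "ObjectLevel", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObjectAcl", "s3:GetObject"], "Resource": ["arn:aws:s3:::cloudacademy/*.jpg"]},
    ],
})

if __name__ == "__main__":
    for name, doc in (("question policy", QUESTION_POLICY), ("split policy", SPLIT_POLICY)):
        print(name)
        for sid, findings in lint_policy(doc).items():
            print(f"  {sid}: {findings or 'no findings'}")
```

Run against the question's statement, the report shows the s3:ListBucket mismatch (the error from case 1) plus the public-principal finding; against the split policy only the public-principal finding remains for both statements. Removing the mismatch makes the policy saveable but does not make it safe, which is why the two checks are reported separately.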

LV

A seems to be the answer, the policy is applied at the bucket level, not at the object level. But it can have objects as targets.

And I don't think that AWS:* means everyone, that would be *.