A sys admin has created the policy shown below and applied it to an S3 object named aws.jpg.
The aws.jpg object is inside a bucket named cloudacademy. What does this policy define?
"Statement": [{
    "Sid": "Stmt1388811069831",
    "Effect": "Allow",
    "Principal": { "AWS": "*" },
    "Action": [ "s3:GetObjectAcl", "s3:ListBucket", "s3:GetObject" ],
    "Resource": [ "arn:aws:s3:::cloudacademy/*.jpg" ]
}]
A. It is not possible to define a policy at the object level
B. It will make all the objects of the bucket cloudacademy public
C. It will make the bucket cloudacademy public
D. It will make the aws.jpg object public
Explanation:
A system admin can grant permission on S3 objects or buckets to any user, or make objects
public, using a bucket policy or a user policy. Both use the JSON-based access policy language.
Generally, if the user defines an ACL on the bucket, the objects in the bucket do not inherit it,
and vice versa. A bucket policy is defined at the bucket level, which allows the objects as
well as the bucket to be made public with a single policy applied to that bucket. It cannot be applied at
the object level.
A. A policy is not supported at the object level.
A
Disagree with A – https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/
D is the answer
The policy document is associated with the bucket; there is no way to attach a policy document to an object.
Permissions at the object level are possible. http://docs.aws.amazon.com/AmazonS3/latest/UG/EditingPermissionsonanObject.html
Permissions (ACL) and policies are not the same things
I think B is the answer as permissions can be applied at the object level. Since *.jpg would include all the jpg files in the cloudacademy bucket, it supports B as the answer.
The cloudacademy bucket could have objects other than *.jpg and the policy won't make them public. I would go with D.
Answer is A to pass exam
The answer is: D
The bucket policy is essentially saying that, from anywhere, any file within the bucket (including newly placed ones) will inherit this policy. Thus, since it restricts the resources to *.jpg only, only objects whose key name matches *.jpg will be visible. Any other objects would not be.
Action: Allow
From (Principal): * (Anywhere)
Resource (to): specific resource or bucket / type of file
The policy would actually look like this:
{
    "Id": "PolicyIDXXXXX",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1490379766358",
            "Action": [
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::cloudacademy/*.jpg",
            "Principal": "*"
        }
    ]
}
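To see concretely which anonymous requests the policy above actually permits, here is an added example (not part of the original thread or of any AWS tooling) that applies IAM-style wildcard matching to the statement's Action and Resource fields; the policy text, the constructed object keys, and the simplified evaluator (Principal "*", no Condition blocks) are assumptions of this example.

```python
import json
import re

# The bucket policy from the thread above (constructed copy for this example).
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1388811069831",
    "Effect": "Allow",
    "Principal": {"AWS": "*"},
    "Action": ["s3:GetObjectAcl", "s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::cloudacademy/*.jpg"]
  }]
}
""")


def iam_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters
    (including '/'), '?' matches exactly one character; otherwise literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Simplified evaluation for an anonymous caller: explicit Deny wins,
    then Allow, otherwise implicit deny. Action names compare case-insensitively,
    resource ARNs case-sensitively, as IAM does."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        action_hit = any(iam_match(a.lower(), action.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(iam_match(r, resource)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def exposure_report(policy: dict, bucket: str, keys) -> dict:
    """Map (action, key or None for the bucket itself) -> decision, so an
    admin can see exactly what becomes public before deploying the policy."""
    out = {("s3:ListBucket", None): evaluate(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}")}
    for key in keys:
        out[("s3:GetObject", key)] = evaluate(policy, "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}")
    return out
```

Running the report over constructed keys such as aws.jpg, photos/team.jpg and notes.txt shows that only the .jpg objects are allowed, and that the s3:ListBucket grant never takes effect because the bucket ARN arn:aws:s3:::cloudacademy does not match the object-level pattern cloudacademy/*.jpg.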
A is Correct
As the accepted policy at the object level will be an ACL, and it is XML rather than JSON, so it is not the one above.
D
I think D
http://docs.aws.amazon.com/AmazonS3/latest/user-guide/set-object-permissions.html
How Do I Set Permissions on an Object?
This section explains how to use the Amazon Simple Storage Service (Amazon S3) console to manage access permissions for an S3 object by using access control lists (ACLs). ACLs are resource-based access policies that grant access permissions to buckets and objects. For more information about managing access permissions with resource-based policies, see Overview of Managing Access in the Amazon Simple Storage Service Developer Guide.
Bucket and object permissions are independent of each other. An object does not inherit the permissions from its bucket. For example, if you create a bucket and grant write access to a user, you can't access that user's objects unless the user explicitly grants you access.
You can grant permissions to other AWS accounts or predefined groups. The user or group that you grant permissions to is called the grantee. By default, the owner, which is the AWS account that created the bucket, has full permissions.
Each permission you grant for a user or a group adds an entry in the ACL that is associated with the object. The ACL lists grants, which identify the grantee and the permission granted. For more information about ACLs, see Managing Access with ACLs in the Amazon Simple Storage Service Developer Guide.