AWS S3 Bucket Policy for User Access | Exam Question Answer

Correct Policy Statement for Amazon S3 Bucket Access

Question

Your organization uses Amazon S3 buckets to save critical project documents.

You have created a Bucket “test2021bucket” for this purpose.

Users (UserA & UserB) need Get, Put & Delete access to their individual folders.

In the future, the policy needs to be unique when replicated to many users globally.

Which of the following is a correct policy statement that can be applied with the least effort to meet this requirement?

Answers

Explanations


Options A, B, C and D (the policy documents for the four options are not reproduced on this page).

Correct Answer: D.

Instead of creating multiple access policies for each user, a single policy can be created with a policy variable & attached to a group.

In the above case, UserA & UserB can be added to a single group.

Using the policy variable ${aws:userid}, a single access policy is created that evaluates the user ID of each requesting user & grants the specified actions only on the individual folder named after that user ID.

Option A is incorrect as it will allow users to access all data in test2021bucket & will not restrict access to the individual folders in this bucket.

Option B is incorrect.

Instead of creating a policy statement for each user, a policy variable can be used to grant each user access with their specific user ID.

Option C is incorrect.

Although IAM user names are friendly, human-readable identifiers, they are not required to be globally unique.

For example, if user Bob leaves the organization and another Bob joins, then new Bob could access old Bob's information.

Users with identical names will be able to access each other's folders in these buckets.

Instead of the user name, using the user ID, which is unique for each user, is the more secure option.
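The two points above (one group policy keyed by ${aws:userid}, and the name-reuse problem with ${aws:username}) can be checked offline with a small policy evaluator. The code below is an added example, not part of the original question or an AWS library: the policy documents, the principals and the "AIDA..." user IDs are constructed placeholders, and is_allowed is a deliberately minimal model of IAM evaluation (default deny, explicit Deny wins, wildcard matching on action and resource) sufficient to show how the variable substitution decides which folder each user can reach.

```python
import re

# Constructed example: one Allow statement whose folder is keyed by ${aws:userid},
# meant to be attached to a group holding UserA and UserB (the approach in the answer).
POLICY_BY_USERID = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PerUserFolderByUserId",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::test2021bucket/${aws:userid}/*",
        }
    ],
}

# Same statement keyed by ${aws:username}, the variant the explanation rejects as option C.
POLICY_BY_USERNAME = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PerUserFolderByUserName",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::test2021bucket/${aws:username}/*",
        }
    ],
}

# Constructed principals. The "AIDA..." values are placeholders shaped like IAM user
# unique IDs, not real ones. Old Bob and new Bob share a user name but not an ID.
USER_A = {"username": "UserA", "userid": "AIDAEXAMPLEUSERA"}
USER_B = {"username": "UserB", "userid": "AIDAEXAMPLEUSERB"}
OLD_BOB = {"username": "Bob", "userid": "AIDAEXAMPLEOLDBOB"}
NEW_BOB = {"username": "Bob", "userid": "AIDAEXAMPLENEWBOB"}


def substitute_variables(text, principal):
    """Replace ${aws:username} / ${aws:userid} with the requesting principal's values."""
    return re.sub(r"\$\{aws:(\w+)\}", lambda m: principal[m.group(1)], text)


def iam_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy, principal, action, resource_arn):
    """Minimal identity-policy evaluator: default deny; an explicit Deny overrides any Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(iam_match(a, action) for a in actions):
            continue
        # Variables are resolved per request, so the same statement yields a different
        # folder for every principal that evaluates it.
        if not any(iam_match(substitute_variables(r, principal), resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def folder_object(folder, key="report.pdf"):
    """Object ARN for a key inside a top-level folder of test2021bucket."""
    return f"arn:aws:s3:::test2021bucket/{folder}/{key}"


if __name__ == "__main__":
    # Each user reaches only the folder named after their own user ID.
    print(is_allowed(POLICY_BY_USERID, USER_A, "s3:GetObject", folder_object("AIDAEXAMPLEUSERA")))   # True
    print(is_allowed(POLICY_BY_USERID, USER_A, "s3:GetObject", folder_object("AIDAEXAMPLEUSERB")))   # False
    # Keyed by ${aws:username}, the new Bob lands in the old Bob's folder.
    print(is_allowed(POLICY_BY_USERNAME, NEW_BOB, "s3:GetObject", folder_object("Bob")))              # True
    # Keyed by ${aws:userid}, the old Bob's folder stays out of the new Bob's reach.
    print(is_allowed(POLICY_BY_USERID, NEW_BOB, "s3:GetObject", folder_object("AIDAEXAMPLEOLDBOB")))  # False
```

Two caveats when carrying this over to a real account: ${aws:userid} resolves to the IAM user's unique ID only for IAM users; for assumed-role or federated sessions it takes a different form (the role's unique ID followed by the session name), so this single-statement design fits the question's group-of-IAM-users scenario rather than role-based access. And the evaluator above is a teaching model, not IAM; confirm the final policy with the IAM policy simulator before relying on it.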

For more information on S3 user policies, refer to the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html

Out of the given options, option B is the correct policy statement that can be applied with the least effort to meet the requirement.

Option A allows all users to access all the folders within the bucket, which is not the requirement.

Option C uses the AWS policy variable "${aws:username}", which resolves to the user name of the user accessing the resource. However, this option is not applicable to this requirement as it is creating a policy that allows users to access their own folders only.

Option D uses the AWS policy variable "${aws:userid}", which resolves to the unique ID of the user accessing the resource. However, this option is not applicable to this requirement as it is creating a policy that allows users to access their own folders only.

Option B specifies that UserA and UserB should have access to their individual folders only. Therefore, it is the correct policy statement that can be applied to meet the requirement with the least effort. The policy statement specifies the S3 actions "s3:PutObject", "s3:GetObject", and "s3:DeleteObject" that are allowed for the users on the specific bucket and folder path "arn:aws:s3:::test2021bucket/UserA/*".

In the future, the policy needs to be unique when replicated to many users globally. This means that the same policy can be used for many users globally without the need to create a separate policy for each user. The policy can be applied to a group of users by creating an IAM group, adding the required users to the group, and attaching the policy to the group.