S3 Bucket Access Controls for Secure Public Website



Question

You are a solutions architect working as a consultant where you build web applications for clients.

One of your clients needs a static website hosted on AWS.

The website will predominantly host content files owned by the AWS account used to create the S3 bucket that will host the website.

However, some of the objects in the bucket are owned by a parent company's AWS account. How should you configure the S3 bucket access controls to achieve the most secure website that is accessible to the public? (Choose TWO)

Answers

A. Create a bucket policy that grants s3:GetObject access to the objects owned by the parent company account.

B. Create a bucket policy that grants s3:GetObject access to the objects in the bucket owned by the account used to create the S3 bucket that will host the website.

C. Create an object access control list to grant read permissions on objects owned by the account used to create the S3 bucket that will host the website.

D. Create an object access control list to grant read permissions on objects owned by the parent company account.

E. Create a bucket policy that grants s3:GetObject access to the objects owned by the parent company account and the objects owned by the account used to create the S3 bucket that will host the website.

Explanations

Correct Answers: B and D.

Option A is incorrect.

The objects owned by the parent company account need an object access control list (ACL), set by the parent company account, that grants READ to everyone.

A bucket policy written by the bucket owner does not apply to those objects: a bucket policy can only grant permissions on objects the bucket-owning account itself owns, and these objects are owned by a different account.

Option B is correct.

A bucket policy with Principal "*" that allows s3:GetObject on arn:aws:s3:::bucket-name/* makes every object owned by the bucket-owning account publicly readable, and grants nothing else (no listing, no write), which is exactly what the website needs for the content the bucket owner uploaded.

Option C is incorrect.

You use a bucket policy to control access to objects owned by the account that created the bucket; one statement covers all of them.

Per-object ACLs on those same objects are redundant and harder to keep consistent, so an ACL is not the right control here.

Option D is correct.

Because the parent company account, not the account that created the bucket, owns these objects, the bucket policy does not apply to them. The parent company account must grant public read on each of its objects with an object ACL (for example the canned public-read ACL).

Option E is incorrect.

The bucket policy controls access only to objects owned by the account that created the S3 bucket that will host the website; it cannot grant access to objects owned by the parent company account, however the statements are written.

Those objects need an object ACL set by the parent company account.

References:

Amazon Simple Storage Service User Guide, "Setting permissions for website access": https://docs.aws.amazon.com/AmazonS3/latest/userguide/WebsiteAccessPermissionsReqd.html

Service Authorization Reference, "Actions, resources, and condition keys for Amazon S3": https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

When configuring S3 bucket access controls for a static website, the goal is the most secure configuration that still leaves the site readable by the public: anonymous users get s3:GetObject on the website objects and nothing more. In this scenario some objects in the bucket are owned by a parent company's AWS account and the rest by the account that created the bucket. The deciding fact is that a bucket policy only governs objects owned by the bucket-owning account; objects owned by another account are governed by that account's object ACLs. Each option is evaluated against that rule below.

A. Create a bucket policy that grants s3:GetObject access to the objects owned by the parent company account. Incorrect. Bucket policies can grant permissions to principals outside the account, but they cannot grant permissions on objects the bucket owner does not own. A statement naming the parent company's objects would have no effect on them, and the website would fail to serve those files.

B. Create a bucket policy that grants s3:GetObject access to the objects in the bucket owned by the account used to create the S3 bucket that will host the website. Correct. A single statement with Principal "*", Action s3:GetObject and Resource arn:aws:s3:::bucket-name/* makes all of the bucket owner's content publicly readable while granting no listing or write permissions. This is the least-privilege way to expose the majority of the site's content.

C. Create an object access control list to grant read permissions on objects owned by the account used to create the S3 bucket that will host the website. Incorrect. An object ACL is a per-object grant to AWS accounts or predefined groups. It would work for the bucket owner's objects, but it duplicates what the bucket policy in option B already does and has to be applied and audited object by object, so it is not the most appropriate control for objects the bucket owner controls directly.

D. Create an object access control list to grant read permissions on objects owned by the parent company account. Correct. The bucket policy cannot reach these objects, so the only way to make them publicly readable is for the parent company account, as the object owner, to grant READ to everyone through an object ACL. The bucket owner cannot set these ACLs on the parent company's behalf.

E. Create a bucket policy that grants s3:GetObject access to the objects owned by the parent company account and the objects owned by the account used to create the S3 bucket that will host the website. Incorrect. Combining A and B into one policy does not change what a bucket policy can do: the part covering the bucket owner's objects would work, but the part covering the parent company's objects would not, leaving those files inaccessible.

In conclusion, the two controls that make the website publicly readable with the least exposure are a bucket policy that grants s3:GetObject on the objects owned by the account that created the bucket (B) and object ACLs, set by the parent company account, that grant read on the objects it owns (D). Two practical caveats: first, S3 Block Public Access must be relaxed only as far as each mechanism needs (BlockPublicPolicy and RestrictPublicBuckets for the public bucket policy, BlockPublicAcls and IgnorePublicAcls for the public ACLs), as the referenced user guide page describes. Second, this question assumes the ACL-enabled object ownership model; with S3 Object Ownership set to "Bucket owner enforced" (the default for new buckets since April 2023), ACLs are disabled, every object is owned by the bucket owner, and the bucket policy alone covers all objects, including those the parent company uploads.
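The following Python is an added example, not part of the original question or of the AWS documentation it cites. It models the two correct answers under the ACL-enabled object ownership model the question assumes: it builds the option B bucket policy, separates the objects that policy governs from those the parent company must open with an object ACL (option D), produces the Block Public Access settings each mechanism needs, and audits a bucket policy for anything a public principal should not hold. The bucket name, account IDs and object keys are constructed for the example.

```python
import json

# Constructed sample data, not from the page: a hypothetical bucket, the account
# that created it, the parent company's account, and who uploaded each object.
BUCKET = "example-static-site"
SITE_ACCOUNT = "111111111111"    # account that created the bucket (bucket owner)
PARENT_ACCOUNT = "222222222222"  # parent company's account
OBJECTS = {                       # object key -> owning account
    "index.html": SITE_ACCOUNT,
    "css/site.css": SITE_ACCOUNT,
    "img/logo.png": PARENT_ACCOUNT,
    "legal/terms.pdf": PARENT_ACCOUNT,
}

# The only action a public principal should ever hold on a static website bucket.
PUBLIC_ALLOWED_ACTIONS = {"s3:getobject"}


def public_read_bucket_policy(bucket: str) -> dict:
    """Option B: bucket policy granting anonymous read of objects only.

    Principal "*" makes it public; the Resource ends in /* so the bucket itself
    (listing) is not granted. It only takes effect on objects the bucket owner owns.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def split_by_control(bucket_owner: str, objects: dict) -> tuple:
    """Return (policy_covered, acl_required) key lists.

    Objects owned by the bucket owner are governed by the bucket policy. Objects
    owned by any other account are not; their owner must grant READ with an
    object ACL (option D), e.g. the canned 'public-read' ACL.
    """
    covered = sorted(k for k, o in objects.items() if o == bucket_owner)
    acl_required = sorted(k for k, o in objects.items() if o != bucket_owner)
    return covered, acl_required


def acl_commands(bucket: str, keys: list) -> list:
    """CLI the parent account (the object owner) runs; the bucket owner cannot
    set ACLs on objects it does not own."""
    return [f"aws s3api put-object-acl --bucket {bucket} --key {k} --acl public-read"
            for k in keys]


def required_public_access_block(policy_used: bool, acls_used: bool) -> dict:
    """S3 Block Public Access settings, relaxed only as far as the chosen mechanism needs.

    BlockPublicPolicy/RestrictPublicBuckets override a public bucket policy;
    BlockPublicAcls/IgnorePublicAcls override public object ACLs.
    """
    return {
        "BlockPublicAcls": not acls_used,
        "IgnorePublicAcls": not acls_used,
        "BlockPublicPolicy": not policy_used,
        "RestrictPublicBuckets": not policy_used,
    }


def audit_public_statements(policy: dict) -> list:
    """Flag any public Allow statement that grants more than read of objects."""
    findings = []
    for st in policy.get("Statement", []):
        p = st.get("Principal")
        public = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if st.get("Effect") != "Allow" or not public:
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = st.get("Action", [])
        for a in ([actions] if isinstance(actions, str) else actions):
            if a.lower() not in PUBLIC_ALLOWED_ACTIONS:
                findings.append(f"{sid}: public principal granted {a}")
        resources = st.get("Resource", [])
        for r in ([resources] if isinstance(resources, str) else resources):
            if not r.endswith("/*"):
                findings.append(f"{sid}: public grant on bucket-level resource {r}")
    return findings


if __name__ == "__main__":
    covered, acl_required = split_by_control(SITE_ACCOUNT, OBJECTS)
    policy = public_read_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    print("audit findings:", audit_public_statements(policy))
    print("covered by bucket policy:", covered)
    print("need an ACL from the parent account:", acl_required)
    for cmd in acl_commands(BUCKET, acl_required):
        print(cmd)
    print(json.dumps(required_public_access_block(bool(covered), bool(acl_required)), indent=2))
```

The audit function is the check worth keeping around after the site is live: run it against the policy returned by get-bucket-policy whenever it changes, and treat any finding (a public s3:ListBucket, an s3:* or a grant on the bucket ARN rather than bucket/*) as a regression from "publicly readable" to "publicly browsable or writable".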