S3 security

Question 1

S3 public or private?

Answer 1

Private but default, only ROOT has access to S3 initially.

Other permissions need to be granted explicitly.

Question 2

What does the feature - Block public access - do in S3?

Answer 2

Prevents data leak. It is a security layer that acts regardless of the resource permissions or policies attached to the bucket say. They apply only to public access permissions, not to any of the defined AWS identities.

Question 3

At what level is the - Block public access - of an S3 bucket set?

Answer 3

It is set at the bucket level.

Question 4

What is a bucket policy?

Answer 4

It is like identity policies but attached to resources. This will state WHO can access the resource (ALLOW/DENY)

Question 5

What is the difference between bucket policies and identity policies?

Answer 5

Resource policies are attached to resources and identity policies are attached to identities.
RP delimits WHO can access the resource and IP delimits WHAT that resource can access.

Question 6

To who can identity policies be attached?

Answer 6

Only to identities in your account. Identity policies can only control security in your account!

Question 7

Can identity policies control access to other accounts / external accounts?

Answer 7

No, identity policies can only control access for identities in your account, it can’t grant cross-account access.

Question 8

Can bucket policies ALLOW/DENY access to different accounts?

Answer 8

Yes, bucket policies can ALLOW/DENY access to whoever is the source, anonymous, same account, or different accounts and this is a MAJOR benefit.

Question 9

Can identity policies grant permissions to anonymous identities?

Answer 9

No, they can only influence identities that are known and in the same account.

Question 10

To who can bucket policies ALLOW/DENY access to?

Answer 10

Same account, different accounts, and anonymous principals.

Question 11

How many statements can a bucket policy have?

Answer 11

Multiple, each one can affect a different principal.

Question 12

How can you differentiate if a policy is a resource policy or an identity policy?

Answer 12

Only resource policies make explicit what is the principal that the policy applies to.
If it is there, it is probably a resource policy.

Question 13

In bucket policies, how do you apply a statement to anonymous principals?

Answer 13

By using wildcards in the principal field (*).

Question 14

What are the most used conditions that can be used in bucket policies?

Answer 14

Block or allow certain IP addresses.

Allow or deny access if you are using MFA.

Question 15

Can bucket policies force you to encrypt objects at upload?

Answer 15

Yes. It can be exclusive or inclusive

Question 16

How many bucket policies can you attach to a bucket?

Answer 16

Only 1.

Question 17

How many statements can a bucket policy have?

Answer 17

Multiple.

Question 18

What policies apply to an anonymous principal?

Answer 18

Only bucket policies.

Question 19

What policies apply to identities in the same account as the bucket?

Answer 19

Bucket policies + resource policies, because the principal is authenticated.

Question 20

What are the conditions for an external account to access your S3 bucket?

Answer 20

First, you need to have a bucket policy allowing access to the bucket from that external account.
Lastly, the external account needs to have access to S3 in general.

Question 21

Does AWS recommend the use of ACLs?

Answer 21

No, it is a legacy and AWS recommends using bucket policies or identity policies.

Question 22

What are the disadvantages of using ACLs?

Answer 22

They are inflexible.

Question 23

Powerup

Answer 23

Identity: controlling different resources.
Identity: when you have a preference for IAM and centralized control.
Identity: same account.
Bucket: just controlling S3 (no other services but specific products).
Bucket: anonymous or cross-account access.
ACLs: NEVER - unless you must.