Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

bucket policy vs IAM roles policy

0

I have a bucket policy mentioning some roles with only get and put object permission. I also have another Role and a separate policy attached to it having multipart upload permission along with KMS decrypt and generate data key permission attached to lambda function. While lambda execution , getting assumed role/lambdaname does not have generatedatakey permission. But the permission is there for the role. Should i add this role along with all permissions in the bucket policy. Does it have preference? I do have S3 vpc endpoint and kms:generatedatakey and KMS:Decrypt is not present there. Should i mention it there.

Themen
Sicherheit, Identität & KonformitätSpeicher
Tags
IAM-RichtlinienAmazon S3 Access Grants
Sprache
English
khalid
gefragt vor 2 Monaten126 Aufrufe
1 Antwort
1

Hi Khalid,

Rather than trying to reword it and be unprecise, I suggest you to go to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html to see how resource-based policies and identity-based policies work together.

The doc has nice charts that make it more visual so easier to understand.

Enter image description here

Best.

Didier

profile pictureAWS
EXPERTE
Didier_Durand
beantwortet vor 2 Monaten
profile picture
EXPERTE
Riku_Kobayashi
überprüft vor 2 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt