Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

bucket policy vs IAM roles policy

0

I have a bucket policy mentioning some roles with only get and put object permission. I also have another Role and a separate policy attached to it having multipart upload permission along with KMS decrypt and generate data key permission attached to lambda function. While lambda execution , getting assumed role/lambdaname does not have generatedatakey permission. But the permission is there for the role. Should i add this role along with all permissions in the bucket policy. Does it have preference? I do have S3 vpc endpoint and kms:generatedatakey and KMS:Decrypt is not present there. Should i mention it there.

Tópicos
Segurança, identidade e conformidadeArmazenamento
Tags
Políticas do IAMPermissões de acesso Amazon S3
Idioma
English
khalid
feita há 2 meses126 visualizações
1 Resposta
1

Hi Khalid,

Rather than trying to reword it and be unprecise, I suggest you to go to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html to see how resource-based policies and identity-based policies work together.

The doc has nice charts that make it more visual so easier to understand.

Enter image description here

Best.

Didier

profile pictureAWS
ESPECIALISTA
Didier_Durand
respondido há 2 meses
profile picture
ESPECIALISTA
Riku_Kobayashi
avaliado há 2 meses

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante