bucket policy vs IAM roles policy

0

I have a bucket policy mentioning some roles with only GetObject and PutObject permission. I also have another role, and a separate policy attached to it, with multipart upload permission along with KMS Decrypt and GenerateDataKey permission, attached to a Lambda function. During Lambda execution, I get "assumed role/lambdaname does not have GenerateDataKey permission". But the permission is there for the role. Should I add this role along with all permissions in the bucket policy? Does it have preference? I do have an S3 VPC endpoint, and kms:GenerateDataKey and kms:Decrypt are not present there. Should I mention them there?

1 Answer
1

Hi Khalid,

Rather than trying to reword it and be imprecise, I suggest you go to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html to see how resource-based policies and identity-based policies work together.

The doc has nice charts that make it more visual, so it is easier to understand.


Best.

Didier

AWS
EXPERT
answered a year ago
EXPERT
reviewed a year ago
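The question turns on how a same-account request is decided when an identity-based policy (the Lambda role's), resource-based policies (the bucket policy and the KMS key policy) and a VPC endpoint policy are all in play. The Python model below is an added example written for this thread, not AWS code and not the answerer's material: it encodes the documented same-account evaluation order (an explicit Deny anywhere wins; otherwise an Allow in either the identity policy or the resource policy suffices, except that KMS requires the key policy to grant the role or delegate to the account; an endpoint policy only filters calls to its own service) and runs the two calls the Lambda makes, s3:PutObject and kms:GenerateDataKey, against constructed placeholder policies. The account id, role, bucket and key ARNs are made up, and conditions, SCPs and permission boundaries are left out.

```python
"""Simplified same-account IAM evaluation (added illustration, not AWS code).
Principals are compared by role ARN; real bucket/key policies naming a role
also match that role's assumed-role sessions, which is the Lambda's case."""
import fnmatch

ACCOUNT = "111122223333"  # constructed placeholder account id
ROLE = f"arn:aws:iam::{ACCOUNT}:role/lambda-uploader"  # hypothetical role
BUCKET = "arn:aws:s3:::example-uploads"  # hypothetical bucket
KEY = f"arn:aws:kms:eu-west-1:{ACCOUNT}:key/11111111-2222-3333-4444-555555555555"


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _glob(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_kind(principal, arn):
    """'direct' if the statement names the principal (or '*'), 'delegated' if
    it names the account root (which only lets identity policies decide),
    None if the statement does not apply to this principal."""
    if principal == "*":
        return "direct"
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", arn):
            return "direct"
        if p.endswith(":root") and p.split(":")[4] == arn.split(":")[4]:
            return "delegated"
    return None


def _effects(policy, principal, action, resource, *, resource_based):
    """Collect (Effect, kind) pairs from statements matching the request."""
    found = set()
    for stmt in policy["Statement"]:
        kind = "direct"
        if resource_based:
            kind = _principal_kind(stmt["Principal"], principal)
            if kind is None:
                continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]  # actions are case-insensitive
        if _glob(actions, action.lower()) and _glob(stmt["Resource"], resource):
            found.add((stmt["Effect"], kind))
    return found


def evaluate(principal, action, resource, identity_policies, resource_policies, endpoints=()):
    """Return (allowed, reason) for a same-account request."""
    service = action.split(":")[0].lower()
    ident, res, ep = set(), set(), set()
    for pol in identity_policies:
        ident |= _effects(pol, principal, action, resource, resource_based=False)
    for pol in resource_policies:
        res |= _effects(pol, principal, action, resource, resource_based=True)
    # An endpoint policy is only in the path for calls to its own service:
    # an S3 gateway endpoint never sees kms:* calls.
    in_path = [e for e in endpoints if e["service"] == service]
    for e in in_path:
        ep |= _effects(e["policy"], principal, action, resource, resource_based=True)
    if any(eff == "Deny" for eff, _ in ident | res | ep):
        return False, "explicit deny"
    identity_allow = ("Allow", "direct") in ident
    resource_allow = ("Allow", "direct") in res or (("Allow", "delegated") in res and identity_allow)
    if service == "kms" and not resource_allow:
        return False, "key policy grants neither the role nor the account root"
    if not (identity_allow or resource_allow):
        return False, "no policy allows the action"
    if in_path and not any(eff == "Allow" for eff, _ in ep):
        return False, f"{service} VPC endpoint policy blocks the call"
    return True, "allowed"


# Constructed policies mirroring the question's setup.
LAMBDA_ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Resource": f"{BUCKET}/*",
     "Action": ["s3:PutObject", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY},
]}
BUCKET_POLICY = {"Statement": [  # names another role only, not the Lambda role
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/reader"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": f"{BUCKET}/*"},
]}
KEY_POLICY_DELEGATING = {"Statement": [  # standard "enable IAM policies" statement
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
     "Action": "kms:*", "Resource": "*"},
]}
KEY_POLICY_CLOSED = {"Statement": [  # key policy that never mentions the account or the role
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/reader"},
     "Action": "kms:Decrypt", "Resource": "*"},
]}
S3_ENDPOINT = {"service": "s3", "policy": {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"]}]}}


def lambda_upload_check(key_policy):
    """Evaluate the two calls the Lambda makes and return their verdicts."""
    obj = f"{BUCKET}/report.csv"
    put = evaluate(ROLE, "s3:PutObject", obj, [LAMBDA_ROLE_POLICY], [BUCKET_POLICY], [S3_ENDPOINT])
    gdk = evaluate(ROLE, "kms:GenerateDataKey", KEY, [LAMBDA_ROLE_POLICY], [key_policy], [S3_ENDPOINT])
    return {"s3:PutObject": put, "kms:GenerateDataKey": gdk}


if __name__ == "__main__":
    for name, pol in (("delegating key policy", KEY_POLICY_DELEGATING), ("closed key policy", KEY_POLICY_CLOSED)):
        print(name, lambda_upload_check(pol))
```

Two things the run makes visible. The PutObject call is allowed although the bucket policy never names the Lambda role, because in the same account an identity-policy Allow is enough when no policy denies it, so adding the role to the bucket policy only matters if the bucket policy carries a Deny. The GenerateDataKey call, by contrast, flips from allowed to denied purely on the key policy: with the closed key policy the identity policy's Allow is ignored, which is one way the "does not have GenerateDataKey permission" error arises even though the role policy looks right. The S3 endpoint policy plays no part in the KMS decision at all, so listing kms:* actions there changes nothing.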
