bucket policy vs IAM roles policy

0

I have a bucket policy mentioning some roles with only get and put object permission. I also have another Role and a separate policy attached to it having multipart upload permission along with KMS decrypt and generate data key permission attached to lambda function. While lambda execution , getting assumed role/lambdaname does not have generatedatakey permission. But the permission is there for the role. Should i add this role along with all permissions in the bucket policy. Does it have preference? I do have S3 vpc endpoint and kms:generatedatakey and KMS:Decrypt is not present there. Should i mention it there.

khalid
feita há 3 meses139 visualizações
1 Resposta
1

Hi Khalid,

Rather than trying to reword it and be unprecise, I suggest you to go to https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html to see how resource-based policies and identity-based policies work together.

The doc has nice charts that make it more visual so easier to understand.

Enter image description here

Best.

Didier

profile pictureAWS
ESPECIALISTA
respondido há 3 meses
profile picture
ESPECIALISTA
avaliado há 3 meses

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas