Hopefully this helps answer the question and the original context for why we created APs.
In short, AP Policies and Bucket Policies work together. Typically, customers create an AP and corresponding AP Policy to limit the size and complexity of a single bucket policy on a large shared S3 bucket. The AP Policy has a smaller "Blast Radius" for making changes/edits and auth lists in general. You can "narrow the scope" of authorization more precisely/easily with an AP Policy by limiting it to:
- Specific Prefixes
- Specific originating VPC
- Specific Tags on Objects
You can then even use the bucket policy to further restrict access completely to the bucket to ONLY allow access to the bucket completely via an Access Point. This is the preferred method since customers who want Access Points do not want to manage access to the shared bucket via both AP Policies AND bucket policies. Though, if you choose to have both access methods set up with different users/groups/principals, they do work together and the most restrictive IAM guidelines still govern precedence. The replies above are correct. Denies will rule and most restrictive still wins.
Again, usually you want to just have the bucket policies set to point to the AP Policies to govern access to a shared bucket though. Much easier than managing BOTH bucket policies and AP policies.
To go even further, you can even use an SCP for AWS Orgs to restrict that all buckets be accessed via APs.
Hope this helps
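The bucket-policy-delegates-to-access-point pattern described above, with a simplified evaluator for the "denies rule, most restrictive wins" behaviour; this is an added example, not the answerer's code, and the account id, bucket, access point name and prefix are constructed values. The evaluator models only the pieces the answer talks about (no Principal or identity-policy evaluation, and only the StringEquals/StringNotEquals condition operators), so it is an illustration of the precedence rules rather than the real IAM engine.

```python
import fnmatch

# Constructed sample identifiers, not from the original post.
ACCOUNT, BUCKET, AP, PREFIX = "111122223333", "shared-bucket", "team-a-ap", "team-a/"
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]
AP_ARN = f"arn:aws:s3:us-east-1:{ACCOUNT}:accesspoint/{AP}"

# Bucket policy: delegate to this account's access points and explicitly deny any
# request not arriving through one (this Deny also blocks direct admin access).
BUCKET_POLICY = [
    {"Sid": "DelegateToAccessPoints", "Effect": "Allow", "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}}},
    {"Sid": "DenyDirectAccess", "Effect": "Deny", "Action": "s3:*", "Resource": BUCKET_ARNS,
     "Condition": {"StringNotEquals": {"s3:DataAccessPointAccount": ACCOUNT}}},
]
# Access point policy: the narrowed scope, read-only and only under one prefix.
AP_POLICY = [{"Sid": "TeamAPrefixRead", "Effect": "Allow", "Action": "s3:GetObject",
              "Resource": f"{AP_ARN}/object/{PREFIX}*"}]

def _match(stmt, req):
    """Simplified statement match: Principal ignored, only StringEquals/StringNotEquals."""
    as_list = lambda v: v if isinstance(v, list) else [v]
    if not any(fnmatch.fnmatchcase(req["action"], a) for a in as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(r, p) for p in as_list(stmt["Resource"]) for r in req["resources"]):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        for key, want in keys.items():
            have = req["context"].get(key)  # absent key -> None
            if (op == "StringEquals" and have != want) or (op == "StringNotEquals" and have == want):
                return False
    return True

def evaluate(req):
    """Explicit Deny in either policy wins; a request through an access point must then be
    allowed by BOTH policies, a direct request only by the bucket policy."""
    via_ap = "s3:DataAccessPointAccount" in req["context"]
    policies = [BUCKET_POLICY, AP_POLICY] if via_ap else [BUCKET_POLICY]
    results = [{s["Effect"] for s in p if _match(s, req)} for p in policies]
    if any("Deny" in r for r in results):
        return "Deny"
    return "Allow" if all("Allow" in r for r in results) else "ImplicitDeny"

def request(action, key, via_ap):
    """Same object addressed by its bucket ARN and, through the access point, its AP ARN."""
    res, ctx = [f"arn:aws:s3:::{BUCKET}/{key}"], {}
    if via_ap:
        res.append(f"{AP_ARN}/object/{key}")
        ctx["s3:DataAccessPointAccount"] = ACCOUNT
    return {"action": action, "resources": res, "context": ctx}
```

Calling `evaluate(request("s3:GetObject", "team-a/report.csv", True))` returns "Allow", while the same read sent directly to the bucket returns "Deny" and a read of `team-b/...` through the access point falls to "ImplicitDeny".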