S3 access point policy vs S3 bucket policies ... how they interact.


It's unclear to me how an S3 access point policy interacts with the S3 bucket policy. For example, can I have a bucket policy that denies every action on the entire bucket for all users (forget the root account) and then create an access point with a policy that allows some users to get files?

Or, in other words, are the access point policies independent from bucket policies? Are they evaluated in sequence (so it's an AND), or is it an OR?

Following up on the answers below:

It's interesting because both the bucket policy and the access point policy are resource policies, and in the mentioned page there is nothing about evaluating resource-based policies together with other resource-based policies.

The documentation comes to our help here: https://docs.aws.amazon.com/AmazonS3/latest/dev/creating-access-points.html

"For the access point policy to effectively grant access to Alice, the underlying bucket must also allow the same access to Alice. You can delegate access control from the bucket to the access point as described in Delegating access control to access points. Or, you can add the following policy to the underlying bucket to grant the necessary permissions to Alice. Note that the Resource entry differs between the access point and bucket policies."

So it seems it is an AND: both the access point and bucket policies must explicitly allow the access. But then, doesn't this defeat the purpose of avoiding the 20 KB policy size limitation on the S3 bucket??

AWS
asked 4 years ago, 2691 views
1 Answer
Accepted Answer

Hopefully this helps answer the question and gives the original context for why we created APs.

In short, AP Policies and Bucket Policies work together. Typically, customers create an AP and corresponding AP Policy to limit the size and complexity of a single bucket policy on a large shared S3 bucket. The AP Policy has a smaller "Blast Radius" for making changes/edits and auth lists in general. You can "narrow the scope" of authorization more precisely/easily with an AP Policy by limiting it to:

  • Specific Prefixes
  • Specific originating VPC
  • Specific Tags on Objects

You can then even use the bucket policy to further restrict access to the bucket completely, so that it can ONLY be accessed via an Access Point. This is the preferred method, since customers who want Access Points do not want to manage access to the shared bucket via both AP Policies AND bucket policies. Though, if you choose to have both access methods set up with different users/groups/principals, they do work together and the most restrictive IAM guidelines still govern precedence. The replies above are correct. Denies will rule and most restrictive still wins.

Again, usually you want to just have the bucket policies set to point to the AP Policies to govern access to a shared bucket though. Much easier than managing BOTH bucket policies and AP policies.

To go even further, you can even use an SCP for AWS Orgs to require that all buckets be accessed via APs.

Hope this helps

answered 4 years ago
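The pattern the answer describes, as an added example that is not from the thread or from AWS: a bucket policy that delegates authorization to access points owned by the bucket's account (using the `s3:DataAccessPointAccount` condition key), an access point policy scoped to one principal and one prefix, and a small audit helper that flags bucket-policy Allow statements which still permit direct (non-access-point) access. The account ID, bucket, access point and user names are constructed placeholders; `direct_access_allows` and `deny_direct_access_statement` are hypothetical helper names, and the Deny statement is the form you would adapt for the SCP the answer mentions.

```python
"""Added example (not from the re:Post thread or AWS documentation): build the two
resource policies the answer describes and audit a bucket policy for Allow
statements that bypass access-point delegation.  All identifiers below are
constructed placeholders."""
import json

ACCOUNT_ID = "123456789012"                      # constructed placeholder
BUCKET_ARN = "arn:aws:s3:::example-shared-bucket"  # constructed placeholder
AP_ARN = f"arn:aws:s3:us-west-2:{ACCOUNT_ID}:accesspoint/alice-ap"
ALICE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/Alice"


def delegating_bucket_policy(bucket_arn: str, account_id: str) -> dict:
    """Bucket policy that grants any action only when the request arrives through
    an access point owned by `account_id`.  A direct request to the bucket gets
    no Allow from this policy, so it falls back to the implicit deny."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateToAccessPoints",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": [bucket_arn, f"{bucket_arn}/*"],
            "Condition": {
                "StringEquals": {"s3:DataAccessPointAccount": account_id}
            },
        }],
    }


def deny_direct_access_statement(account_id: str) -> dict:
    """Explicit-deny form of the same rule (hypothetical helper): deny S3 object
    actions unless they come through one of this account's access points.
    Because an explicit Deny wins over any Allow, this is the statement to
    reuse where you want the restriction to hold regardless of other grants."""
    return {
        "Sid": "DenyUnlessViaAccessPoint",
        "Effect": "Deny",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"s3:DataAccessPointAccount": account_id}
        },
    }


def access_point_policy(ap_arn: str, principal_arn: str, prefix: str) -> dict:
    """Access point policy granting one principal read/write under one prefix.
    Note the resource is the access point ARN with /object/<prefix>*, not the
    bucket ARN, as the quoted documentation paragraph points out."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PrincipalPrefixOnly",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": f"{ap_arn}/object/{prefix}*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def direct_access_allows(bucket_policy: dict) -> list:
    """Audit helper (hypothetical): return the Sids of Allow statements that do
    not condition on s3:DataAccessPointAccount.  A non-empty result means the
    bucket is still reachable without an access point, so you are back to
    managing both the bucket policy and the AP policies."""
    leaks = []
    for stmt in _as_list(bucket_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        condition = stmt.get("Condition", {})
        delegated = any("s3:DataAccessPointAccount" in keys
                        for keys in condition.values())
        if not delegated:
            leaks.append(stmt.get("Sid", "<no Sid>"))
    return leaks


if __name__ == "__main__":
    bucket = delegating_bucket_policy(BUCKET_ARN, ACCOUNT_ID)
    ap = access_point_policy(AP_ARN, ALICE_ARN, "Alice/")
    print(json.dumps(bucket, indent=2))
    print(json.dumps(ap, indent=2))
    print("direct-access leaks:", direct_access_allows(bucket))
```

With both documents applied, a request from Alice through `alice-ap` for an object under `Alice/` is allowed by the access point policy and by the delegating bucket policy, while the same request sent straight to the bucket has no Allow to match and is denied. Running `direct_access_allows` over an existing bucket policy is a quick way to confirm you have actually reached the "only via access point" state the answer recommends.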
