IAM for S3

Bucket-Level Permissions

  • Permissions like s3:ListBucket apply to the bucket resource itself, e.g.:
    • arn:aws:s3:::test
  • Controls actions at the bucket level, such as listing the objects it contains, but does not grant access to the objects themselves.

Object-Level Permissions

  • Permissions such as s3:GetObject, s3:PutObject, and s3:DeleteObject apply to the objects inside a bucket, e.g.:
    • arn:aws:s3:::test/*
  • Grants the ability to retrieve, upload, or delete specific objects.

Resource Policies & aws:PrincipalOrgID

aws:PrincipalOrgID Condition

  • Can be used in S3 bucket policies (or other resource policies) to restrict access to AWS accounts within a specific AWS Organization.
  • Enforces organization-wide resource access control.

Example Use Case

  • Bucket: 2022-financial-data
  • The bucket policy carries an aws:PrincipalOrgID condition:
    • Effect:
      • Only principals from AWS accounts that are members of the Organization o-yyyyyyyyyy can access the bucket.
      • Requests from outside the Organization fail the condition, so the bucket policy grants them nothing and they are denied, regardless of the caller's IAM user permissions.
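The following added example (not part of the original notes and not AWS's evaluator) puts both ideas above into runnable form: an identity policy split into a bucket-level `s3:ListBucket` statement on `arn:aws:s3:::test` and an object-level statement on `arn:aws:s3:::test/*`, plus a bucket policy on `2022-financial-data` conditioned on `aws:PrincipalOrgID`. The evaluator is a deliberately simplified model of IAM (wildcard resource matching, `StringEquals` conditions, explicit deny over allow); it ignores SCPs, ACLs, `NotAction` and the cross-account rule that both the identity policy and the resource policy must allow. The policy documents, the object keys and the `o-zzzzzzzzzz` "outside" org id are constructed sample values.

```python
"""Simplified IAM/S3 policy evaluator (added teaching example, not AWS code).

Models only what the notes discuss: resource ARN matching (bucket ARN vs
object ARN pattern) and the aws:PrincipalOrgID condition key.
"""
import fnmatch

# Constructed identity policy: bucket-level ListBucket on the bucket ARN,
# object-level Get/Put on the object ARN pattern. Note the split resources.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::test"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::test/*"},
    ],
}

# Constructed bucket (resource) policy restricting access to one Organization.
# o-yyyyyyyyyy is the placeholder org id used in the notes.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::2022-financial-data",
                      "arn:aws:s3:::2022-financial-data/*"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-yyyyyyyyyy"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters (including '/'),
    # '?' matches exactly one character. ARNs contain no brackets, so
    # fnmatch's character-class syntax cannot misfire here.
    return fnmatch.fnmatchcase(value, pattern)


def _condition_ok(condition, context):
    # Only StringEquals is modelled. A context key that is absent from the
    # request (e.g. a principal that belongs to no Organization) fails it.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def _statement_decision(stmt, action, resource, context):
    """Return the statement's Effect if it applies to the request, else None."""
    if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
        return None
    if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
        return None
    if not _condition_ok(stmt.get("Condition", {}), context):
        return None
    return stmt["Effect"]


def evaluate(policies, action, resource, context=None):
    """'Allow' if some statement allows and none denies; otherwise 'Deny'.

    The default outcome is an implicit deny, which is what a failed
    aws:PrincipalOrgID condition produces: the Allow simply never applies.
    """
    context = context or {}
    decisions = [_statement_decision(s, action, resource, context)
                 for policy in policies for s in policy["Statement"]]
    if "Deny" in decisions:
        return "Deny"
    return "Allow" if "Allow" in decisions else "Deny"


def bucket_only_policy():
    """Identity policy containing just the bucket-level ListBucket statement."""
    return {"Version": "2012-10-17",
            "Statement": [IDENTITY_POLICY["Statement"][0]]}


if __name__ == "__main__":
    obj = "arn:aws:s3:::test/report.csv"
    print("ListBucket on bucket ARN:", evaluate([IDENTITY_POLICY], "s3:ListBucket", "arn:aws:s3:::test"))
    print("GetObject with only ListBucket granted:", evaluate([bucket_only_policy()], "s3:GetObject", obj))
    fin = "arn:aws:s3:::2022-financial-data/q1.csv"
    print("Org member GetObject:", evaluate([BUCKET_POLICY], "s3:GetObject", fin, {"aws:PrincipalOrgID": "o-yyyyyyyyyy"}))
    print("Outside-org GetObject:", evaluate([BUCKET_POLICY], "s3:GetObject", fin, {"aws:PrincipalOrgID": "o-zzzzzzzzzz"}))
```

Running the script shows the two points from the notes: the bucket-level statement alone never matches an object ARN, so `s3:GetObject` is denied until an `arn:aws:s3:::test/*` statement exists, and the bucket policy's Allow only applies when the request context carries the expected `aws:PrincipalOrgID`, so a caller from another Organization (or from no Organization at all) falls through to the implicit deny.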