A sysadmin has created the policy below on an S3 bucket named cloudacademy. The bucket contains
both the AWS.jpg and index.html objects. What does this policy define?
"Statement": [{
  "Sid": "Stmt1388811069831",
  "Effect": "Allow",
  "Principal": { "AWS": "*" },
  "Action": [ "s3:GetObjectAcl", "s3:ListBucket", "s3:GetObject" ],
  "Resource": [ "arn:aws:s3:::cloudacademy/*.jpg ]
}]
A. It will make all the objects as well as the bucket public
B. It will throw an error for the wrong action and will not allow the policy to be saved
C. It will make the AWS.jpg object public
D. It will make the AWS.jpg object as well as the cloudacademy bucket public
It is because the statement doesn’t have a version.
0
0
This will make all .jpgs public. The answer needs to be fixed.
0
0
Policies are bucket level. ACLs can be bucket or object.
The answer should read like the below.
A. It is not possible to define a policy at the object level
0
0
The policy was applied at the Resource level, but it affects the object aws.jpeg.
I don’t see any article that mentions that policies can’t define access to objects.
0
0
B is correct.
It is not possible to define a policy at the object level.
Object has only ACLs.
0
0
Policy at the object level is a no-no. It will throw an error. Hence, B.
0
0
B
0
0
b
0
0
Why is it not possible to define an access policy at the object level?
Access policy describes who has access to what. You can associate an access policy with a resource (bucket and object) or a user
http://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-overview.html
0
0
“A sysadmin can grant permission to the S3 objects or the buckets to any user, or make objects public, using the bucket policy and user policy. Both use the JSON-based access policy language. Generally, if a user defines the ACL on the bucket, the objects in the bucket do not inherit it, and vice versa. The bucket policy can be defined at the bucket level,
which allows the objects as well as the bucket to be made public with a single policy applied to that bucket.
In the policy, the action says “S3:ListBucket” for effect Allow, and when there is no bucket name mentioned as a part of the resource, it will throw an error and not save the policy.”
So B is still the answer 🙂
0
0
Perfect, answer B, with a proper explanation for the error.
0
0
Isn’t “cloudacademy” the bucket name? It’s listed as a resource
0
0
“arn:aws:s3:::cloudacademy/*.jpg
it will throw an error
apostrophe is not closed
0
0
Gives an error; you cannot have ListBucket at the object level, you need a separate statement for that.
0
0
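The explanation quoted above and the last comment both come down to the same check: s3:ListBucket is a bucket-level action and only matches a bucket ARN (arn:aws:s3:::bucket), while s3:GetObject and s3:GetObjectAcl only match object ARNs (arn:aws:s3:::bucket/key). The script below is an added example, not from the question or the comments; it reproduces that check locally with a small hand-written action table (not the full S3 action list and not AWS's own validator) and shows the question's statement failing next to a two-statement version that passes. The Sids ListCloudacademy and ReadJpgs are constructed.

```python
# Which actions apply to the bucket itself and which to objects in it.
# Constructed subset for this example; the real S3 action list is much longer.
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectAcl"}


def arn_kind(arn):
    """Classify an S3 ARN as 'bucket' (no key part) or 'object' (bucket/key)."""
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        return "unknown"
    return "object" if "/" in arn[len(prefix):] else "bucket"


def check_statement(stmt):
    """Return the actions in one statement that match none of its resources."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    kinds = {arn_kind(r) for r in resources}
    problems = []
    for action in actions:
        need = "bucket" if action in BUCKET_ACTIONS else "object" if action in OBJECT_ACTIONS else None
        if need and need not in kinds:
            problems.append(f"{action} needs a {need} ARN but resources are {sorted(kinds)}")
    return problems


def check_policy(policy):
    """Map each statement's Sid to its list of problems (empty list = statement is fine)."""
    return {s.get("Sid", f"#{i}"): check_statement(s) for i, s in enumerate(policy["Statement"])}


# The question's statement (with the closing quote on the ARN fixed so it parses).
QUESTION_POLICY = {"Statement": [{
    "Sid": "Stmt1388811069831", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": ["s3:GetObjectAcl", "s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::cloudacademy/*.jpg"]}]}

# Same intent split into a bucket-level and an object-level statement. Note that the
# first one lets anyone list every key in the bucket, not just the .jpg objects.
FIXED_POLICY = {"Statement": [
    {"Sid": "ListCloudacademy", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::cloudacademy"},
    {"Sid": "ReadJpgs", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:GetObjectAcl"],
     "Resource": "arn:aws:s3:::cloudacademy/*.jpg"}]}

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        print(name, check_policy(policy))
```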