1 Answer
If I may add on to Luis’ excellent comment, I wanted to point out some nuances to bucket policies. Using the DENY policy at 14:05 as an example, the policy states:
If any Principal attempts to perform any S3 action on any object in the myacloudgurusecuritybucket, deny access.
This does indeed have the effect of denying any sort of access to the objects in the bucket. It does NOT, however, limit access to the bucket itself, as the bucket is not specified in the Resource line.
Given this, if a Principal is allowed to perform bucket-level actions, either through IAM or the bucket policy itself, they can perform those actions even with this policy in place.
For example, if a Principal is allowed to perform s3:PutBucketPolicy, even with this policy on the bucket, they will be able to change the "Deny" effect to "Allow", giving themselves (and everyone else in the world, for that matter) access to the objects in the bucket.
Side note: If you do set up a Deny all policy on the bucket, no user will be able to perform any bucket operations. If I recall correctly, most, if not all, of the s3:*Object commands require at least s3:ListBucket, so that keeps you from performing any object operations as well. The root user of the account will be able to change the bucket policy, even if they can’t do anything else.
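To make the Resource distinction concrete, here is an added example (not from the course or from the answer above) that embeds two constructed bucket policies, the object-only Deny described in the answer and the same Deny extended to the bucket ARN, and runs a minimal matcher over a few sample actions to show which ones each policy actually reaches. The bucket name is the one from the discussion; the object keys and the helper names (`explicitly_denied`, `coverage_report`) are assumptions. Only a slice of the real IAM evaluation logic is modelled: explicit Deny with Principal "*", wildcard matching, no Condition/NotAction/NotResource and no identity-policy Allow side.

```python
import fnmatch

BUCKET = "myacloudgurusecuritybucket"  # bucket name taken from the discussion

# Constructed policy: the Deny from the answer, scoped to objects only.
# Note the Resource ends in "/*": the bucket ARN itself is not listed.
OBJECT_ONLY_DENY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyObjectsOnly",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Constructed policy: the same Deny, but covering the bucket ARN as well,
# so bucket-level actions such as s3:PutBucketPolicy are also caught.
BUCKET_AND_OBJECT_DENY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyBucketAndObjects",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    fnmatch treats '[' as a character class, which IAM does not, so escape it."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def explicitly_denied(policy, action, resource_arn):
    """Return True if a Deny statement with Principal "*" matches both the action
    and the resource ARN. Conditions and Not* elements are not modelled (assumption)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            continue  # outside the slice this example models
        # Action names are case-insensitive in IAM; resource ARNs are not.
        action_hit = any(_matches(a.lower(), action.lower())
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource_arn)
                           for r in _as_list(stmt.get("Resource", [])))
        if action_hit and resource_hit:
            return True
    return False


def coverage_report(policy):
    """Map a few sample actions to whether the policy's Deny statements reach them.
    Object actions target an object ARN; bucket actions target the bucket ARN."""
    checks = {
        "s3:GetObject":       f"arn:aws:s3:::{BUCKET}/secret.txt",   # constructed key
        "s3:PutObject":       f"arn:aws:s3:::{BUCKET}/new.txt",      # constructed key
        "s3:ListBucket":      f"arn:aws:s3:::{BUCKET}",
        "s3:PutBucketPolicy": f"arn:aws:s3:::{BUCKET}",
    }
    return {action: explicitly_denied(policy, action, arn)
            for action, arn in checks.items()}


if __name__ == "__main__":
    for name, policy in (("object-only deny", OBJECT_ONLY_DENY),
                         ("bucket + object deny", BUCKET_AND_OBJECT_DENY)):
        print(name)
        for action, denied in coverage_report(policy).items():
            print(f"  {action:20s} {'DENIED' if denied else 'not covered'}")
```

Running it shows the gap the answer describes: with the object-only policy, s3:GetObject and s3:PutObject are denied but s3:ListBucket and s3:PutBucketPolicy are "not covered", so anything an identity policy allows at the bucket level still goes through. Adding the bare bucket ARN to Resource closes that, and, as the side note says, also blocks the bucket operations (including ListBucket) that everyday object work depends on, so such a statement is usually scoped with a Condition or a narrower Action list rather than left as a blanket s3:* Deny.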