When adding the 2 policies in chapter 3.4 lab that contradicted (‘allow’, ‘deny’) the policy saved without the ARN bucket suffix ‘/*’.
This policy is displayed at 15:14 in this lesson.
The difference between needing to use the ‘/*’ on the bucket in the "Resource" statement is due to the listed "Actions" description.
The "Action":"s3:DeleteObject" is applied ‘on an object’ so the "Resource" ARN is required to be specified at the ‘object-level’; the /* is required in the suffix describing the resource.
The "Action":"s3:*" is applied to the entire bucket contents, i.e., all objects by default. In this case, the "Resource" ARN does not need to identify objects at the ‘object-level’ within the bucket, as the ‘Action’ is already being applied to ALL objects, i.e., the entire bucket.
So, specifying Actions ("s3:DeleteObject") at an object level requires a /* at the end of the resource descriptor.
Specifying the Actions ("s3:*") with the all-inclusive wildcard does not require the resource ARN to require any further granular descriptor other than the bucket itself.
Just to add to this, if you are specifying the actions ("s3:*"), you must realize that this contains all possible S3 operations, and so you will need two resource ARNs (one for the bucket level and another for the object level).
As an example, if the requester has s3:* permissions and is going to make a GetObject (object-level) and ListBucket (bucket-level) API call to the bucket, the resource value in the bucket policy must contain the ARN for both the bucket-level and the object-level resource to cater for these operations and to prevent a 403 Access Denied error.
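The case described in the reply above, as an added example that is not part of the original thread: a simplified Python model (not AWS's own evaluator; it ignores principals and conditions) of how a request is matched against a statement's "Action" and "Resource". The bucket name `example-bucket`, the small action subsets and all function names are assumptions made for the illustration.

```python
# Added illustration: simplified model of S3 Action/Resource matching.
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::example-bucket"  # constructed bucket name
# Small subset of S3 actions, grouped by the ARN shape they are evaluated against.
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketPolicy"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def request_arn(action, key=None):
    """Object-level calls target <bucket ARN>/<key>; bucket-level calls target the bucket ARN."""
    return f"{BUCKET}/{key}" if action in OBJECT_LEVEL else BUCKET

def evaluate(policy, action, key=None):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' (nothing matched, i.e. a 403)."""
    arn = request_arn(action, key)
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        # Action names are matched case-insensitively, resource ARNs case-sensitively.
        action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"]))
        resource_ok = any(fnmatchcase(arn, r) for r in _as_list(st["Resource"]))
        if action_ok and resource_ok:
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny always wins
            decision = "Allow"
    return decision

def policy(resources, effect="Allow", action="s3:*"):
    """Build a one-statement policy document."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": action, "Resource": resources}]}

bucket_only = policy(BUCKET)                # matches only bucket-level requests
objects_only = policy(BUCKET + "/*")        # matches only object-level requests
both = policy([BUCKET, BUCKET + "/*"])      # covers both kinds of request

if __name__ == "__main__":
    for name, p in [("bucket only", bucket_only), ("objects only", objects_only), ("both", both)]:
        print(f"{name:13} ListBucket={evaluate(p, 's3:ListBucket')} "
              f"GetObject={evaluate(p, 's3:GetObject', 'report.txt')}")
```
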