2 Answers
Thanks. We'll take a look at that lecture and see if it needs an update.
IMO the whitepaper is incorrect and incomplete, whilst the course content is correct but not complete. I'm using the whitepaper here https://d1.awsstatic.com/whitepapers/aws-security-whitepaper.pdf, page 49, second bullet: "Access Control Lists (ACLs). Within Amazon S3, you can use ACLs to give read or write access on buckets or objects to groups of users. With ACLs, you can only grant other AWS accounts (not specific users) access to your Amazon S3 resources."
As described by Ryan (03:10 to 04:51) in the current course content this can be done for a user in the same account using CLI or API using both the AWS account number and the canonical user id.
There’s also a step by step example on how to do this between two different accounts in the s3 documentation, again using the CLI or API. https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example3.html
Steve, sorry, but you're wrong on that. The lecture is absolutely wrong. At 4:40, Ryan says "Yes you can apply object ACLs to individual IAM users". ACLs can only be applied to canonical IDs or e-mail addresses, i.e. the ACL applies to the entire account. The link and your description further clarify that it only operates at the account level. The documentation on canonical IDs even says, "The canonical user ID is an identifier for your account" https://docs.aws.amazon.com/general/latest/gr/acct-identifiers.html#FindingCanonicalId
Point is, there is no such thing as a canonical user ID for an IAM user. The only time an account might have more than one canonical ID (that I'm aware of) is with CloudFront distributions.
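The thread turns on what an S3 ACL grant can actually name. Every grantee type in an ACL document (`CanonicalUser`, `AmazonCustomerByEmail`, or a predefined `Group` URI) identifies an AWS account or a group of accounts, never an individual IAM user. The following is an added example, not code from the course or from either poster: it audits an ACL in the JSON shape that `aws s3api get-bucket-acl` / `get-object-acl` return and classifies each grant as owner-only, cross-account, public, or service. The ACL and the 64-character canonical IDs in it are constructed placeholders.

```python
"""Audit an S3 ACL document for grants that reach outside the owning account.

Added example (not from the course or the thread). SAMPLE_ACL is a constructed
ACL in the shape returned by `aws s3api get-bucket-acl`; the canonical IDs are
made-up placeholders, not real account identifiers.
"""
import json
import sys
from collections import Counter

OWNER_ID = "a" * 64          # constructed placeholder: owning account's canonical ID
OTHER_ACCOUNT_ID = "b" * 64  # constructed placeholder: some other account's canonical ID

# Predefined groups that make a grant public. These URIs are the ones S3 uses.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Constructed sample ACL. Note that no grantee refers to an IAM user; there is
# no grantee type for one, which is the point made in the thread.
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID, "DisplayName": "owner-account"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": OTHER_ACCOUNT_ID}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"},
         "Permission": "WRITE"},
    ],
}


def classify_grant(grant, owner_id):
    """Return (severity, description) for one ACL grant.

    Severities: "ok" (owning account), "cross-account" (another account by
    canonical ID or e-mail), "public" (AllUsers / AuthenticatedUsers),
    "service" (other predefined group such as LogDelivery), "unknown".
    """
    grantee = grant["Grantee"]
    perm = grant["Permission"]
    gtype = grantee.get("Type")
    if gtype == "CanonicalUser":
        if grantee.get("ID") == owner_id:
            return "ok", f"{perm} to owning account"
        return "cross-account", f"{perm} to account {grantee.get('ID', '')[:8]}..."
    if gtype == "AmazonCustomerByEmail":
        # E-mail grants resolve to the account registered with that address.
        return "cross-account", f"{perm} to account registered as {grantee.get('EmailAddress')}"
    if gtype == "Group":
        uri = grantee.get("URI", "")
        if uri in PUBLIC_GROUPS:
            return "public", f"{perm} to {PUBLIC_GROUPS[uri]}"
        return "service", f"{perm} to group {uri.rsplit('/', 1)[-1]}"
    return "unknown", f"{perm} to unrecognised grantee type {gtype!r}"


def audit_acl(acl):
    """Classify every grant in an ACL document; returns a list of (severity, description)."""
    owner_id = acl["Owner"]["ID"]
    return [classify_grant(g, owner_id) for g in acl.get("Grants", [])]


def is_public(acl):
    """True if any grant goes to AllUsers or AuthenticatedUsers."""
    return any(sev == "public" for sev, _ in audit_acl(acl))


def summarize(acl):
    """Count grants per severity, e.g. {"ok": 1, "cross-account": 1, ...}."""
    return dict(Counter(sev for sev, _ in audit_acl(acl)))


if __name__ == "__main__":
    # Pipe `aws s3api get-bucket-acl --bucket NAME` output in, or run with no
    # input to audit the constructed sample.
    acl = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ACL
    for severity, description in audit_acl(acl):
        print(f"[{severity:<13}] {description}")
    print("public:", is_public(acl), "|", summarize(acl))
```

Run with no input to see the constructed sample classified, or pipe the JSON output of `aws s3api get-bucket-acl --bucket NAME` (or `get-object-acl --bucket NAME --key KEY`) into it to check a real bucket. Two grants in the sample are flagged public and one is flagged cross-account; nothing in the classifier needs to know about IAM users, because the ACL format has nowhere to put one.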