Certified Security - Specialty


S3 Bucket Policies Content Improvement within the Certified Security Specialist Course

There is an improvement that can be made around the 9:15 mark in the S3 Bucket Policies video within the Certified Security Specialty course. Ryan states that the "/*" wildcard is necessary for Bucket Policies and that this question will come up on the exam but this is incorrect. Certain S3 Actions require that wildcard but that same wildcard will generate an error message for other Action commands.

For instance, Ryan’s video is using the s3:DeleteObject Action for his example and this Action requires the "/*" Resource wildcard so that AWS knows the policy applies to ALL objects within that bucket; without that wildcard the AWS console will return an error in applying this policy. BUT – using this same scenario with the s3:DeleteBucket Action instead of s3:DeleteObject returns an error if the "/*" wildcard is used in this ARN segment, because the DeleteBucket Action is to be applied to S3 buckets, NOT objects within the buckets themselves.

Thanks for all the great work your ACG team is doing! With your help I was able to pass the Certified Cloud Practitioner and the Associate Solutions Architect exams.

4 Answers

Yes I think it is inconsistent the way that rule seems to apply! Sometimes you need to add the wildcard and sometimes not.. I’ll take a look at this and see if I can figure out when you need it and if there’s a reason behind it!

js.doolittle

s3:DeleteObject requires you to pass a resource that is either an object or an array of objects; "/*" returns an array of objects. I believe you can end with a "/" if you also add an object in that bucket to the ARN, although that would be a very strange use case. Adding "/" to the bucket ARN passes a bucket to s3:DeleteBucketAction. The s3:DeleteBucketObject function requires you to pass a bucket to the input parameters.

Steve M

The details of which actions support which resources are found here in the actions table https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html

Thanks js.doolittle and Faye! I’ve researched this and figured out the consistent rationale. This rationale is important too because I took one of AWS’ own Security Specialty practice tests and understanding this rationale was required for me to get one of the practice test’s questions correct.

There are two kinds of AWS S3 Bucket "Actions": 1 – Object Operations and 2 – Bucket Operations. Object Operations Actions must be applied to an object or an array of objects, while Bucket Operations Actions must be applied to a bucket or a selection of buckets. Therefore the s3:DeleteObject action requires that it is applied to an object resource or a wildcard of object resources such as: "arn:aws:s3:::examplebucket/*". I have included the AWS link below that explains the topic perfectly.

https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html

Considering this topic is important enough for AWS to include it in their practice tests, I would think that the content in the ACG video should be updated accordingly whenever your team takes its next pass through making Security Specialty updates.

Yes, thanks Brian et al. I tested this too. Essentially, it's best practice to create two statements, one for object operations and one for bucket operations, if you are pointing to a single bucket. For object operations the relevant ARN resource needs a /* at the end. If you need to allow bucket operations on the same bucket ARN, do not add the /*, otherwise it will fail unless you are using a wildcard for all users in the principal parameter. Looks like explicit denies and allows permit the use of the /* too, although I tested without the /* and they work fine without them.

I think the answer is to include both resource types, for example:

```json
{
  "Action": [
    "s3:DeleteBucket",
    "s3:DeleteObject"
  ],
  "Effect": "Allow",
  "Resource": [
    "arn:aws:s3:::testpolicybucket/*",
    "arn:aws:s3:::testpolicybucket"
  ]
}
```

Steve M

Whilst this will work today, it’s not always been consistent and is not a workaround for all services or resource types. Using the actions table for each AWS service will show which resources are supported for each action in an AWS service. For S3, the action table is here https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazons3.html and the complete list for all services is in the topics list at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
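The object-vs-bucket rule from this thread can be checked mechanically before a policy is applied. The following is an added example (not from the course, the thread, or AWS); the action classification is a small hand-picked subset and the sample policy, account id and user name are constructed placeholders.

```python
import json

# Illustrative subset of S3 actions grouped by the resource type they act on.
# The authoritative list is the S3 actions table linked in this thread; this
# map is an assumption for the example only and is deliberately incomplete.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectVersion"}
BUCKET_ACTIONS = {"s3:DeleteBucket", "s3:ListBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy"}
S3_ARN_PREFIX = "arn:aws:s3:::"


def is_object_arn(arn: str) -> bool:
    """Object ARNs carry a key or wildcard after the bucket name (bucket/* or bucket/key)."""
    return arn.startswith(S3_ARN_PREFIX) and "/" in arn[len(S3_ARN_PREFIX):]


def check_statement(stmt: dict) -> list:
    """Return findings for one statement; an empty list means every action has a matching ARN."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
    object_arns = [r for r in resources if is_object_arn(r)]
    bucket_arns = [r for r in resources if not is_object_arn(r)]
    findings = []
    for action in actions:
        if action in OBJECT_ACTIONS and not object_arns:
            findings.append(f"{action} is an object operation but no object ARN (bucket/*) is listed")
        elif action in BUCKET_ACTIONS and not bucket_arns:
            findings.append(f"{action} is a bucket operation but no bucket ARN (no trailing /) is listed")
        elif action not in OBJECT_ACTIONS | BUCKET_ACTIONS:
            findings.append(f"{action} is not in the illustrative map; consult the S3 actions table")
    return findings


def check_policy(policy_json: str) -> dict:
    """Map each statement's Sid (or its index) to the findings for that statement."""
    policy = json.loads(policy_json)
    return {s.get("Sid", str(i)): check_statement(s) for i, s in enumerate(policy["Statement"])}


# Constructed sample policy: "Both" mirrors the fix posted above (both ARN forms);
# "ObjectOnBucketArn" reproduces the mistake the thread discusses.
PRINCIPAL = {"AWS": "arn:aws:iam::111122223333:user/example-user"}  # placeholder
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Both", "Effect": "Allow", "Principal": PRINCIPAL,
     "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::testpolicybucket/*", "arn:aws:s3:::testpolicybucket"]},
    {"Sid": "ObjectOnBucketArn", "Effect": "Allow", "Principal": PRINCIPAL,
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::testpolicybucket"},
]})

if __name__ == "__main__":
    for sid, findings in check_policy(SAMPLE_POLICY).items():
        print(sid, "OK" if not findings else findings)
```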
