4 Answers
The problem is not with the policy generator; the policy generator will allow you to generate the policy without the trailing /*, but when you apply that to an S3 bucket the policy is rejected as invalid.
Correct, the policy will fail without the trailing /*, and do be aware of this for the exam, because there are lots of troubleshooting scenarios using policies.
I believe there are situations in which the "/*" is not supposed to be on the end. For example, when specifying bucket-level actions (s3:GetBucketAcl) you will get an error if the "/*" is there. When specifying object-level actions (s3:GetObject) you will get an error if the "/*" isn't there. If you were to specify both bucket-level and object-level actions in the same statement, you need both resources (with and without "/*"). However, if you specify both resources but only one of the two actions, that also works. At least that's been my experience so far.
The policy generator doesn't generate the "/*" at all, even when it's needed. So I believe you'll need to know when to add "/*" when troubleshooting bucket policies.
If you are referring to adding the explicit deny and allow, I didn't get the error either. I played around with it, and it appears that when you specify a user, you have to use the wildcard. When you do not specify a user, no wildcard is necessary.
"Resource": "arn:aws:s3:::securitybucket",
"Principal": "*"
I also noticed this. Thank you. But is there some way we can determine for which actions we need to mention / in the resource, and for which actions we don't need to add /?
I think it is better to use both in the resource section in that case, i.e. "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"]
I agree; it seems to me that there isn't a problem with the policy generator, but instead missing info about the resources inside the bucket when you only include the bucket ARN. It seems to me that the policy looks for additional information (a specific resource or folder). The * wildcard is used to tell the system that it should apply to all folders and objects within the bucket.
Adding to this… if you specify the /* inside the policy generator after your bucket ARN, you can generate JSON that, pasted into the policy, will work without the error, because you already gave it the specific info about resources inside the bucket.
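The rule described in the thread (bucket-level actions such as s3:GetBucketAcl want the bare bucket ARN, object-level actions such as s3:GetObject want the ARN with a trailing /*, and a statement mixing both needs both resources) can be checked locally before you paste a policy into the console. The script below is an added example, not code from the course or from AWS: it lints a bucket policy for resource/action mismatches and, following the "list both ARNs" suggestion above, rewrites the Resource element so each statement carries the forms its actions need. The action sets are a hand-picked subset, not AWS's full catalogue, the treatment of wildcard actions like s3:* as needing both forms is an assumption, and the sample policy (bucket name "securitybucket", Principal "*") is constructed for the example.

```python
import json

S3_ARN_PREFIX = "arn:aws:s3:::"

# Hand-picked subsets used for this example; AWS publishes the full lists.
BUCKET_LEVEL_ACTIONS = {
    "s3:GetBucketAcl", "s3:PutBucketAcl", "s3:ListBucket", "s3:ListBucketVersions",
    "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:GetBucketLocation", "s3:DeleteBucket",
}
OBJECT_LEVEL_ACTIONS = {
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:GetObjectAcl",
    "s3:PutObjectAcl", "s3:GetObjectVersion",
}
HINT = {"bucket": "a bucket ARN without /*", "object": "an object ARN ending in /*"}


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def arn_kind(arn):
    """'any' for '*', 'bucket' for arn:aws:s3:::name, 'object' for arn:aws:s3:::name/key."""
    if arn == "*":
        return "any"
    if not arn.startswith(S3_ARN_PREFIX):
        return "other"
    return "object" if "/" in arn[len(S3_ARN_PREFIX):] else "bucket"


def needed_kinds(action):
    """Resource kinds an action needs. Assumption: wildcard actions may hit either level."""
    if action in BUCKET_LEVEL_ACTIONS:
        return {"bucket"}
    if action in OBJECT_LEVEL_ACTIONS:
        return {"object"}
    if action.endswith("*"):
        return {"bucket", "object"}
    return set()  # unknown action: do not guess


def lint_bucket_policy(policy_json):
    """Return a list of 'Sid: action needs ...' messages; empty means no mismatch found."""
    problems = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        sid = stmt.get("Sid", f"Statement[{i}]")
        kinds = {arn_kind(r) for r in _as_list(stmt.get("Resource", []))}
        if "any" in kinds:
            continue  # Resource "*" covers both forms
        for action in _as_list(stmt.get("Action", [])):
            for need in sorted(needed_kinds(action)):
                if need not in kinds:
                    problems.append(f"{sid}: {action} needs {HINT[need]}")
    return problems


def complete_resources(policy_json):
    """Return the policy JSON with the missing ARN form added to each statement."""
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement", [])):
        resources = _as_list(stmt.get("Resource", []))
        kinds = {arn_kind(r) for r in resources}
        if "any" in kinds:
            continue
        # Recover the bare bucket ARN(s) from whichever form is present.
        buckets = {r.split("/", 1)[0] for r in resources if arn_kind(r) in ("bucket", "object")}
        needs = set()
        for action in _as_list(stmt.get("Action", [])):
            needs |= needed_kinds(action)
        for bucket in sorted(buckets):
            if "bucket" in needs and "bucket" not in kinds:
                resources.append(bucket)
            if "object" in needs and "object" not in kinds:
                resources.append(bucket + "/*")
        stmt["Resource"] = resources
    return json.dumps(policy, indent=2)


# Constructed sample: both statements have the resource shape that the console rejects.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::securitybucket"},
        {"Sid": "ReadAcl", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetBucketAcl", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::securitybucket/*"},
    ],
})

if __name__ == "__main__":
    for problem in lint_bucket_policy(SAMPLE_POLICY):
        print("mismatch:", problem)
    fixed = complete_resources(SAMPLE_POLICY)
    print(fixed)
    print("after completion:", lint_bucket_policy(fixed) or "no mismatches")
```

Run it against a policy you are about to apply; an empty result from lint_bucket_policy does not prove the policy is valid (it checks only the resource/action shape discussed here), but a non-empty one tells you which statement the console is likely to reject and why.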