
If you use the policy generator to deny all S3 actions, you will get a JSON policy like the one below:
{
  "Id": "Policy1601523169327",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1601523168462",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::[bucketname]",
      "Principal": "*"
    }
  ]
}
This policy does not actually block all actions; you can still put objects into the bucket via the CLI because the PutObject API requires an object as the resource (e.g. arn:aws:s3:::[bucketname]/*). Since we are referencing the bucket as a resource, and not all objects in it, we can still put objects.
Can we update the course, or get more clarification on this, as the policy generator will not create all the correct resource types for each of the denied actions?
Thanks,
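
An added example, not part of the original post: a small Python check that flags Deny statements that name a bucket ARN but no resource matching objects inside that bucket, which is the gap described above. The bucket name `example-bucket`, the Sids and the function names are constructed for illustration; NotAction, NotResource and Condition are not evaluated.

```python
import re

# A few object-level S3 actions; they are authorized against object ARNs
# (arn:aws:s3:::bucket/key), not against the bucket ARN.
OBJECT_ACTIONS = ("s3:PutObject", "s3:GetObject", "s3:DeleteObject")
S3_PREFIX = "arn:aws:s3:::"

def as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_match(pattern, value, ignore_case=False):
    """Policy-style wildcards: '*' is any run of characters, '?' is one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def uncovered_object_denies(policy, probe_key="probe-key"):
    """Return (sid, bucket_arn, actions) for Deny statements that name a bucket
    ARN but no resource matching an object inside that bucket.
    Simplification: NotAction, NotResource and Condition are not evaluated."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or "Action" not in stmt or "Resource" not in stmt:
            continue
        actions = as_list(stmt["Action"])
        resources = as_list(stmt["Resource"])
        denied = [a for a in OBJECT_ACTIONS
                  if any(wildcard_match(p, a, ignore_case=True) for p in actions)]
        for res in resources:
            if not res.startswith(S3_PREFIX) or "/" in res[len(S3_PREFIX):]:
                continue  # not a bucket-level S3 ARN
            probe = f"{res}/{probe_key}"  # stands in for any object in the bucket
            if denied and not any(wildcard_match(p, probe) for p in resources):
                findings.append((stmt.get("Sid"), res, denied))
    return findings

# Constructed sample: the post's policy with a placeholder bucket name.
BUCKET_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllBucketOnly", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]}

# Same statement with the object ARN listed next to the bucket ARN.
BUCKET_AND_OBJECTS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyAllBucketAndObjects", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}

if __name__ == "__main__":
    print(uncovered_object_denies(BUCKET_ONLY))
    print(uncovered_object_denies(BUCKET_AND_OBJECTS))
```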