In the lecture, it’s stated that if you want to set permissions on the per-file level, you have to use ACLs. This does not appear to be correct. I was able to allow public access for a single object in one of my S3 buckets by specifying it in the Resource section of the policy, e.g.:
Furthermore, bucket policies allow you to set permissions on prefixes, e.g.:
"Resource": "arn:aws:s3:::[my-s3-bucket]/test-prefix/hello.txt"I understand that ACLs are a necessary topic for the exam.That being said, I’m fairly certain that bucket and IAM policies are still best practice regardless of the scope, as they are extremely explicit. Is there something I’m missing?
I had the same question. Yes bucket policies apply to the bucket and not at an individual folder or file level, but as you mentioned, in that bucket policy, you can specify rules for specific folders or files. Where it might come into play is if your bucket is large and you have a lot of individual file-specific rules. Then there’s the 20kb limitation . But the policy being just a test file, I think there’s still some margin.
I though about one more thing: Maybe the other thing to consider is that using the AWS Management Console an going into a bucket file to make it public for example, which is a very straight forward and easy way to do it; although the interface is just showing "Permissions" and not "Access Control List" (like for the bucket ACL) in the back it is changing the file’s ACL, not changing the bucket policy.
After sitting the exam, and thinking about it some more, my feeling is that your second line of thinking is probably correct. There’s some stuff on the AWS side of things which makes use of ACLs instead of bucket policy, including the "Make Public" button and transferring files between buckets (the bucket-owner-full-access canned ACL). If you want to copy/paste this second post as an Answer, I’ll gladly mark this as answered.