Certified Security - Specialty


Which answer is correct for this IAM quiz question?

Following question from the IAM quiz:

You have created a new S3 bucket and you would like to configure read and write access to this bucket, only for users who are members of the Development, Test and QA teams. Each team has a different IAM Group defined in AWS. Which of the following is the simplest way to configure this?

a) Use a bucket policy to allow read and write access to the Development, Test and QA IAM groups

b) Configure public access on the S3 bucket

c) Create an IAM policy allowing read / write access to only this bucket and attach it to each user in the Development, Test and QA teams

d) Attach an IAM policy which gives S3FullAccess to the Development, Test and QA IAM groups

In my opinion, answer a) cannot be the correct one, because it is not possible to use an IAM group as a principal in a bucket policy – only an IAM role, an IAM user or an AWS account ID are allowed. So why is a) the right one here? I do not understand.

I would choose d) because this would be possible – even though "S3FullAccess" grants too many rights – but it would work.

b) and c) are not possible.

Thx for ideas,

Chris

2 Answers

Hi Chris,

Here is the exact wording of the answers for this question.

a) Use a bucket policy to allow read and write access to the Development, Test and QA IAM groups  
b) Configure public access on the S3 bucket  
c) Create an IAM policy allowing read / write access to only this bucket and attach it to each user in the Development, Test and QA teams  
d) Attach an IAM policy which gives S3FullAccess to the Development, Test and QA IAM groups

Explanations for why each answer is right/wrong.

a) This is the correct answer, as you can restrict the access for a bucket with Groups/Users.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::111122223333:group/Develop",
                "arn:aws:iam::111122223333:group/QA",
                "arn:aws:iam::111122223333:group/Test"]
      },
      "Action": ["s3:Get*", "s3:Put*"],
      "Resource": ["arn:aws:s3:::my_bucket",
                   "arn:aws:s3:::my_bucket/*"]
    }
  ]
}

b) This is incorrect as it would allow anyone to read the objects in the bucket.

c) This is close to being correct, but a lot of work. Having a policy attached to each individual user can become a tedious task that would need to be repeated each time you need to create a new user.

d) This one is incorrect as well because as you put it "provides too much rights."

When going through the questions for Specialty and Professional level certifications, you will be presented with more than one option that could be a valid solution. You will need to pick the most correct one based on the wording of the question.

Russell

Nice answer 🙂

Hi T.J.,

sorry, but your bucket policy cannot work – if you configure your bucket policy by referencing an IAM group as principal, you will get an "Error: Invalid principal in policy."

Please try it – and furthermore, please check the policy documentation

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

where it is clearly explained that you cannot use an "IAM group" as a principal. Please scroll down to the section

"Specifying a Principal

You specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. You cannot specify IAM groups and instance profiles as principals."

Thx for further comments,

Chris

JN

Chris is correct, you cannot add an IAM group as a principal to the bucket policy. You will get the error: "Invalid principal in policy"
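An added check illustrating the point made in this thread (example code written for this page, not from the course or any poster): it flags the group ARNs in the posted bucket policy as principals S3 will reject, and builds an assumed alternative, a bucket-scoped identity-based policy attached to the groups themselves.

```python
import re

# Principal forms accepted in the "AWS" element of a resource-based policy,
# per the IAM docs page linked in the thread: account (12-digit ID or root
# ARN), IAM user, IAM role, federated user, assumed-role user, or "*".
# IAM groups and instance profiles are not accepted; S3 refuses to save the
# policy with "Invalid principal in policy".
_VALID_PRINCIPAL = re.compile(
    r"^(\*|\d{12}"
    r"|arn:aws:iam::\d{12}:(root|user/.+|role/.+)"
    r"|arn:aws:sts::\d{12}:(federated-user|assumed-role)/.+)$"
)

def invalid_principals(policy: dict) -> list:
    """Return every "AWS" principal entry that S3 would reject."""
    bad = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):  # "Principal": "*" is valid
            continue
        aws = principal.get("AWS", [])
        for entry in [aws] if isinstance(aws, str) else aws:
            if not _VALID_PRINCIPAL.match(entry):
                bad.append(entry)
    return bad

# Constructed sample: the bucket policy posted in the answer above, which
# names IAM groups as principals.
THREAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::111122223333:group/Develop",
            "arn:aws:iam::111122223333:group/QA",
            "arn:aws:iam::111122223333:group/Test",
        ]},
        "Action": ["s3:Get*", "s3:Put*"],
        "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"],
    }],
}

def bucket_scoped_group_policy(bucket: str) -> dict:
    """Assumed alternative: an identity-based policy to attach to each IAM
    group (a valid target), granting only this bucket, not S3FullAccess."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}
```

Running `invalid_principals(THREAD_POLICY)` returns the three group ARNs, which is exactly what the console rejects.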
