Certified Security - Specialty

Sign Up Free or Log In to participate!

Why do you have S3 policies, but not for other AWS services?

I understand the advantages of being able to apply a policy directly to a bucket. But I don’t understand why this is only with S3 and not with other services. For example, why it is not possible to apply "DynamoDB policies" for example directly to DynamoDB tables?

2 Answers

Some other services do have their own policies.

Around 6 minutes into the lecture video we see the AWS Policy Generator, accessed from the S3 console, which offers to generate the following:

  • S3 bucket policy
  • SQS queue policy
  • VPC endpoint policy
  • IAM policy
  • SNS topic policy

As to why, I can only guess, but I would say that S3, SQS, VPC and SNS have their own policies because they were launched before IAM. Since IAM, there is one unified way to make policies for everything, so no need to reinvent it for each new service.

Jerry Hargrove’s History of Amazon Web Services is a table of AWS services sortable by date of announcement.

  • SQS – 2004
  • S3 – 2006
  • VPC – 2009
  • SNS – April 2010
  • IAM – September 2010


Resource-based policies are being rolled out on more services. Initially not a lot of services supported them, but today the coverage is pretty good. This page shows the support : https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?