I understand the advantages of being able to apply a policy directly to a bucket. But I don't understand why this is only with S3 and not with other services. For example, why is it not possible to apply "DynamoDB policies" directly to DynamoDB tables?
Some other services do have their own policies.
Around 6 minutes into the lecture video we see the AWS Policy Generator, accessed from the S3 console, which offers to generate the following:
- S3 bucket policy
- SQS queue policy
- VPC endpoint policy
- IAM policy
- SNS topic policy
As to why, I can only guess, but I would say that S3, SQS, VPC and SNS have their own policies because they were launched before IAM. Since IAM, there is one unified way to make policies for everything, so no need to reinvent it for each new service.
Jerry Hargrove’s History of Amazon Web Services is a table of AWS services sortable by date of announcement.
- SQS – 2004
- S3 – 2006
- VPC – 2009
- SNS – April 2010
- IAM – September 2010
Resource-based policies are being rolled out on more services. Initially not a lot of services supported them, but today the coverage is pretty good. This page shows the support: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
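To make the difference between a bucket policy and an IAM policy concrete, here is an added toy evaluator (written for this thread, not code from the course or from AWS) that models how AWS combines an identity-based policy attached to a user with a resource-based policy attached to the resource. The account IDs, user names, bucket and table ARNs and all policy documents are constructed for the example. The model deliberately ignores conditions, NotAction/NotPrincipal, SCPs, permission boundaries and session policies; it keeps only the three rules that matter for the question: an explicit Deny in either policy wins, within one account an Allow from either policy is enough, and across accounts the resource policy and the caller's identity policy must both allow. The point it demonstrates is that a resource-based policy carries a `Principal` element, which is what lets the bucket owner grant a specific user or delegate to a whole other account, while a table that has no resource-based policy can only be reached through the identity side.

```python
"""Toy model of AWS policy evaluation: identity-based vs resource-based policies.

Simplified on purpose: no Condition, NotAction, NotPrincipal, SCPs or
permission boundaries. Wildcards are only '*' inside Action/Resource strings.
All accounts, ARNs and policies below are constructed for this example.
"""
import re

CORP = "111122223333"      # constructed: the account that owns the bucket and table
PARTNER = "222233334444"   # constructed: a second account that reads the logs
ALICE = f"arn:aws:iam::{CORP}:user/alice"
BOB = f"arn:aws:iam::{PARTNER}:user/bob"
LOGS_OBJ = "arn:aws:s3:::corp-logs/2024/app.log"
ORDERS_TABLE = f"arn:aws:dynamodb:us-east-1:{CORP}:table/orders"

# Resource-based policy: attached to the bucket, so it has a Principal element.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Direct grant to one user in the same account.
        {"Effect": "Allow", "Principal": {"AWS": ALICE},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-logs/*"},
        # Delegation to another account: its own IAM policies still decide who.
        {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{PARTNER}:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-logs/*"},
        # Explicit deny applies to everyone, including the bucket owner's users.
        {"Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::corp-logs/*"},
    ],
}

# Identity-based policies: attached to a user, so there is no Principal element.
BOB_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-logs/*"}]}
ALICE_DDB_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": ORDERS_TABLE}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _glob(pattern, value):
    """Match an IAM-style pattern where '*' matches any run of characters."""
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def _account_of(arn):
    return arn.split(":")[4]


def _covers(stmt, action, resource):
    return (any(_glob(a, action) for a in _as_list(stmt.get("Action", [])))
            and any(_glob(r, resource) for r in _as_list(stmt.get("Resource", []))))


def _principal_grant(stmt, principal_arn):
    """'direct' if the statement names the caller or '*', 'delegated' if it
    names the caller's account root, None if the statement does not apply."""
    p = stmt.get("Principal")
    if p == "*":
        return "direct"
    if not isinstance(p, dict):
        return None
    aws = _as_list(p.get("AWS", []))
    if "*" in aws or principal_arn in aws:
        return "direct"
    acct = _account_of(principal_arn)
    if acct in aws or f"arn:aws:iam::{acct}:root" in aws:
        return "delegated"
    return None


def evaluate(principal_arn, action, resource_arn, resource_owner,
             identity_policy=None, resource_policy=None):
    """Return 'Allow' or 'Deny' for one request under the simplified rules."""
    denied = identity_allow = False
    resource_allow = {"direct": False, "delegated": False}
    for stmt in (identity_policy or {}).get("Statement", []):
        if _covers(stmt, action, resource_arn):
            if stmt["Effect"] == "Deny":
                denied = True
            else:
                identity_allow = True
    for stmt in (resource_policy or {}).get("Statement", []):
        grant = _principal_grant(stmt, principal_arn)
        if grant and _covers(stmt, action, resource_arn):
            if stmt["Effect"] == "Deny":
                denied = True
            else:
                resource_allow[grant] = True
    if denied:
        return "Deny"                       # explicit deny always wins
    if _account_of(principal_arn) == resource_owner:
        # Same account: either policy can grant, but a grant to the account
        # root only delegates back to IAM, it does not grant by itself.
        return "Allow" if identity_allow or resource_allow["direct"] else "Deny"
    # Cross-account: the resource owner and the caller's account must both allow.
    return "Allow" if identity_allow and any(resource_allow.values()) else "Deny"


if __name__ == "__main__":
    print(evaluate(ALICE, "s3:GetObject", LOGS_OBJ, CORP, None, BUCKET_POLICY))
    print(evaluate(BOB, "s3:GetObject", LOGS_OBJ, CORP, None, BUCKET_POLICY))
    print(evaluate(BOB, "s3:GetObject", LOGS_OBJ, CORP, BOB_POLICY, BUCKET_POLICY))
    print(evaluate(ALICE, "dynamodb:GetItem", ORDERS_TABLE, CORP, ALICE_DDB_POLICY))
```

Reading the cases in order: Alice reads the logs with no identity policy at all, because the bucket policy names her directly; Bob in the partner account is refused until his own account attaches an identity policy, even though the bucket policy delegates to his account root; and the orders table, which in this model has no resource-based policy, is only reachable through Alice's identity policy, which is exactly the situation the question describes for DynamoDB.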