Certified Security - Specialty


Why does bucket policy not apply to public object but does apply when requiring secure transport?

In section S3 ACL access policy, about 9 mins into it, even though there is explicit deny all, the public object can be accessed using the https url. The explanation was that because it does not go through the authentication mechanism. But in section Forcing Encryption using S3, a bucket policy was used to force the access only through https. Why does the bucket policy apply in one case but not another?

1 Answer

In the S3 ACL lesson the deny all is not a bucket policy, it is an IAM policy. As such it cannot affect non-IAM users. The bucket policy allows anyone to get the object, even unauthenticated users.

In the Forcing Encryption using S3 lesson, they use a bucket policy to again affect unauthenticated users.
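As an added illustration (not from the course or the original post), here is the kind of bucket policy the two lessons contrast: a resource policy that makes objects publicly readable but denies any request that does not use TLS. The bucket name is a placeholder. Because the Deny is attached to the bucket with `Principal: "*"`, it is evaluated for anonymous requests too, which is why it applies where an IAM identity policy's deny does not.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadObjects",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME",
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    }
  ]
}
```

With this policy in place, an anonymous GET of an object over http:// is refused with 403 while the same GET over https:// succeeds, since an explicit Deny in a resource policy overrides the Allow for every principal, authenticated or not.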
