In this question "You have created a new S3 bucket and you would like to configure read and write access to this bucket, only for users who are members of the Development, Test and QA teams. Each team has a different IAM Group defined in AWS. Which of the following is the simplest way to configure this?"
The correct answer given is :
"Use a bucket policy to allow read and write access to the Development, Test and QA IAM groups"
As far as I know you cannot indicate groups as principals in policies. I am wrong?
This does not look to me as the right answer.
1 Answers
Yes, you are right!
You cannot specify IAM groups and instance profiles as principals.
Refer to "specifying a principal" section
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
I was going to raise the same, it would be kind of good if you could specify groups as a principal as it would be time-saving, but you can’t. I suspect that groups are really only used by AWS as shortcut to avoid explicitly attaching policies to users. Although that is probably what it is doing in the background.