
re: AWS IAM Pt. 2 - A Practical Example

re: while creating the custom policy for accountant, you created 3 separate policies. Wasn't the last one (with action = read and resource name = arn of ...
 

The last policy allows the accountant to read any object on that bucket given that he has the specific URL of the object, and that he is using something like the AWS CLI with his credentials, which he actually can't since he only has console access. He can't paste the URL into the browser and download the object since he is not authenticated.

The first two permissions grant the accountant the ability to list the objects on the bucket right from the AWS console. And, since he is already authenticated with AWS, he can then download the object because the last policy allows it.
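To make the split between "list the bucket" and "read an object" concrete, here is a small policy evaluator added as an example (it is not code from the post or from AWS). It models only identity-based Allow statements with `*` wildcards, no Deny, conditions or bucket policies, which is enough to show why the three policies are each needed. The bucket name and policy documents are constructed for the example; the quoted question does not show the real resource ARN, so the assumption made here is the usual one, that `s3:ListBucket` is granted on the bucket ARN and `s3:GetObject` on the object ARNs (`bucket/*`), since `s3:GetObject` granted on the bare bucket ARN would not match any object.

```python
"""Simplified IAM policy evaluator (added example; not AWS's evaluation logic).

Models only identity-based "Allow" statements with '*' wildcards on Action and
Resource. Explicit Deny, Condition blocks, resource-based policies and
permission boundaries are deliberately left out.
"""
from fnmatch import fnmatchcase

# Hypothetical bucket for the accountant scenario (constructed example).
BUCKET = "arn:aws:s3:::acme-finance-reports"

# Policy 1: see the bucket list in the console.
LIST_ALL_BUCKETS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": "*"}]}

# Policy 2: list the objects inside this one bucket (bucket ARN, no "/*").
LIST_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET}]}

# Policy 3: read the objects themselves (object ARNs, so "bucket/*").
GET_OBJECTS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # '*' in IAM matches any sequence, including '/'; fnmatchcase does the same.
    # ('?' and '[' are also special to fnmatch, but do not occur in real ARNs.)
    return fnmatchcase(value, pattern)


def is_allowed(policies, action, resource):
    """True if any Allow statement in any attached policy covers the request."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            action_ok = any(_matches(a, action) for a in _as_list(stmt["Action"]))
            resource_ok = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
            if action_ok and resource_ok:
                return True
    return False  # implicit deny


def accountant_can(policies, key):
    """Summarise what a user with these policies can do with one object key."""
    obj = f"{BUCKET}/{key}"
    return {
        "enumerate_buckets": is_allowed(policies, "s3:ListAllMyBuckets", "*"),
        "list_objects": is_allowed(policies, "s3:ListBucket", BUCKET),
        "download_object": is_allowed(policies, "s3:GetObject", obj),
        "upload_object": is_allowed(policies, "s3:PutObject", obj),
    }


if __name__ == "__main__":
    all_three = [LIST_ALL_BUCKETS, LIST_BUCKET, GET_OBJECTS]
    print("all three policies:", accountant_can(all_three, "2023/q4.csv"))
    print("without GetObject: ", accountant_can(all_three[:2], "2023/q4.csv"))
    print("GetObject only:    ", accountant_can([GET_OBJECTS], "2023/q4.csv"))
```

Dropping the third policy leaves the accountant able to browse the bucket in the console but every download is an implicit deny; keeping only the third policy is the mirror image, a download succeeds only for a key the caller already knows, with no way to list what is there. The `"/*"` on the object resource is the detail to check when a real policy behaves unexpectedly.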
