loading...

re: AWS IAM Pt. 2 - A Practical Example VIEW POST

FULL DISCUSSION
 

while creating the custom policy for accountant, you created 3 separate policies. Wasnt the last one(with action = read and resource name = arn of the bucket) sufficient to let the accountant read the contents of the bucket?

 

The last policy allows the accountant to read any object on that bucket given that he has the specific URL of the object, and that he is using something like the AWS CLI with his credentials- which actually can't since he only has console access. He can't paste the URL on the browser and download the object since he is not authenticated.

The first two permissions grant the accountant the ability to list the objects on the bucket right from the AWS console. And, since he is already authenticated with AWS, he can then download the object because the last policy allows it.

code of conduct - report abuse