DEV Community

Discussion on: AWS IAM Pt. 2 - A Practical Example

stuffycloud95

While creating the custom policy for the accountant, you created 3 separate policies. Wasn't the last one (with action = read and resource name = ARN of the bucket) sufficient to let the accountant read the contents of the bucket?

David Ojeda

The last policy allows the accountant to read any object on that bucket, given that he has the specific URL of the object and that he is using something like the AWS CLI with his credentials, which he actually can't, since he only has console access. He can't paste the URL in the browser and download the object, since he is not authenticated.

The first two permissions grant the accountant the ability to list the objects on the bucket right from the AWS console. And, since he is already authenticated with AWS, he can then download the object because the last policy allows it.
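As an added illustration of the three-statement split discussed above (this is not code from the article or from either commenter), here is a minimal IAM-style evaluator that shows which S3 actions each statement permits on its own. The bucket name is a constructed placeholder; the evaluator handles only Allow statements with `*`/`?` wildcards (no Deny, conditions or NotAction), and it also includes the check a practitioner would want: object-level actions such as `s3:GetObject` need the object ARN pattern (`bucket/*`), not the bare bucket ARN.

```python
import re

BUCKET_ARN = "arn:aws:s3:::example-finance-bucket"  # constructed placeholder name

# The three statements the accountant needs: list all buckets (console landing
# page), list the objects of this bucket, and read the objects themselves.
ACCOUNTANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"},
    ],
}


def _as_list(value):
    """Action/Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """True if any Allow statement matches the action (case-insensitive) and resource.
    Simplified: no Deny, Condition, NotAction or NotResource handling."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        action_ok = any(iam_match(a, action, True) for a in _as_list(statement["Action"]))
        resource_ok = any(iam_match(r, resource) for r in _as_list(statement["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def with_statements(policy, indices):
    """Copy of the policy keeping only the statements at the given indices."""
    return {"Version": policy["Version"],
            "Statement": [policy["Statement"][i] for i in indices]}


if __name__ == "__main__":
    last_only = with_statements(ACCOUNTANT_POLICY, [2])
    obj = BUCKET_ARN + "/reports/2023-q1.csv"  # constructed object key
    print("last statement only, ListBucket:", is_allowed(last_only, "s3:ListBucket", BUCKET_ARN))
    print("last statement only, GetObject: ", is_allowed(last_only, "s3:GetObject", obj))
    print("all three, ListBucket:          ", is_allowed(ACCOUNTANT_POLICY, "s3:ListBucket", BUCKET_ARN))
```

Running it shows that the `s3:GetObject` statement alone permits the download but not the listing the console relies on, which is exactly the gap the first two statements close.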