1
00:00:06,394 --> 00:00:08,113
- [Instructor] Okay, so now let's walk through

2
00:00:08,113 --> 00:00:11,196
a demo of applying a resource policy.

3
00:00:13,246 --> 00:00:15,621
Again, I'm logged into the console.

4
00:00:15,621 --> 00:00:18,605
From here, this particular demo, I'm going to apply

5
00:00:18,605 --> 00:00:20,617
a Resource Policy

6
00:00:20,617 --> 00:00:22,561
to an S3 bucket.

7
00:00:22,561 --> 00:00:26,394
So, from here, I'm gonna go to the S3 service.

8
00:00:28,703 --> 00:00:30,932
And you can see, I have a number of buckets

9
00:00:30,932 --> 00:00:34,612
that I've created over time from various different projects.

10
00:00:34,612 --> 00:00:37,619
And one example, for this demo: we're going to take

11
00:00:37,619 --> 00:00:40,905
a look at my TalentedMrJones.com bucket.

12
00:00:40,905 --> 00:00:43,401
So this particular bucket is where I host

13
00:00:43,401 --> 00:00:45,984
my TalentedMrJones.com website.

14
00:00:47,081 --> 00:00:50,390
I have this bucket configured to host a static website,

15
00:00:50,390 --> 00:00:53,014
but there's one thing that I need to do in order to allow

16
00:00:53,014 --> 00:00:54,872
anonymous users the ability

17
00:00:54,872 --> 00:00:58,018
to read the things from that bucket.

18
00:00:58,018 --> 00:01:00,769
So, I'm going to click through to that bucket

19
00:01:00,769 --> 00:01:04,868
and I'm going to click on the properties of it.

20
00:01:04,868 --> 00:01:08,153
So, I'm looking at the properties of the bucket itself.

21
00:01:08,153 --> 00:01:09,175
You can see I have a number

22
00:01:09,175 --> 00:01:12,321
of different objects within the bucket.

23
00:01:12,321 --> 00:01:15,328
And in order for anonymous users to be able to read this,

24
00:01:15,328 --> 00:01:19,903
I need to go to Permissions and Add A Bucket Policy.

25
00:01:19,903 --> 00:01:23,641
So, from here, I'm going to Add A Bucket Policy.
26
00:01:23,641 --> 00:01:26,010
Now, I could copy and paste in here,

27
00:01:26,010 --> 00:01:28,390
if I already had it available, which I don't.

28
00:01:28,390 --> 00:01:31,733
So, I'm going to click the Policy Generator,

29
00:01:31,733 --> 00:01:34,438
and from here you can see that there are

30
00:01:34,438 --> 00:01:37,594
a number of services that allow us to create,

31
00:01:37,594 --> 00:01:38,879
and these aren't all of them.

32
00:01:38,879 --> 00:01:41,096
There are other services that allow us

33
00:01:41,096 --> 00:01:43,918
to create resource-based policies.

34
00:01:43,918 --> 00:01:47,335
I'm going to choose the S3 Bucket Policy.

35
00:01:48,341 --> 00:01:49,932
I'm going to Allow.

36
00:01:49,932 --> 00:01:52,207
I'm going to put * for anyone.

37
00:01:52,207 --> 00:01:54,634
That means, essentially, anonymous users.

38
00:01:54,634 --> 00:01:56,551
Everyone is allowed to:

39
00:01:58,047 --> 00:02:02,122
I'm going to choose a very specific action here

40
00:02:02,122 --> 00:02:04,363
called GetObject.

41
00:02:04,363 --> 00:02:08,333
Just that one action will allow them to download an object

42
00:02:08,333 --> 00:02:10,179
if you already know about it.

43
00:02:10,179 --> 00:02:12,873
If you don't, if you want to list the contents of the bucket,

44
00:02:12,873 --> 00:02:15,311
that's a completely different permission.

45
00:02:15,311 --> 00:02:17,331
In this case, we don't need them to do that.

46
00:02:17,331 --> 00:02:22,312
All we need is to allow them to download particular objects.

47
00:02:22,312 --> 00:02:24,436
So, I'm gonna choose that one.

48
00:02:24,436 --> 00:02:29,208
I'm going to say that they're allowed to do this

49
00:02:29,208 --> 00:02:33,132
on this particular bucket, not any bucket, but this one.
50
00:02:33,132 --> 00:02:35,600
So, I'm going to say ARN:

51
00:02:35,600 --> 00:02:36,935
AWS

52
00:02:36,935 --> 00:02:37,768
:

53
00:02:37,768 --> 00:02:38,955
S3

54
00:02:38,955 --> 00:02:42,125
I don't need the regions and account numbers

55
00:02:42,125 --> 00:02:43,448
and things like that.

56
00:02:43,448 --> 00:02:44,781
I'm going to say

57
00:02:45,840 --> 00:02:47,280
:::

58
00:02:47,280 --> 00:02:49,113
the name of the bucket

59
00:02:50,705 --> 00:02:52,288
talentedmrjones.com

60
00:02:53,352 --> 00:02:57,752
and then, it's very important here at the end that we ...

61
00:02:57,752 --> 00:02:59,900
We're not talking about the bucket itself,

62
00:02:59,900 --> 00:03:01,769
but objects in the bucket.

63
00:03:01,769 --> 00:03:06,148
So /* in this case will allow the user

64
00:03:06,148 --> 00:03:08,691
to download objects within the bucket.

65
00:03:08,691 --> 00:03:11,608
So I'm going to add that statement.

66
00:03:12,963 --> 00:03:14,101
You can see here:

67
00:03:14,101 --> 00:03:17,434
We're allowing everyone, anonymous users,

68
00:03:18,339 --> 00:03:21,764
the ability to download objects from S3

69
00:03:21,764 --> 00:03:25,734
from anywhere within this particular bucket.

70
00:03:25,734 --> 00:03:28,927
So I'm gonna go ahead and generate that policy.

71
00:03:28,927 --> 00:03:29,927
I'm going to

72
00:03:31,568 --> 00:03:32,943
highlight,

73
00:03:32,943 --> 00:03:34,220
copy,

74
00:03:34,220 --> 00:03:36,053
come back over here to

75
00:03:37,527 --> 00:03:38,711
the S3 console.

76
00:03:38,711 --> 00:03:43,645
I'm gonna paste that here and I'm going to click Save.

77
00:03:43,645 --> 00:03:46,211
And you can see the little green check that came up there.

78
00:03:46,211 --> 00:03:48,719
The fact that we got that green check and this went away

79
00:03:48,719 --> 00:03:50,832
means that the policy is valid.
80
00:03:50,832 --> 00:03:53,839
And now you can see that this has changed from

81
00:03:53,839 --> 00:03:57,055
Add A Bucket Policy to Edit Bucket Policy.

82
00:03:57,055 --> 00:04:00,610
And that is how we create and apply

83
00:04:00,610 --> 00:04:02,565
a resource-based policy.

84
00:04:02,565 --> 00:04:05,538
Again, we've done this on an S3 bucket,

85
00:04:05,538 --> 00:04:08,185
but we could very well have done this on

86
00:04:08,185 --> 00:04:11,807
a Simple Queue Service queue, a DynamoDB table,

87
00:04:11,807 --> 00:04:14,557
or various other Amazon services.
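The policy the demo builds in the Policy Generator (Allow, Principal `*`, the single action `s3:GetObject`, and the object-level resource `arn:aws:s3:::talentedmrjones.com/*`), as an added example that is not part of the transcript: the script renders that policy as JSON and also reviews a bucket policy for the two mistakes the instructor warns against, granting anonymous users more than `GetObject` (such as listing the bucket) or pointing the resource at the bucket ARN instead of `bucket/*`. The `Sid` value and the `review_public_statements` helper are assumptions of this example, not output of the AWS generator.

```python
import json

BUCKET = "talentedmrjones.com"  # bucket name used in the demo


def public_read_policy(bucket: str) -> dict:
    """The resource-based policy from the demo: anyone may download objects, nothing more."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublicReadGetObject",      # assumed Sid; the generator picks its own
            "Effect": "Allow",
            "Principal": "*",                  # '*' = everyone, i.e. anonymous users
            "Action": "s3:GetObject",          # download only; listing is a different permission
            "Resource": f"arn:aws:s3:::{bucket}/*",  # objects in the bucket, not the bucket itself
        }],
    }


def render_policy(policy: dict) -> str:
    """JSON text in the form that is pasted into the S3 console's bucket policy editor."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def review_public_statements(policy: dict, bucket: str) -> list:
    """Findings for Allow statements with an anonymous principal that go beyond the demo's intent."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        principal = st.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") != "Allow" or not anonymous:
            continue
        for action in _as_list(st.get("Action", [])):
            if action.lower() != "s3:getobject":        # catches ListBucket, s3:* , s3:Get*, ...
                findings.append(f"statement {i}: anonymous principal granted {action}")
        for res in _as_list(st.get("Resource", [])):
            if res == f"arn:aws:s3:::{bucket}":
                findings.append(f"statement {i}: resource is the bucket ARN, not {bucket}/*")
            elif not res.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"statement {i}: resource {res} is outside {bucket}")
    return findings


def listing_variant(bucket: str) -> dict:
    """Constructed 'too broad' policy: adds ListBucket and the bucket-level ARN to the demo policy."""
    policy = public_read_policy(bucket)
    policy["Statement"][0]["Action"] = ["s3:GetObject", "s3:ListBucket"]
    policy["Statement"][0]["Resource"] = [f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"]
    return policy
```

Running `review_public_statements` over the policy you are about to paste is a cheap check that a public website bucket exposes object downloads only.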