[00:00:06] Now let's review bucket security with resource policies. We've talked about this before, resource-based policies. They are essentially the same as policies that we would apply to our IAM users and groups, but they are applied at the resource level. In this particular example, what we're gonna look at is the policy that's applied to the Amazon Simple Storage Service bucket. We could also apply resource-based policies to other services like Simple Queue Service, DynamoDB and others. One of the key differences that sets resource policies apart, aside from being applied at the resource level, is that we will specify what we call a principal. And that is who is allowed to perform these particular actions, or who is being denied these particular actions. But we could allow another account. So we could leverage that to give cross-account resource sharing. We could point the principal to a particular IAM user or group or role; we could give permissions to another Amazon service. Or, as we're going to see in this following example, we could give permissions to anonymous users: anyone outside of Amazon, anyone in the world. So now let's take a look at an example.
[00:01:28] Here's an example policy that we would apply directly to an S3 bucket. So one of the first things that we need is the version. It's not semantic versioning, it's a date-based versioning, and we can find this particular value in the Amazon documentation. So here, again, we need to specify whether we are allowing or denying. In this case we're going to allow anyone, that is anyone in the world, regardless of whether they have an Amazon account or not, to essentially download, using the S3 GetObject action, any object in this particular bucket. You'll notice that the slash star means any object in the bucket, and we could have other types of permissions that would apply to the bucket itself. And so here's another example of a policy we might apply to a bucket that would grant cross-account access. So, what we're doing here, if you'll notice, instead of specifying a star or a wildcard for the principal, which in the previous example granted access to anyone and everyone, all over the world, regardless of whether or not you had an account.
[00:02:44] This one here was saying the principal is going to be some member of AWS. In this case, we're pointed to an Amazon Resource Name that includes the account number of some other account that we want to share access to this bucket with. And notice here, so that's gonna be the account number. And then root is essentially, we're saying that that entire account, or the root user of that account, is allowed these kinds of permissions. And from there, that root user can then delegate these permissions to other members of that organization, to other IAM users. Now this could be an account that we own, another one of our accounts, like development versus production environment accounts. It could be a customer's account or a vendor's account, some third party. It doesn't really matter; the point is that specifying the principal as an IAM ARN using the account number and root is how we share a bucket across accounts. In this example, we are going to give that other account the ability to list the objects within the bucket. And so here that particular action would actually apply to this resource, the bucket resource.
[00:04:03] And then the PutObject and GetObject actions would apply really to the objects within the bucket. So you'll see here that this is an important distinction between these two resources in the case of S3, being able to separate the bucket from objects in the bucket. And it's just a very minor difference in syntax, the slash star there on the last one. So that is resource-based policies being applied to an S3 bucket in Amazon Web Services.
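The two policy shapes described in the narration (an anonymous `"*"` principal granting GetObject on `bucket/*`, and a cross-account `arn:aws:iam::ACCOUNT:root` principal with ListBucket on the bucket ARN and Get/PutObject on `bucket/*`) are worth checking mechanically before they reach a bucket. The following is an added example, not code from the course or from AWS: a small Python linter that flags Allow statements open to anonymous principals, reports which accounts are granted access, and catches the bucket-ARN versus `bucket/*` scoping mistake the narration calls out. The bucket name `example-bucket` and the account id `111122223333` are constructed placeholders.

```python
import json

# Bucket-level vs object-level S3 actions: ListBucket must target the bucket ARN,
# while Get/Put/DeleteObject must target the bucket/* (object) ARN.
BUCKET_ACTIONS = {"s3:ListBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def principals(stmt):
    """Flatten Principal ("*", {"AWS": "..."} or {"AWS": [...]}) into a list of strings."""
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else [s for v in p.values() for s in _as_list(v)]

def lint_bucket_policy(policy_json):
    """Return (severity, message) findings for every Allow statement in a bucket policy."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        prins, actions = principals(stmt), _as_list(stmt.get("Action", []))
        if "*" in prins:  # anyone in the world, account or not
            findings.append(("HIGH", f"stmt {i}: anonymous principal '*' allowed {actions}"))
        for p in prins:
            if p.startswith("arn:aws:iam::"):  # account id sits in the 5th colon field
                findings.append(("INFO", f"stmt {i}: grant to account {p.split(':')[4]} via {p}"))
        for r in _as_list(stmt.get("Resource", [])):
            if r == "*":
                continue  # a bare wildcard covers both bucket and objects; nothing to scope-check
            is_object_arn = "/" in r.split(":::", 1)[-1]
            for a in actions:
                if a in BUCKET_ACTIONS and is_object_arn:
                    findings.append(("WARN", f"stmt {i}: {a} targets object ARN {r}; needs the bucket ARN"))
                elif a in OBJECT_ACTIONS and not is_object_arn:
                    findings.append(("WARN", f"stmt {i}: {a} targets bucket ARN {r}; needs bucket/*"))
    return findings

def is_public(policy_json):
    return any(sev == "HIGH" for sev, _ in lint_bucket_policy(policy_json))

# Constructed sample mirroring the narration's anonymous-read policy.
PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed sample mirroring the cross-account policy; 111122223333 is a placeholder account id.
CROSS_ACCOUNT = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]})
```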