AWS - SOA-C02

🔐 AWS SysOps SOA-C02 Exam Prep: S3 Access Control (ACLs, Bucket Policies, IAM Policies)

📌 Why Access Control Matters in Amazon S3

Amazon S3 stores sensitive data, so controlling who can access what is critical. AWS offers three main access control mechanisms you need to know for the SysOps exam (plus Block Public Access, a guardrail that overrides all three and is covered further down):

  1. Bucket Policies
  2. IAM Policies
  3. Access Control Lists (ACLs)

Each method serves different purposes, with different levels of granularity and scope.

📖 1️⃣ Bucket Policies

Bucket Policies are JSON documents attached to an S3 bucket that define which actions are allowed or denied for which principals: IAM users and roles, whole AWS accounts, AWS service principals, or anonymous requests via "*".

  • Attached at the bucket level, but the Resource element can scope a statement to the bucket ARN, a key prefix, or a single object key
  • Resource-based: the policy names its Principal, so it can grant to identities outside the bucket's own account
  • Often used for public access, cross-account access, or letting an AWS service (for example CloudFront or log delivery) read or write the bucket

Example: Allow public read access to every object in a bucket (the Principal "*" grant only takes effect while Block Public Access is disabled for the bucket)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Pros:

  • Centralized, easy to manage
  • Can grant cross-account access
  • Resource-based (attached to the bucket)

Common exam use case:
✅ Make a bucket public
✅ Grant another AWS account access to a bucket

📖 2️⃣ IAM Policies

IAM Policies are attached to IAM users, groups, or roles. They define what actions that principal can perform on which AWS resources.

  • Applied at the identity level; the policy has no Principal element because the identity it is attached to is the principal
  • Cannot make a bucket public: an identity policy only grants to authenticated principals in your own account, never to anonymous requests
  • On its own it cannot grant access to a bucket in another account; the bucket owner must also allow you in a bucket policy (or ACL)

Example: Grant full access to a bucket for a specific IAM role. Note the two ARNs: bucket-level actions such as s3:ListBucket match the bucket ARN, while object actions such as s3:GetObject match my-bucket/*, so a policy that lists only one of them silently fails for the other. s3:* is convenient for the exam but far wider than most workloads need; in production list the specific actions.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}

Pros:

  • Managed centrally in IAM
  • Can be attached to roles, users, and groups
  • Great for internal access control within your account

Common exam use case:
✅ Allow an EC2 instance (using an IAM role) to upload files to S3. The role needs this permissions policy plus a trust policy that lets ec2.amazonaws.com assume it, and it is attached to the instance through an instance profile.
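The two policy documents in this post illustrate the mechanisms, but the second one grants s3:* and the first one is public by design. As an added illustration that is not part of the original post (and not an AWS tool; IAM Access Analyzer does a far more thorough job), the Python below runs a few static checks over both documents and over a constructed least-privilege rewrite of the role policy. The statement IDs, the uploads/ prefix and the check wording are assumptions.

```python
"""Static review of S3 policy documents for the over-broad grants behind most exposures.
Added illustration, not an AWS tool."""

OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def audit_policy(policy: dict, *, resource_based: bool) -> list:
    """Return a list of findings. resource_based=True for bucket policies (which carry a
    Principal element), False for identity policies attached to IAM users, groups or roles."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"Statement[{i}]")
        if stmt.get("Effect") != "Allow":
            continue                                   # explicit denies only ever narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal")
        if resource_based and principal in ("*", {"AWS": "*"}) and "Condition" not in stmt:
            findings.append(f"{sid}: Principal '*' with no Condition grants anonymous (public) access")
        if not resource_based and principal is not None:
            findings.append(f"{sid}: identity policies must not contain a Principal element")
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"{sid}: wildcard action {a!r}; list only the operations the workload needs")
        for r in resources:
            if r == "*":
                findings.append(f"{sid}: Resource '*' covers every bucket in the account")
        # Bucket-level and object-level actions match different ARNs; a mismatch silently denies.
        object_res = [r for r in resources if "/" in r.split(":::")[-1]]
        bucket_res = [r for r in resources if "/" not in r.split(":::")[-1]]
        if set(actions) & OBJECT_ACTIONS and not object_res:
            findings.append(f"{sid}: object actions need an object ARN such as arn:aws:s3:::bucket/*")
        if "s3:ListBucket" in actions and not bucket_res:
            findings.append(f"{sid}: s3:ListBucket needs the bucket ARN, not bucket/*")
    return findings

# Constructed samples: the two policy documents from this post, plus a least-privilege rewrite
# of the role policy (assumed uploads/ prefix) that scopes both the listing and the object actions.
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}
FULL_ACCESS_ROLE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]}
LEAST_PRIVILEGE_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ListOnlyUploads", "Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::my-bucket",
     "Condition": {"StringLike": {"s3:prefix": "uploads/*"}}},
    {"Sid": "ReadWriteUploads", "Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::my-bucket/uploads/*"}]}

if __name__ == "__main__":
    for name, pol, rb in [("public-read bucket policy", PUBLIC_READ, True),
                          ("s3:* role policy", FULL_ACCESS_ROLE, False),
                          ("least-privilege role policy", LEAST_PRIVILEGE_ROLE, False)]:
        print(name, "->", audit_policy(pol, resource_based=rb) or ["no findings"])
```

The ARN split check is the one worth remembering for the exam: s3:ListBucket is evaluated against arn:aws:s3:::my-bucket, every object operation against arn:aws:s3:::my-bucket/*, and a policy that names only one of them produces AccessDenied for the other with no hint as to why.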

📖 3️⃣ Access Control Lists (ACLs)

S3 ACLs are the legacy access control method. Since April 2023 new buckets default to the Object Ownership setting "Bucket owner enforced", which disables ACLs entirely; a bucket must be switched to "Bucket owner preferred" or "Object writer" before any ACL is honoured.

  • Applied to individual objects and buckets
  • Grant permissions to specific AWS accounts (by canonical user ID), to the predefined groups (AllUsers, AuthenticatedUsers, LogDelivery), or to the public
  • Limited to READ, WRITE, READ_ACP, WRITE_ACP, and FULL_CONTROL; there is no deny and no condition

Example: Grant public read access to a specific object (the call fails with AccessControlListNotSupported when the bucket has ACLs disabled, and a public ACL is rejected or ignored while Block Public Access is on)

aws s3api put-object-acl --bucket my-bucket --key myfile.txt --acl public-read

Pros:

  • Simple, good for per-object control
  • Useful for legacy apps that set ACLs on upload

Cons:

  • Limited flexibility: no deny, no conditions, no per-user grants (only accounts and groups)
  • AWS recommends policies over ACLs and disables ACLs by default on new buckets

Common exam use case:
✅ Temporarily grant public read access to a specific object
✅ Share a file with another AWS account

📊 Comparison: Bucket Policies vs IAM Policies vs ACLs

Feature              | Bucket Policy                                | IAM Policy                                                            | ACL
Applied to           | Buckets                                      | IAM users, groups, roles                                              | Buckets & objects
Controls             | Who can access the bucket & what actions     | What actions IAM users/roles/groups can perform                       | Who can access objects/buckets
Public access        | ✅ Yes (if Block Public Access allows it)     | ❌ No                                                                  | ✅ Yes (if ACLs are enabled and Block Public Access allows it)
Cross-account access | ✅ Yes                                        | ❌ Not alone; the bucket owner must also grant via bucket policy or ACL | ✅ Yes (grantee by canonical user ID)
Granularity          | Bucket, prefix or object (via Resource ARN)  | Bucket, prefix or object (via Resource ARN)                           | One bucket or one object
Best practice        | ✅ Recommended                                | ✅ Recommended                                                         | ❌ Legacy, limited use

✅ Common SOA-C02 Exam Scenarios

📝 Scenario 1:
Make a bucket public
→ Use a Bucket Policy with Principal "*", and turn off the Block Public Access settings that would otherwise override it

📝 Scenario 2:
Allow an EC2 instance to upload to an S3 bucket
→ Use an IAM Role with an IAM Policy, attached to the instance via an instance profile (within the same account no bucket policy is needed)

📝 Scenario 3:
Allow a different AWS account to write to a bucket
→ Use a Bucket Policy with cross-account permissions; the other account must also grant its own principals the S3 actions in an IAM policy

📝 Scenario 4:
Temporarily grant public read access to a specific file
→ Use an Object ACL (only if the bucket has ACLs enabled; otherwise use a bucket policy statement scoped to that object key, or a presigned URL)

📘 S3 Block Public Access (Important!)

Even if Bucket Policies or ACLs allow public access, Block Public Access settings override them to prevent accidental exposure. There are four switches: BlockPublicAcls and IgnorePublicAcls (reject new public ACLs / ignore existing ones), and BlockPublicPolicy and RestrictPublicBuckets (reject new public bucket policies / ignore public and cross-account access through an existing public policy).

  • Can be set at account or bucket level; the most restrictive combination of the two applies
  • All four are on by default for new buckets (since April 2023); leave them on and only selectively disable them on a bucket that genuinely must be public

Exam Tip:
✅ If public access isn't working, check Block Public Access at both the bucket and the account level (and, for ACL-based access, whether the bucket's Object Ownership setting has ACLs disabled)
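The comparison table, the exam scenarios and the Block Public Access notes above describe how the mechanisms interact but not the order in which a request is decided. The Python below is an added, deliberately simplified model of that decision (not AWS's evaluation engine: it ignores Condition elements, SCPs, permission boundaries, session policies and access points) that you can run offline against the scenarios in this post. Account IDs, ARNs, the bucket name and the key prefixes are constructed.

```python
"""Simplified model of how S3 combines identity policies, bucket policies, object ACLs and
Block Public Access into one allow/deny decision. Added illustration, not AWS's engine."""
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

OWNER, OTHER = "111111111111", "222222222222"   # constructed sample account IDs

@dataclass
class Request:
    action: str
    resource: str                          # bucket or object ARN being accessed
    principal_arn: Optional[str] = None    # None = anonymous request (no credentials)

@dataclass
class Bucket:
    name: str
    owner: str                             # account ID that owns the bucket
    policy: Optional[dict] = None
    block_public_access: bool = True       # AWS default for new buckets
    acls_enabled: bool = False             # "Bucket owner enforced" (the default) disables ACLs
    object_acls: dict = field(default_factory=dict)   # object key -> canned ACL name

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _account(arn: Optional[str]) -> Optional[str]:
    return arn.split(":")[4] if arn else None   # arn:aws:iam::<account>:user/x

def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match ('*' and '?') for Action and Resource elements."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _principal_matches(principal, req: Request):
    """Return (matches, is_public) for a bucket-policy Principal element."""
    if principal == "*" or principal == {"AWS": "*"}:
        return True, True
    if req.principal_arn is None or not isinstance(principal, dict):
        return False, False
    for entry in _as_list(principal.get("AWS", [])):
        if entry.endswith(":root"):            # whole-account grant: any principal of that account
            if _account(entry) == _account(req.principal_arn):
                return True, False
        elif entry == req.principal_arn:       # grant to one specific user or role ARN
            return True, False
    return False, False

def evaluate(req: Request, bucket: Bucket, identity_policy: Optional[dict] = None) -> str:
    """Explicit Deny wins; same-account callers need an Allow in either policy; cross-account
    callers need an Allow on both sides; public grants count only while Block Public Access is off."""
    identity_allow = bucket_allow = public_allow = False
    if req.principal_arn and identity_policy:          # 1. caller's identity policy (never anonymous)
        for s in identity_policy["Statement"]:
            if _matches(s["Action"], req.action) and _matches(s["Resource"], req.resource):
                if s["Effect"] == "Deny":
                    return "DENY: explicit deny in identity policy"
                identity_allow = True
    if bucket.policy:                                   # 2. resource-based bucket policy
        for s in bucket.policy["Statement"]:
            matched, public = _principal_matches(s["Principal"], req)
            if matched and _matches(s["Action"], req.action) and _matches(s["Resource"], req.resource):
                if s["Effect"] == "Deny":
                    return "DENY: explicit deny in bucket policy"
                public_allow |= public
                bucket_allow |= not public
    if bucket.acls_enabled and req.action == "s3:GetObject":   # 3. object ACL, only if ACLs are on
        key = req.resource.removeprefix(f"arn:aws:s3:::{bucket.name}/")
        public_allow |= bucket.object_acls.get(key) == "public-read"
    note = ""
    if public_allow and bucket.block_public_access:     # 4. Block Public Access overrides public grants
        public_allow, note = False, " (public grant ignored by Block Public Access)"
    if public_allow:
        return "ALLOW: public grant"
    if _account(req.principal_arn) == bucket.owner:     # same account: either policy is enough
        return ("ALLOW: same-account grant" if identity_allow or bucket_allow else "DENY: no matching allow") + note
    if identity_allow and bucket_allow:                 # cross-account: caller's IAM allow AND owner's bucket policy
        return "ALLOW: cross-account grant from identity policy and bucket policy"
    if req.principal_arn is None:
        return "DENY: anonymous request without a public grant" + note
    return "DENY: cross-account access needs an identity policy and a bucket policy" + note

# Constructed samples modelled on the policies and scenarios in this post.
PUBLIC_READ = {"Statement": [{"Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}
EC2_UPLOAD_ROLE = {"Statement": [{"Effect": "Allow",                 # identity policy on the instance role
                   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/uploads/*"}]}
CROSS_ACCOUNT_WRITE = {"Statement": [{"Effect": "Allow",             # bucket policy granting account OTHER
                       "Principal": {"AWS": f"arn:aws:iam::{OTHER}:root"},
                       "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/incoming/*"}]}
ROLE = f"arn:aws:iam::{OWNER}:role/ec2-uploader"
PARTNER = f"arn:aws:iam::{OTHER}:user/partner"
OBJ = "arn:aws:s3:::my-bucket/uploads/report.txt"

if __name__ == "__main__":
    print("public read, BPA on :", evaluate(Request("s3:GetObject", OBJ), Bucket("my-bucket", OWNER, PUBLIC_READ)))
    print("public read, BPA off:", evaluate(Request("s3:GetObject", OBJ), Bucket("my-bucket", OWNER, PUBLIC_READ, block_public_access=False)))
    print("ec2 role upload     :", evaluate(Request("s3:PutObject", OBJ, ROLE), Bucket("my-bucket", OWNER), EC2_UPLOAD_ROLE))
    print("partner, policy only:", evaluate(Request("s3:PutObject", "arn:aws:s3:::my-bucket/incoming/a", PARTNER), Bucket("my-bucket", OWNER, CROSS_ACCOUNT_WRITE)))
```

The model encodes the three rules that drive the exam questions: an identity policy never applies to an anonymous request, a cross-account caller is denied until both the caller's IAM policy and the owner's bucket policy allow the action, and a public grant (whether from Principal "*" or a public-read ACL) does nothing while Block Public Access is on. When debugging a real bucket, walk the same order: look for an explicit Deny first, then the identity side, then the resource side, then the guardrails.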

✅ Summary

Feature             | Description
Bucket Policy       | Resource-based access control attached to the bucket; can grant to other accounts, AWS services, or the public
IAM Policy          | Identity-based access control for IAM users, groups, and roles in your own account
ACL                 | Legacy object/bucket-level grants; disabled by default on new buckets
Block Public Access | Account- or bucket-level guardrail that overrides public grants in policies and ACLs

Best Practice:
✅ Use IAM Policies + Bucket Policies for access management, scoped to the actions and prefixes each workload needs
❌ Avoid ACLs where possible (keep Object Ownership at "Bucket owner enforced")
✅ Always configure Block Public Access appropriately
