Why Access Control Matters in Amazon S3
Amazon S3 stores sensitive data, so controlling who can access what is critical. AWS offers three main access control mechanisms you need to know for the SysOps exam:
- Bucket Policies
- IAM Policies
- Access Control Lists (ACLs)
Each method serves different purposes, with different levels of granularity and scope.
Bucket Policies
Bucket Policies are JSON documents attached to an S3 bucket that define what actions are allowed or denied for which users, services, or accounts.
- Applied at the bucket level
- Supports resource-based permissions
- Often used for public access, cross-account access, or service-specific permissions
Example: Allow public read access to every object in a bucket

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```
Pros:
- Centralized, easy to manage
- Can grant cross-account access
- Resource-based (attached to the bucket)
Common exam use cases:
- Make a bucket public
- Grant another AWS account access to a bucket
IAM Policies
IAM Policies are attached to IAM users, groups, or roles. They define what actions a principal (user, group, or role) can perform on which AWS resources.
- Applied at the identity level
- Cannot make a bucket public: an IAM policy only grants permissions to the authenticated IAM principals (users, groups, roles) in your account that it is attached to
Example: Grant full access to a bucket for a specific IAM role (attached to the role, so no Principal element is needed)

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
```
Pros:
- Managed centrally in IAM
- Can be attached to roles, users, and groups
- Great for internal access control within your account
Common exam use case: Allow an EC2 instance (using an IAM role) to upload files to S3
Access Control Lists (ACLs)
S3 ACLs are the legacy access control method.
- Applied to individual objects and buckets
- Defines permissions for specific AWS accounts, groups, or the public
- Limited to READ, WRITE, READ_ACP, WRITE_ACP actions
Example: Grant public read access to a specific object using the public-read canned ACL

```shell
aws s3api put-object-acl --bucket my-bucket --key myfile.txt --acl public-read
```
Pros:
- Simple, good for object-level control
- Useful for legacy apps
Cons:
- Limited flexibility
- AWS recommends using policies over ACLs
Common exam use cases:
- Temporarily grant public read access to a specific object
- Share a file with another AWS account
Comparison: Bucket Policies vs IAM Policies vs ACLs
Feature | Bucket Policy | IAM Policy | ACL
---|---|---|---
Applied To | Buckets | IAM users, groups, roles | Buckets & Objects
Controls | Who can access the bucket & what actions | What actions IAM users/roles/groups can perform | Who can access objects/buckets
Public Access | Yes | No | Yes
Cross-account Access | Yes | No (same account only) | Yes
Granularity | Bucket-level | User-level | Object-level
Best Practice | Recommended | Recommended | Legacy, avoid where possible
Common SOA-C02 Exam Scenarios
- Scenario 1: Make a bucket public → Use a Bucket Policy
- Scenario 2: Allow an EC2 instance to upload to an S3 bucket → Use an IAM Role with an IAM Policy
- Scenario 3: Allow a different AWS account to write to a bucket → Use a Bucket Policy with cross-account permissions
- Scenario 4: Temporarily grant public read access to a specific file → Use an Object ACL
S3 Block Public Access (Important!)
Even if a Bucket Policy or ACL grants public access, the Block Public Access settings take precedence and block that access, which prevents accidental exposure.
- Can be set at account or bucket level
- Recommended to leave Block Public Access ON by default and only selectively disable
Exam Tip: If public access isn't working, check the Block Public Access settings
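A small policy checker, added here as an example and not part of the original post, ties the bucket policy section and the Block Public Access section together: it parses a bucket policy like the PublicRead example above, finds statements that grant an action to everyone, and combines that with the object's canned ACL and the four Block Public Access flags to say whether an anonymous read would actually succeed. The sample policy, flag values and helper names are my own constructions.

```python
import json

# Constructed sample: the page's "PublicRead" bucket policy, serialized the way
# `aws s3api get-bucket-policy` returns it (the bucket name is a placeholder).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]})

# The four Block Public Access flags, named as in the real
# PublicAccessBlockConfiguration. New buckets default to all four on.
BPA_ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
BPA_ALL_OFF = {key: False for key in BPA_ALL_ON}

def is_everyone(principal) -> bool:
    """True for the principal forms meaning 'anyone': "*" or {"AWS": "*"}."""
    aws = principal.get("AWS") if isinstance(principal, dict) else principal
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def covers_action(action, wanted: str) -> bool:
    # A statement's Action may be a string or a list; "s3:*" and "*" cover everything.
    actions = action if isinstance(action, list) else [action]
    return any(a in ("*", "s3:*", wanted) for a in actions)

def public_allow_sids(policy_json: str, action: str = "s3:GetObject") -> list:
    """Sids of Allow statements that grant `action` to everyone.
    Deny statements are skipped; statements with a Condition are still counted,
    which errs on the side of flagging (AWS treats some conditions as non-public)."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):      # a single statement may omit the list
        statements = [statements]
    return [s.get("Sid", f"stmt-{i}") for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and is_everyone(s.get("Principal"))
            and covers_action(s.get("Action"), action)]

def anonymous_read(policy_json: str, object_acl: str, bpa: dict) -> str:
    """Would an unauthenticated GetObject succeed? RestrictPublicBuckets
    neutralises a public bucket policy; IgnorePublicAcls neutralises a public ACL."""
    via_policy = bool(public_allow_sids(policy_json))
    via_acl = object_acl in ("public-read", "public-read-write")
    if via_policy and not bpa["RestrictPublicBuckets"]:
        return "public-via-policy"
    if via_acl and not bpa["IgnorePublicAcls"]:
        return "public-via-acl"
    if via_policy or via_acl:
        return "blocked-by-block-public-access"  # a grant exists but BPA wins
    return "not-public"
```

This is the check behind the exam tip: a PublicRead policy on a bucket whose Block Public Access flags are all on reports "blocked-by-block-public-access", not "public".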
Summary
Feature | Description
---|---
Bucket Policy | Resource-based access control at bucket level
IAM Policy | Identity-based access control for IAM users, groups, roles
ACL | Legacy object/bucket-level access permissions
Block Public Access | Account- or bucket-level setting that blocks public access regardless of policies and ACLs
Best Practice:
- Use IAM Policies + Bucket Policies for access management
- Avoid ACLs where possible
- Always configure Block Public Access appropriately

I'm a software engineer based in Japan, with experience in developing web and mobile applications. I'm passionate about technology, especially in DevOps, AI, and app development using platforms like AWS, Flutter, and Node.js. My goal is to build a website that shares knowledge about the Japanese language and IT, helping everyone learn and grow more easily in the digital era.