Identity-based policies, as the name suggests, are policies that are attached to IAM identities (users, groups, or roles) rather than to the resource being accessed. In the scenario for this lab there is an S3 bucket named lab016-bucket that needs to be shared between two users: Lukas and Anita. User Anita must not have access to the confidential folder.
Repeat steps 1 and 2 of lab-013, changing the name of the bucket to lab016-bucket. The bucket's ARN (Amazon Resource Name) should be: arn:aws:s3:::lab016-bucket. Create a folder called confidential and upload the following files using the console:
- file1.txt (uploaded to the confidential folder),
- file2.txt (uploaded to the confidential folder), and
- file3.txt.
To create a policy go to IAM - Policies - Create policy.
Lab016BucketAllowAccess: an identity with this policy attached has full access to the lab016-bucket S3 bucket (the bucket itself and every object in it). To create this policy you can use the AWS Policy Generator tool or just copy the Lab016BucketAllowAccess file.
Lab016BucketConfidentialFolderDenyAccess: an identity with this policy attached is explicitly denied access to the confidential folder of the lab016-bucket S3 bucket. To create this policy you can use the AWS Policy Generator tool or just copy the Lab016BucketConfidentialFolderDenyAccess file.
To create a user go to IAM - Users - Add user.
Note that only the Lab016BucketAllowAccess policy is attached to user Lukas. Also, make sure to download the credentials for each user and configure an AWS CLI named profile.
Note that both policies, Lab016BucketAllowAccess and Lab016BucketConfidentialFolderDenyAccess, are attached to user Anita. In IAM an explicit Deny always overrides an Allow, so even though the first policy grants full access to the bucket, the second one blocks Anita from everything under the confidential folder while leaving the rest of the bucket (for example file3.txt) accessible. Verify this with the CLI profiles you configured: fetching confidential/file1.txt should succeed with Lukas's profile and fail with an AccessDenied error with Anita's, while file3.txt should be readable by both.
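The following is an added worked example, not part of the original lab and not the lab's own policy files (which the page only names). The two policy documents are a reconstruction of what Lab016BucketAllowAccess and Lab016BucketConfidentialFolderDenyAccess need to contain for the scenario described, and the small evaluator below models only the identity-based part of the IAM evaluation logic (explicit Deny beats Allow, otherwise implicit deny; no resource policies, SCPs, or permission boundaries). It also shows a caveat the lab does not mention: denying only `confidential/*` objects still lets Anita list the object names under that prefix, because ListBucket acts on the bucket ARN, so the Deny policy carries a second statement with an `s3:prefix` condition.

```python
import fnmatch

# Reconstructed policy documents (assumption: the lab page does not show the JSON).
LAB016_BUCKET_ALLOW_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::lab016-bucket",
                "arn:aws:s3:::lab016-bucket/*",
            ],
        }
    ],
}

LAB016_BUCKET_CONFIDENTIAL_FOLDER_DENY_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Block every object-level action under the confidential/ prefix.
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::lab016-bucket/confidential/*",
        },
        {
            # Also block listing that prefix; ListBucket targets the bucket ARN,
            # so the object-level Deny above does not cover it.
            "Effect": "Deny",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::lab016-bucket",
            "Condition": {"StringLike": {"s3:prefix": "confidential/*"}},
        },
    ],
}

# Attachments as described in the lab: Lukas gets Allow only, Anita gets both.
USERS = {
    "Lukas": [LAB016_BUCKET_ALLOW_ACCESS],
    "Anita": [LAB016_BUCKET_ALLOW_ACCESS, LAB016_BUCKET_CONFIDENTIAL_FOLDER_DENY_ACCESS],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    if case_insensitive:
        value = value.lower()
        return any(fnmatch.fnmatchcase(value, p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Simplified condition evaluation: only StringLike is modelled here.
    A missing context key makes the condition false, as in IAM (no ...IfExists)."""
    for operator, key_patterns in condition.items():
        if operator != "StringLike":
            raise ValueError(f"unsupported condition operator in this model: {operator}")
        for key, patterns in key_patterns.items():
            if key not in context or not _matches(patterns, context[key]):
                return False
    return True


def is_allowed(user, action, resource, context=None):
    """Evaluate identity-based policies for one request.
    Returns True only if some statement allows it and no statement explicitly denies it."""
    context = context or {}
    allowed = False
    for policy in USERS.get(user, []):
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny wins over any Allow
            allowed = True
    return allowed  # implicit deny if nothing matched


if __name__ == "__main__":
    bucket = "arn:aws:s3:::lab016-bucket"
    checks = [
        ("Lukas", "s3:GetObject", f"{bucket}/confidential/file1.txt", {}),
        ("Anita", "s3:GetObject", f"{bucket}/confidential/file1.txt", {}),
        ("Anita", "s3:GetObject", f"{bucket}/file3.txt", {}),
        ("Anita", "s3:ListBucket", bucket, {"s3:prefix": "confidential/"}),
        ("Anita", "s3:ListBucket", bucket, {"s3:prefix": ""}),
    ]
    for user, action, resource, ctx in checks:
        print(f"{user:6} {action:14} {resource:50} -> {is_allowed(user, action, resource, ctx)}")
```

Run it as a script to print the decision table; it mirrors what the CLI profiles should show against the real bucket. Drop the second Deny statement and re-run to see Anita's `s3:ListBucket` with the `confidential/` prefix flip to allowed, which is the leak the condition closes.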