Back to Course

Introduction to AWS Security

0% Complete
0/0 Steps
  1. Introduction

    About the course and authors
  2. AWS cloud architecture
  3. Security concerns with our architecture
  4. Regions and Availability Zones (AZs)
  5. Shared responsibility in the cloud
  6. [Cheat Sheet] AWS Security Services
  7. [LAB] Create a billing alert to avoid surprise bills
  8. Infrastructure Security
    VPC networks
  9. Default VPCs
  10. [DEMO] Creating VPCs and Subnets
  11. How many VPCs should you use?
  12. [DEMO] Subnet, Route Table, and Gateway Configurations
  13. [LAB] [Challenge] Create a VPC with public and private subnets
  14. [LAB] Launching an EC2 instance
  15. [DEMO] Security Groups (SGs)
  16. Security Groups Best Practices
  17. [DEMO] Network Access Control Lists (NACLs)
  18. [Cheat Sheet] SGs vs. NACLs
  19. [LAB] [Challenge] Configure security groups and NACLs to specific requirements
  20. Elastic Load Balancers
  21. [DEMO] AWS WAF
  22. [LAB] [Challenge] Deploy AWS WAF ACL for Application Load Balancer
  23. [DEMO] AWS Network Firewall - Part 1
  24. [DEMO] AWS Network Firewall - Part 2
  25. AWS Shield for DDoS Protection
  26. AWS Firewall Manager
  27. Identity and Access Management (IAM)
    Key Concepts of IAM in AWS
  28. [DEMO] Getting started with IAM in AWS
  29. [DEMO] Creating our first admin user
  30. Assigning permissions with policies
  31. [Cheat Sheet] Anatomy of an AWS IAM Policy
  32. [DEMO] Using Identity Center AWS SSO
  33. IAM Roles
  34. [DEMO] Creating a role for EC2 instances to access S3 buckets
  35. End-User Management with Amazon Cognito
  36. Data Protection
    Data protection in the cloud
  37. EBS Data Protection and Encryption
  38. Amazon RDS Data Protection and Encryption
  39. Key Management with AWS KMS
  40. [Cheat Sheet] Getting Started with AWS KMS
  41. [DEMO] Creating a Symmetric Encryption KMS Key
  42. [Cheat Sheet] Encrypt and Decrypt Data with KMS and Data Keys
  43. [LAB] Encrypt and Decrypt Data with KMS and Data Keys
  44. Amazon S3 Bucket Protection
    Understanding Bucket Ownership
  45. [LAB] Creating Buckets and Uploading Objects in S3
  46. Managing Access to Buckets
  47. [Cheat Sheet] S3 Bucket Policies vs. ACLs vs. IAM Policies
  48. [LAB] [Challenge] Create an IAM role for secure access to S3 based on a scenario
  49. Using Signed URLs
  50. Encrypting S3 Data
  51. [DEMO] Enable S3 Object Versioning
  52. [Cheat Sheet] Amazon S3 Protection Summary
  53. [Cheat Sheet] Create a least privilege S3 bucket policy
  54. Logging, Monitoring, and Incident Response
    AWS Log Types and Auditing Options
  55. [DEMO] Enable S3 Server Access Logs
  56. AWS CloudTrail
  57. Amazon CloudWatch
  58. [DEMO] CloudTrail Security Automation with CloudWatch Logs and SNS
  59. [DEMO] Amazon VPC Flow Logs
  60. Proper Logging and Monitoring
  61. Amazon GuardDuty
  62. [LAB] [DEMO] Enable Threat Detection with GuardDuty
  63. [DEMO] Amazon EventBridge
  64. AWS Config
  65. AWS Systems Manager
  66. [LAB] Secure EC2 Access with SSM Session Manager and KMS
  67. [DEMO] AWS Config Automated Remediation with SSM
  68. Amazon Detective
  69. [LAB] [DEMO] Amazon Inspector
  70. [DEMO] Amazon Macie
  71. [DEMO] AWS Security Hub
  72. [DEMO] Must-have AWS monitoring and alerting with SSK
  73. Multi-Account Security
    [DEMO] AWS Organizations
  74. [DEMO] AWS SCPs and Management Policies
  75. AWS Control Tower
  76. Wrap-up and Key Takeaways
    What now?
Lesson 47 of 76
In Progress

[Cheat Sheet] S3 Bucket Policies vs. ACLs vs. IAM Policies

Christophe June 26, 2023
S3 Bucket PoliciesS3 ACLsIAM Policies
ScopeApplied to an S3 bucket to control bucket access, but can also control specific object permissionsApplied to buckets or to an individual object. Older access control method that’s no longer recommended to use if it can be avoidedApplied to IAM users, groups, and roles across the AWS account
SyntaxJSON-based policiesXML-based policies written in a specific formatJSON-based policies
FlexibilityProvide granular control with powerful conditions and fine-grained permissionsProvide basic access control but have fewer options for advanced permissionsProvide centralized access management for various AWS services, not just S3
PermissionsCan define access controls for both bucket-level and object-level operationsCan define access controls for individual objects and bucket-level operations, such as READ, WRITE, READ_ACP, WRITE_ACP, and FULL_CONTROLCan define access controls for various AWS services, including S3, at a fine-grained level
Principal-BasedIdentify the principal (role, user, group, or AWS account) and define their access permissionsIdentify the user or group and define their access permissionsDefine permissions for IAM users, groups, and roles by attaching policies to them
IAM IntegrationCan reference IAM users, groups, and roles in policies to grant additional permissions or restrict accessCan use canonical user IDs to grant permissions to an AWS account (or even email addresses but they get converted to canonical user IDs), or can use a URI to grant permissions to a predefined groupCreate and manage IAM policies separately from S3 bucket policies. IAM policies can be attached to IAM entities for S3 access control
ExamplesGrant read access to all objects in a bucket to a specific IAM roleGrant write access to a specific object to an external AWS account userGrant full access to an S3 bucket to an IAM group, while restricting delete permissions for specific IAM users

Or download it:

Amazon S3 Cheat Sheet


Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.