An IAM user is trying to perform an action on an object belonging to some other root account's bucket. Which of the options below will AWS S3 not verify?
A. The object owner has provided access to the IAM user
B. Permission provided by the parent of the IAM user on the bucket
C. Permission provided by the bucket owner to the IAM user
D. Permission provided by the parent of the IAM user
Suggested Answer: B
If the IAM user is trying to perform some action on an object belonging to another AWS account's bucket, S3 verifies whether the parent account of the IAM user has given sufficient permission to that user. It also verifies the bucket policy defined by the bucket owner as well as the permissions defined by the object owner. Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html
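The three checks the linked workflow describes (user context, bucket context, object context) can be modelled in a few lines. The following is an added example, not code from the page or from AWS: a toy evaluator over constructed policies and ACLs. The account IDs, bucket name, ARNs and object keys are made up, object ACL grantees are keyed by account ID (real S3 uses canonical user IDs), and bucket ACLs, policy conditions, SCPs and permission boundaries are omitted. The point it shows is the one the answer hinges on: the parent account's policy only establishes that the parent authorised its own user; it is never consulted as a grant "on the bucket" (option B), because only the bucket owner can grant that, and a third-party object owner must grant separately via the object ACL.

```python
"""Toy model of the S3 cross-account authorization workflow (added example, not AWS code)."""
from fnmatch import fnmatchcase

# Constructed identifiers (assumptions for this example only).
ACCOUNT_A = "111122223333"   # parent account of the IAM user making the request
ACCOUNT_B = "444455556666"   # owner of the bucket
ACCOUNT_C = "777788889999"   # third account that uploaded one object into B's bucket
USER_ARN = f"arn:aws:iam::{ACCOUNT_A}:user/alice"
BUCKET_ARN = "arn:aws:s3:::examplebucket"

# Identity policy that parent account A attaches to alice (evaluated in the user context).
USER_POLICY = [{"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]

# Bucket policies owned by B (evaluated in the bucket context).
BUCKET_POLICY_GRANTING = [{"Effect": "Allow", "Principal": {"AWS": USER_ARN},
                           "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]
BUCKET_POLICY_EMPTY = []

# Objects in the bucket: owner plus object ACL {grantee account: set of ACL permissions}.
OBJECTS = {
    "shared.txt": {"owner": ACCOUNT_B, "acl": {}},
    "third-party.txt": {"owner": ACCOUNT_C, "acl": {}},
    "third-party-shared.txt": {"owner": ACCOUNT_C, "acl": {ACCOUNT_A: {"READ"}}},
}
ACL_PERMISSION_FOR_ACTION = {"s3:GetObject": "READ"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, requester_arn, requester_account):
    """Identity policies carry no Principal; resource policies must name the requester."""
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    allowed = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
    accepted = {"*", requester_arn, requester_account, f"arn:aws:iam::{requester_account}:root"}
    return any(p in accepted for p in allowed)


def _evaluate(statements, action, resource, requester_arn, requester_account):
    """Return 'allow', 'deny' or 'implicit_deny'. An explicit Deny always wins."""
    decision = "implicit_deny"
    for stmt in statements:
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _principal_matches(stmt, requester_arn, requester_account):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def authorize_get_object(key, user_policies, bucket_policy, bucket_owner=ACCOUNT_B,
                         requester_account=ACCOUNT_A, requester_arn=USER_ARN):
    """Walk the three contexts for s3:GetObject; returns (allowed, reason)."""
    action = "s3:GetObject"
    resource = f"{BUCKET_ARN}/{key}"
    # 1. User context: policies owned by the parent account. If the parent also owns the
    #    bucket, its bucket policy belongs to this context as well.
    parent_policies = list(user_policies) + (list(bucket_policy) if bucket_owner == requester_account else [])
    if _evaluate(parent_policies, action, resource, requester_arn, requester_account) != "allow":
        return False, "user context: parent account did not grant the IAM user this action"
    # 2. Bucket context: the bucket owner must grant the requester (user or its account).
    if bucket_owner != requester_account:
        if _evaluate(bucket_policy, action, resource, requester_arn, requester_account) != "allow":
            return False, "bucket context: bucket owner did not grant the requester this action"
    # 3. Object context: a third-party object owner must grant via the object ACL.
    obj = OBJECTS[key]
    if obj["owner"] not in (bucket_owner, requester_account):
        if ACL_PERMISSION_FOR_ACTION[action] not in obj["acl"].get(requester_account, set()):
            return False, "object context: object owner did not grant the requester via the object ACL"
    return True, "allowed"


def run_scenarios():
    """Each scenario maps to one of the question's options; see the assertions in the usage note."""
    return {
        "parent_only": authorize_get_object("shared.txt", USER_POLICY, BUCKET_POLICY_EMPTY),
        "parent_and_bucket_owner": authorize_get_object("shared.txt", USER_POLICY, BUCKET_POLICY_GRANTING),
        "bucket_owner_only": authorize_get_object("shared.txt", [], BUCKET_POLICY_GRANTING),
        "third_party_object_no_acl": authorize_get_object("third-party.txt", USER_POLICY, BUCKET_POLICY_GRANTING),
        "third_party_object_with_acl": authorize_get_object("third-party-shared.txt", USER_POLICY, BUCKET_POLICY_GRANTING),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:28s} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Running it, `parent_only` is denied in the bucket context even though the parent's identity policy allows `s3:GetObject` on the bucket: the parent's grant is checked only as authorisation of its own user (option D), never as a grant on another account's bucket (option B). `bucket_owner_only` is denied in the user context (option D missing), and `third_party_object_no_acl` is denied in the object context (option A missing), which is why B is the check S3 does not perform.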
If D is the complete text, it should be the answer. S3 will evaluate the policy attached by the parent of the account the user belongs to, which is B.
B. as per AWS documentation.
User context – If the requester is an IAM principal, the principal must have permission from the parent AWS account to which it belongs. In this step, Amazon S3 evaluates a subset of policies owned by the parent account (also referred as the context authority). This subset of policies includes the user policy that the parent attaches to the principal.
Sure, I can add that information. Here is the updated answer:
Answer:
The answer is B.
Explanation:
AWS S3 will verify the following permissions when an IAM user tries to perform an action on an object belonging to some other root account's bucket:
Permission provided by the bucket owner to the IAM user.
The object owner has provided access to the IAM user.
Permission provided by the parent of the IAM user on the bucket (also referred as the context authority). This subset of policies includes the user policy that the parent attaches to the principal.
This is because the parent of an IAM user does not have any direct permissions on the bucket. The parent can only grant permissions to the IAM user, which the IAM user can then use to access the bucket.
S3 will check all of them EXCEPT B; it will NOT check that one.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-auth-workflow-bucket-operation.html
Example 4: Bucket operation requested by an IAM principal whose parent AWS account is not the bucket owner
It's D.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-auth-workflow-bucket-operation.html
Example 4: Bucket operation requested by an IAM principal whose parent AWS account is not the bucket owner
Just want to reiterate what @MIU mentioned. Obviously, the question asks which access scenario S3 will not verify the permission for. Therefore, when we dig into the document...
https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-auth-workflow-object-operation.html
We can see that answer D corresponds to its 1111-1111-1111 scenario, answer C to its 2222-2222-2222 scenario, and answer A to its 3333-3333-3333 scenario.
My opinion is that it should be D.
If you look at step 2.3 of https://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html
The cross account (B) needs to give its IAM user the permission to access the said bucket in Account A.