AWS S3 Bucket Policy for Web Identity Federation | Exam SCS-C01 Answer

Secure Access to Specific Folders in S3 Bucket

Prev Question Next Question

Question

You have an S3 bucket that stores photos.

You also configure the Web Identity Federations (Amazon, Google, and Facebook) to provide temporary credentials to users who can download the photos from the bucket.

Each web identity provider has its own directory in the bucket.

You want to make sure that federated users can only access their specific folder.

Which of the following S3 bucket policy is suitable?

Answers

A. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::BUCKET-NAME/Amazon/*", "arn:aws:s3:::BUCKET-NAME/Google/*", "arn:aws:s3:::BUCKET-NAME/Facebook/*" ] } }

B. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::BUCKET-NAME/${aws:FederatedProvider}/*" } }

C. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": "${aws:FederatedProvider}", "Action": "s3:GetObject", "Resource": [ "arn:aws:s3:::BUCKET-NAME/", "arn:aws:s3:::BUCKET-NAME/*" ] } }

D. { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::BUCKET-NAME/*", "Condition": { "StringLike": { "aws:PrincipalArn": "${aws:FederatedProvider}" } } } }

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer - B.

In this scenario, the condition key aws:FederatedProvider should be used.

The key identifies which IdP is used to authenticate the user.

For example, if the user is authenticated through Amazon, the key would contain the value www.amazon.com.

Details can be found in https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#condition-keys-wif.

Option A is incorrect: Because all three directories are listed in the Resource field.

As a result, authenticated users can access all of them.

It does not align with the requirements of the question.

Option B is CORRECT: Because the aws:FederatedProvider key is configured as a policy variable in the resource ARN.

Each folder is only available to users authenticated by the related IdP.

Option C is incorrect: Because the Resource field does not differentiate the IdP providers so authenticated users can access all three folders.

Option D is incorrect: Because the condition key should be put in the Resource field which enables users to have the permissions on their folder.

The correct S3 bucket policy for the given scenario is option C.

Explanation:

The scenario involves allowing federated users to access their specific directory in the S3 bucket, while preventing them from accessing other directories. Federated users are authenticated by Amazon, Google, or Facebook, and are provided with temporary credentials to access the S3 bucket.

Option A grants access to all federated users to all directories in the S3 bucket. This policy does not meet the requirement of allowing access only to specific directories.

Option B uses the ${aws:FederatedProvider} variable to allow access to objects in the federated user's directory. However, the policy does not restrict access to only the user's directory. Therefore, this policy does not meet the requirement.

Option D allows access to all objects in the S3 bucket, but uses a condition to restrict access to objects that match the federated user's provider. However, this policy does not restrict access to only the user's directory.

Option C is the correct policy because it allows access to only the federated user's directory. The policy uses the ${aws:FederatedProvider} variable to specify the principal and restricts access to the S3 bucket and the user's directory only. This policy meets the requirement of allowing access only to specific directories.

Therefore, the correct answer is option C.

Prev Question Next Question