Kyle

Reputation: 103

IAM Policy and S3 Policy

If I have an IAM role that gives access to a bucket, does that bucket ALSO need a bucket policy to specify that the role has access? Can I just have one or the other?

Example:

I have an IAM role that says

    {
        "Action": [
            "s3:Get*",
            "s3:Put*",
            "s3:DeleteObject",
            "s3:List*"
        ],
        "Resource": [
            "arn:aws:s3:::bucketname/*"
        ],
        "Effect": "Allow"
    }

The bucket has a policy attached but it doesn't include anything about the role with the above statement. There are no deny statements in the bucket policy. Should the role be able to access the files?

Upvotes: 1

Views: 1837

Answers (2)

Sudharsan Sivasankaran

Reputation: 5887

Here is an interesting article from AWS comparing IAM Policy vs Bucket Policy vs ACL

If you’re more interested in “What can this user do in AWS?” then IAM policies are probably the way to go. You can easily answer this by looking up an IAM user and then examining their IAM policies to see what rights they have.

If you’re more interested in “Who can access this S3 bucket?” then S3 bucket policies will likely suit you better. You can easily answer this by looking up a bucket and examining the bucket policy.

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

Upvotes: 2

jarmod

Reputation: 78583

Typically, you do not need to provide an S3 bucket policy.

Whenever you make a request to S3, the authorization decision depends on the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply.

The order of policy evaluation is:

  1. Is there an explicit Deny? Result is deny.
  2. Is there an explicit Allow? Result is allow.
  3. (implicit default) Result is deny.

Upvotes: 3
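The two answers above describe the same mechanism from two angles: the blog post distinguishes identity-based (IAM) policies from resource-based (bucket) policies, and jarmod's answer gives the evaluation order over their union. The following is an added example, not code from the original post or from AWS, that models that order over the asker's own IAM statement plus two constructed bucket policies. The role ARN, account id and object keys are placeholders, and the model deliberately ignores Condition, NotAction/NotResource, ACLs, SCPs, permission boundaries and session policies; it also assumes the role and the bucket live in the same account, which is the case where an IAM allow alone is sufficient (a cross-account principal additionally needs an allow in the bucket policy).

```python
"""Toy evaluator for the S3 authorization order: explicit Deny wins,
then explicit Allow, otherwise implicit deny.

Added example for illustration; not AWS code. Simplifications: no
Condition, NotAction, NotResource, ACLs, SCPs, permission boundaries
or cross-account handling. Same-account access is assumed.
"""
import fnmatch

# Constructed placeholders: hypothetical role in a hypothetical account.
ROLE_ARN = "arn:aws:iam::123456789012:role/app-role"

# The asker's IAM statement, wrapped in a complete policy document.
IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:Put*", "s3:DeleteObject", "s3:List*"],
            "Resource": ["arn:aws:s3:::bucketname/*"],
        }
    ],
}

# Constructed bucket policy that says nothing about the role (the asker's case).
BUCKET_POLICY_SILENT = {"Version": "2012-10-17", "Statement": []}

# Constructed bucket policy with an explicit Deny on one prefix.
BUCKET_POLICY_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {"AWS": ROLE_ARN},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::bucketname/secrets/*",
        }
    ],
}


def _as_list(value):
    # Policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are matched case-sensitively with the same wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    # Identity-based policies carry no Principal: they apply to the identity
    # they are attached to. Resource-based policies must name the principal.
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    if principal == "*":
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return "*" in _as_list(aws) or principal_arn in _as_list(aws)


def evaluate(principal_arn, action, resource, iam_policies, bucket_policies):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    effects = set()
    for policy in list(iam_policies) + list(bucket_policies):
        for stmt in policy.get("Statement", []):
            if (_principal_matches(stmt, principal_arn)
                    and _action_matches(stmt.get("Action", []), action)
                    and _resource_matches(stmt.get("Resource", []), resource)):
                effects.add(stmt["Effect"])
    # Step 1: any explicit Deny anywhere in the union ends the evaluation.
    if "Deny" in effects:
        return "explicit-deny"
    # Step 2: an explicit Allow from either policy type is enough (same account).
    if "Allow" in effects:
        return "allow"
    # Step 3: nothing matched, so the request is denied by default.
    return "implicit-deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::bucketname/data/report.csv"
    secret = "arn:aws:s3:::bucketname/secrets/key.txt"
    print(evaluate(ROLE_ARN, "s3:GetObject", obj, [IAM_POLICY], [BUCKET_POLICY_SILENT]))
    print(evaluate(ROLE_ARN, "s3:GetObject", secret, [IAM_POLICY], [BUCKET_POLICY_DENY]))
    print(evaluate(ROLE_ARN, "s3:ListBucket", "arn:aws:s3:::bucketname", [IAM_POLICY], []))
```

The first call reproduces the asker's situation: the bucket policy is silent, the IAM allow matches, so the result is allow. The second shows that a bucket-policy Deny overrides the IAM Allow on the secrets prefix, which is why reviewing both policy types matters when answering "who can reach this bucket". The third illustrates a common gotcha that is also visible from the asker's statement: s3:ListBucket is a bucket-level action evaluated against the bucket ARN, and a Resource of `arn:aws:s3:::bucketname/*` covers only objects, so the listing falls through to the implicit deny even though `s3:List*` is allowed.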
