A critical rule of thumb in cyber security is the principle of least privilege: grant the fewest permissions that still get the job done.
For example, your user is in the "manager" group, which we gave "full admin access" to. Especially at smaller companies, it's common for folks to have more permissions than they truly need, usually for the sake of speed and convenience.
But that's not the most secure way to do things.
Let's just pretend that you are the engineering manager, that Tubely is a small company, and so it does make sense for your IAM user to have full admin access.
Fine.
But that doesn't mean we can't still scope down the permissions of the application itself.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:ListBucket"
      ],
      "Resource": ["arn:aws:s3:::tubely-123456", "arn:aws:s3:::tubely-123456/*"]
    }
  ]
}
```
Replace tubely-123456 with your bucket name. You can get the Amazon Resource Name (ARN) of your bucket in the S3 console. Both ARNs are needed: s3:ListBucket is evaluated against the bucket itself (arn:aws:s3:::your-bucket), while GetObject, PutObject and DeleteObject are evaluated against the objects inside it (arn:aws:s3:::your-bucket/*). Drop either one and the corresponding call fails with an AccessDenied error.
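To avoid hand-editing the JSON for each bucket, and to catch the usual mistakes (an s3:* or "*" slipping in, a resource outside the bucket, ListBucket granted only on the /* ARN), the following script generates the policy and lints it before you upload it. It is an added example, not code from the Tubely project or the course; the statement Sids, the function names and the bucket name default are my own choices, and it splits the single statement above into two so that each action is granted only on the resource type it applies to.

```python
"""Generate and sanity-check a least-privilege S3 policy for one bucket.

Added example, not part of the course material. Sids, function names and the
default bucket name "tubely-123456" are assumptions for illustration.
"""
import json
import sys

# Actions evaluated against objects (resource arn:aws:s3:::bucket/*)
OBJECT_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
# Actions evaluated against the bucket itself (resource arn:aws:s3:::bucket)
BUCKET_ACTIONS = ["s3:ListBucket"]


def bucket_arn(bucket):
    return f"arn:aws:s3:::{bucket}"


def build_policy(bucket):
    """Return the policy document as a dict: two Allow statements, each
    scoped to the resource form its actions are actually evaluated on."""
    arn = bucket_arn(bucket)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TubelyObjectAccess",
                "Effect": "Allow",
                "Action": OBJECT_ACTIONS,
                "Resource": f"{arn}/*",
            },
            {
                "Sid": "TubelyListBucket",
                "Effect": "Allow",
                "Action": BUCKET_ACTIONS,
                "Resource": arn,
            },
        ],
    }


def _as_list(value):
    # IAM accepts a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_policy(policy, bucket):
    """Return a list of findings. An empty list means every Allow statement
    uses only S3 actions, no wildcards, and only this bucket's two ARNs."""
    findings = []
    arn = bucket_arn(bucket)
    allowed_resources = {arn, f"{arn}/*"}
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
            elif not action.startswith("s3:"):
                findings.append(f"{sid}: non-S3 action {action!r}")
        for resource in resources:
            if resource == "*":
                findings.append(f"{sid}: wildcard resource")
            elif resource not in allowed_resources:
                findings.append(
                    f"{sid}: resource {resource!r} is outside bucket {bucket!r}"
                )
        # ListBucket on the /* ARN alone never matches; it needs the bucket ARN.
        if "s3:ListBucket" in actions and arn not in resources:
            findings.append(
                f"{sid}: s3:ListBucket needs the bucket ARN {arn!r}, not just .../*"
            )
    return findings


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "tubely-123456"
    doc = build_policy(name)
    print(json.dumps(doc, indent=2))
    problems = lint_policy(doc, name)
    if problems:
        sys.exit("\n".join(problems))
```

Run it as `python scope_policy.py your-bucket-name > policy.json`, then upload with `aws iam create-policy --policy-name tubely-s3 --policy-document file://policy.json` and attach the returned policy ARN to the application's own IAM user with `aws iam attach-user-policy --user-name <app-user> --policy-arn <arn>`. The lint only checks shape, not semantics; use IAM's own simulator (`aws iam simulate-custom-policy`) if you want AWS to confirm which calls the document permits.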
```bash
aws iam list-policies --scope Local --no-cli-pager
```
`--scope Local` lists only customer-managed policies, so your new policy should show up without AWS's hundreds of built-in ones. If `--no-cli-pager` isn't recognized, you're on version 1 of the AWS CLI and need to migrate to version 2.
Run and submit the CLI tests.