Score:0

Confirm IAM Understanding with S3 Bucket Policy and ELB

pk flag

I have set up an S3 bucket with the policy suggested per https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html#access-logging-bucket-permissions (with obvious ID substitutions). This works: ALB logs are hitting the S3 bucket.

I then started wondering about the exact policy. It seems this policy is allowing the full ELB (not linked to my account; the account ID is per region for ELB) to PutObject to my S3 bucket and the prefix defined by the resource.

I would like to confirm my understanding that this is "okay", because it's the ALB/ELB's job at creation time to check that the S3 bucket either belongs to the account holder or has been set up to allow cross-account delegation from the account/role creating the ELB/ALB resources. What happens in the case of cross-account delegation if the other account holder removes the permissions for my account? Does the ALB/ELB continuously check for this and then remove the permission?
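What keeps the documented policy narrow is not the principal (which is indeed the regional ELB account, not yours) but the combination of a single action and a resource path confined to `AWSLogs/<your-account-id>/` inside your bucket. The following checker is an added example written for this page, not code from the poster or from AWS; it encodes the shape of the account-ID form of the policy linked in the question and flags the usual ways it gets loosened (a `*` principal, extra actions, or a bucket-wide resource). The account IDs, bucket name and prefix are constructed placeholders, and the checker covers only the account-ID form the poster used, not the service-principal form the AWS page describes for other regions.

```python
import re

# Constructed placeholders: substitute your own account, the regional ELB
# account from the AWS documentation, and your bucket/prefix.
MY_ACCOUNT_ID = "111111111111"
ELB_ACCOUNT_ID = "222222222222"
BUCKET = "example-alb-logs"
PREFIX = "alb"

# Policy in the shape the AWS page documents for regions with an ELB account id:
# one principal, one action, one resource path under AWSLogs/<your-account-id>/.
DOCUMENTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ELB_ACCOUNT_ID}:root"},
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}/AWSLogs/{MY_ACCOUNT_ID}/*",
    }],
}

# A loosened variant of the same policy, constructed here to show what the
# checker flags: anyone may put and get any object in the bucket.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:PutObject", "s3:GetObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}


def _as_list(value):
    """IAM allows scalar-or-list for Action/Resource/Principal.AWS."""
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the AWS principals of a statement; a bare "*" is a principal too."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return _as_list(principal.get("AWS", []))


def check_elb_log_policy(policy, bucket, my_account_id, elb_account_id):
    """Return a list of findings; an empty list means every Allow statement is
    scoped the way the documented access-log policy is."""
    expected_principal = f"arn:aws:iam::{elb_account_id}:root"
    # Resource must be <bucket>/[prefix/]AWSLogs/<my account>/* and nothing wider.
    resource_re = re.compile(
        rf"^arn:aws:s3:::{re.escape(bucket)}/(?:[^*]+/)?AWSLogs/{my_account_id}/\*$"
    )
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _principals(stmt):
            if p != expected_principal:
                findings.append(f"statement {i}: principal {p!r} is not the regional ELB account root")
        for a in _as_list(stmt.get("Action", [])):
            if a != "s3:PutObject":
                findings.append(f"statement {i}: action {a!r} is broader than s3:PutObject")
        for r in _as_list(stmt.get("Resource", [])):
            if not resource_re.match(r):
                findings.append(f"statement {i}: resource {r!r} is not confined to AWSLogs/{my_account_id}/")
    return findings


if __name__ == "__main__":
    for name, policy in (("documented", DOCUMENTED_POLICY), ("overbroad", OVERBROAD_POLICY)):
        result = check_elb_log_policy(policy, BUCKET, MY_ACCOUNT_ID, ELB_ACCOUNT_ID)
        print(name, "->", result or "OK")
```

Run against your real bucket policy (for example the JSON returned by `aws s3api get-bucket-policy`) with your own IDs substituted; the findings are the places where the grant is wider than log delivery needs.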
