Environment & Base Setup
Creating the Foundational Resources
You need two S3 buckets and the scaffolding of your IAM structure before writing policies. The bucket naming and IAM structure decisions here are not arbitrary.
S3 Buckets
Create two S3 buckets in your account:
- cloudboxio-lab-source-{your-account-id} — the input bucket containing documents to be read
- cloudboxio-lab-output-{your-account-id} — the output bucket where processed results are written
Appending your account ID to the bucket name is a practical convention that avoids global naming collisions and makes cross-account policies easier to reason about. In a real environment, you would use a naming scheme tied to your organisation and environment (e.g. acme-prod-documents-source-123456789012).
For both buckets: leave Block Public Access enabled on all four settings. You are not building a public website. Any configuration that allows public access to these buckets is a misconfiguration in this context.
Do not enable versioning or server-side encryption yet — those are real production concerns but outside this lab’s scope.
Upload at least two test files to the source bucket. These will be used later to verify read permissions work correctly. A simple text file is sufficient.
IAM Structure Scaffold
In the IAM console, create the following before attaching any policies:
- A group named document-auditors
- A user named audit-user-01 — enable console access, auto-generate a password, and require a password reset on first login. This simulates onboarding a real operator.
- Add audit-user-01 to the document-auditors group.
Do not create any policies yet. At this point, audit-user-01 has zero permissions. If you log in as this user, every AWS console page will return access denied errors. This is the correct baseline — deny by default is the foundation of AWS IAM.

After completing setup, log in as audit-user-01 in a separate browser or incognito window and attempt to navigate to S3. You should see an access denied banner. This confirms that the deny-by-default posture is active and your user has no ambient permissions.
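The same setup scripted with the AWS CLI, as an added example that is not part of the lab. The bucket names, group, user and the four Block Public Access settings are the ones given above; the region argument, the AWS_CLI override variable, the run guard and the closing policy-simulator check (which confirms deny-by-default without a console login) are assumptions of this example.

```shell
# Added example, not the lab's own code. Assumes an administrative principal is
# configured in the CLI; the account id is taken from that session. AWS_CLI can
# be overridden to exercise the functions against a stub instead of a live account.
set -eu
AWS_CLI="${AWS_CLI:-aws}"
GROUP="document-auditors"
USER_NAME="audit-user-01"
FOUR_BLOCKS="BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
account_id() { "$AWS_CLI" sts get-caller-identity --query Account --output text; }
# Create a bucket and immediately enforce all four Block Public Access settings.
create_private_bucket() {
  bucket="$1"; region="${2:-us-east-1}"
  if [ "$region" = "us-east-1" ]; then
    "$AWS_CLI" s3api create-bucket --bucket "$bucket" --region "$region" >/dev/null
  else
    "$AWS_CLI" s3api create-bucket --bucket "$bucket" --region "$region" \
      --create-bucket-configuration "LocationConstraint=$region" >/dev/null
  fi
  "$AWS_CLI" s3api put-public-access-block --bucket "$bucket" \
    --public-access-block-configuration "$FOUR_BLOCKS"
}
# Group, console user with a one-time password that must be reset on first
# login, and group membership. No policy is attached: permissions start at zero.
create_iam_scaffold() {
  temp_password="$1"
  "$AWS_CLI" iam create-group --group-name "$GROUP" >/dev/null
  "$AWS_CLI" iam create-user --user-name "$USER_NAME" >/dev/null
  "$AWS_CLI" iam create-login-profile --user-name "$USER_NAME" \
    --password "$temp_password" --password-reset-required >/dev/null
  "$AWS_CLI" iam add-user-to-group --group-name "$GROUP" --user-name "$USER_NAME"
}
# Deny-by-default check without logging in as the user: the IAM policy
# simulator must report implicitDeny for a basic S3 action.
verify_deny_by_default() {
  decision=$("$AWS_CLI" iam simulate-principal-policy \
    --policy-source-arn "arn:aws:iam::$1:user/$USER_NAME" \
    --action-names s3:ListAllMyBuckets \
    --query 'EvaluationResults[0].EvalDecision' --output text)
  [ "$decision" = "implicitDeny" ]
}
main() {
  acct=$(account_id)
  create_private_bucket "cloudboxio-lab-source-$acct"
  create_private_bucket "cloudboxio-lab-output-$acct"
  create_iam_scaffold "$(openssl rand -base64 18)"
  verify_deny_by_default "$acct" && echo "$USER_NAME has no ambient S3 access"
}
if [ "${1:-}" = "run" ]; then main "$@"; fi
```

Run it as `sh setup.sh run` with administrative credentials configured; the generated one-time password is only needed for the first console login, after which the reset is forced.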