Core Implementation — Human Operator Permissions

Designing and Attaching the Auditor Policy

The audit team’s documented requirement is: read the contents of the source bucket, nothing else. Translating that into IAM requires two actions: s3:ListBucket (to see what objects exist) and s3:GetObject (to download them). These are distinct because s3:ListBucket applies at the bucket ARN level while s3:GetObject applies at the object ARN level. Getting this wrong is a common mistake: a policy that grants s3:GetObject on the bucket ARN is accepted without any error, but every object read made under it is denied.

Create a customer managed policy named DocumentAuditorS3ReadOnly with the following document. Read each statement before applying it.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSourceBucketListing",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::cloudboxio-lab-source-{your-account-id}"
    },
    {
      "Sid": "AllowSourceObjectRead",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::cloudboxio-lab-source-{your-account-id}/*"
    }
  ]
}

Notice what this policy does not include: it does not grant access to the output bucket, it does not grant s3:PutObject, s3:DeleteObject, or s3:*, and it does not use a wildcard resource. Each of these omissions is intentional and auditable.

Attach this policy to the document-auditors group, not to the user directly.

Validation

Log in as audit-user-01. Navigate to S3. You should now be able to see the source bucket in the list and browse its contents. Attempt to navigate to the output bucket — you should receive an access denied error. Attempt to delete one of the test files in the source bucket — this should also fail.

The precise failure message for an action blocked by IAM is: User: arn:aws:iam::{account-id}:user/audit-user-01 is not authorized to perform: s3:DeleteObject on resource.... If you see this, your policy is working correctly.

IAM Policy Simulator Validation

Before trusting console testing alone, open the IAM Policy Simulator (available under IAM > Tools > Policy Simulator). Select audit-user-01 as the principal, select S3 as the service, and test the following actions against both bucket ARNs:

  • s3:ListBucket on the source bucket ARN — expected: allowed
  • s3:GetObject on source-bucket/* — expected: allowed
  • s3:PutObject on source-bucket/* — expected: denied
  • s3:GetObject on output-bucket/* — expected: denied

The simulator will show you the exact policy evaluation result and which statement produced it. This is how you validate permissions before users reach production.
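To make the bucket-ARN versus object-ARN distinction from the policy section concrete, and to reproduce the four simulator checks above offline, here is an added example (not part of the original lab) that evaluates this page's policy with a deliberately simplified model of IAM's identity-policy logic: explicit Deny wins, otherwise any matching Allow grants, otherwise the implicit deny applies. The account id is a constructed sample value, the output bucket name is assumed, and conditions, NotAction/NotResource and bucket policies are not modelled.

```python
import fnmatch

# Constructed sample account id; the page uses the placeholder {your-account-id}.
ACCOUNT_ID = "111122223333"
SOURCE = f"arn:aws:s3:::cloudboxio-lab-source-{ACCOUNT_ID}"
OUTPUT = f"arn:aws:s3:::cloudboxio-lab-output-{ACCOUNT_ID}"  # output bucket name is assumed

# The DocumentAuditorS3ReadOnly policy exactly as given on this page.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowSourceBucketListing", "Effect": "Allow",
         "Action": "s3:ListBucket", "Resource": SOURCE},
        {"Sid": "AllowSourceObjectRead", "Effect": "Allow",
         "Action": "s3:GetObject", "Resource": SOURCE + "/*"},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation. Returns (decision, matching Sid).
    Not modelled: Condition, NotAction/NotResource, resource policies, SCPs."""
    decision, sid = "implicitDeny", None
    for stmt in policy["Statement"]:
        # IAM matches action names case-insensitively; '*' and '?' are wildcards.
        act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                     for a in _as_list(stmt.get("Action", [])))
        res_ok = any(fnmatch.fnmatchcase(resource, r)
                     for r in _as_list(stmt.get("Resource", [])))
        if act_ok and res_ok:
            if stmt["Effect"] == "Deny":
                return "explicitDeny", stmt.get("Sid")  # explicit Deny always wins
            decision, sid = "allowed", stmt.get("Sid")
    return decision, sid

def misapplied_policy():
    """The mistake the text warns about: s3:GetObject granted on the bucket ARN itself."""
    bad = {"Version": POLICY["Version"], "Statement": [dict(s) for s in POLICY["Statement"]]}
    bad["Statement"][1]["Resource"] = SOURCE
    return bad

if __name__ == "__main__":
    obj = "/report.pdf"  # constructed object key
    for action, resource in [("s3:ListBucket", SOURCE), ("s3:GetObject", SOURCE + obj),
                             ("s3:PutObject", SOURCE + obj), ("s3:GetObject", OUTPUT + obj)]:
        print(action, resource, evaluate(POLICY, action, resource))
    print("misapplied GetObject:", evaluate(misapplied_policy(), "s3:GetObject", SOURCE + obj))
```

The last line shows the failure mode described earlier: with s3:GetObject on the bucket ARN, a real object read returns implicitDeny even though the policy itself is syntactically valid.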

[Figure: Policy simulator results showing allowed and denied actions]

Policy Design Check

Why does s3:ListBucket use the bucket ARN while s3:GetObject uses the bucket ARN with /* appended?
