Thanks so much ro pro! Hope this video helps!

You're very welcome Michael!

You're very welcome!

You're very welcome Lina!

Glad it was helpful!

Hi BR, here you go: docs.aws.amazon.com/IAM/latest/UserGuide/images/PolicyEvaluationHorizontal111621.png

@@BeABetterDev Thanks, I bookmarked it :) That is quite complex, no wonder why IAM is a beast.

Yes bucket policies or any other resource based policy attached directly to resource will override the permissions given by iam

For example you're given permission to putobject in s3 with Iam but if bucket policy denies it you won't be able to put object

@@Vibration.Nation Thank you for the reply and the example I really appreciate you taking the time to help me

No, access to the bucket and access to the data ("objects") in the bucket are considered two different things. You might hear these concepts described as "management plane access'" and "data plane access". If you only have access to the bucket, you have access to change settings and attributes on the bucket, but not the data inside it. So you could, for example, change the lifecycle policy on the bucket or the default encryption, but not download objects from the bucket. This distinction helps create user access schemes that properly divide roles and responsibilities. Your local cloud infrastructure team may manage the attributes of the bucket to ensure compliance, but not have access to the data which may be sensitive customer data for example. Conversely, your data scientists may need access to that sensitive customer data for legitimate reasons, but you don't want them screwing with the bucket settings. In his example, yes, he gave permission to both the bucket and bucket objects. This effectively grants true "full access" to the bucket in all facets, including the objects. In a real scenario, this is common for dev/test and environments that don't require the division of permissions.

@@CptSupermrkt Thanks. I'm getting ready to take the AWS developer assoc. exam; any pointers? I purchased some courses on Udemy. I'm not quite sure if they're good prep.

@@renejacques8288 I passed all Associates and DevOps Pro using essentially just practice exams. Everyone's learning style is different, but for me, watching courses doesn't work. What I would do is, take a practice exam, then grade my answers in one of three ways: 1) Correct - I got it right, and I actually knew the concepts. 2) Correct - I got it right, but it was either a lucky guess or a 50/50 guess 3) Incorrect For questions that were #2 and #3, then I would deep dive into those particular things, usually by using my personal AWS account to act out the problem myself. I just did like 5 questions a day like this, not much, but consistent: before you know it, you'll have filled in your gaps, and ready for the exam.

This is really great advice. Thanks for sharing with the viewers.

@@CptSupermrkt Really well explained with context.

Haha you caught me!

As long as the user iam role is allowed to make s3 calls, the s3 bucket policy will allow the user in

NO