For a policy to allow access to a bucket and everything inside it, does the 'Any' box next to object need to be checked (or does simply allowing access to a bucket imply access to its contents)?
There are two reasons I ask i) so that the policy has access to the objects inside the bucket, but also ii) to confirm that checking the 'Any' box doesn't give access to objects outside the specified bucket(s) (it could be bad if it did and that wasn't realised) - I assume it probably doesn't but best to be sure.
No, access to a bucket (as indicated by a policy resource like arn:aws:s3:::mybucket) does not provide any API access to the objects within that bucket. To access the objects, you would need to allow API actions against an object resource like arn:aws:s3:::mybucket/*.

The IAM dialog you've shown is a convenience that helps you to create a JSON policy. At any time, you can click the JSON tab to see the equivalent JSON policy.

The dialog has 4 resource types: accesspoint, bucket, job, object. They are independent of one another. Selecting a specific S3 bucket under the 'bucket' section does not have any impact on the 'object' section.

So, if you indicate mybucket under bucket and 'Any' under object, your policy will contain something like this:

Note specifically that this allows all S3 actions (s3:*) against both the bucket (arn:aws:s3:::mybucket) and all the objects in all the buckets (arn:aws:s3:::*/*).

If you want to allow actions against the mybucket bucket and against all of the objects in mybucket, then indicate mybucket under bucket, deselect 'Any' under object, and indicate arn:aws:s3:::mybucket/* under object. Your JSON policy will now look like this: