====== Bucket Policy ======

**What it is:** A resource-based policy attached to an S3 bucket.

**What it’s for:**
  * Control who can perform bucket and object actions.
  * Enable cross-account access to a bucket.
  * Enforce security requirements (e.g., HTTPS-only, specific IP ranges).

**Key ideas:**
  * Must include a **Principal** (who is allowed or denied).
  * An explicit Deny overrides any Allow.
  * Conditions can enforce encryption or TLS.

**Exam cues:**
  * “block public access” → bucket policy + Block Public Access settings.
  * “allow another account to read objects” → bucket policy.

**Hard words:**
  * *principal* /ˈprɪnsəpəl/: the entity (user/role/account) that a policy allows or denies
  * *enforce* /ɪnˈfɔːrs/: to make a rule mandatory and compel compliance with it
  * *TLS* /ˌtiː el ˈes/: a protocol that secures data in transit