Bucket Policy

What it is: A resource-based policy attached to an S3 bucket.

What it’s for:

  • Control who can access bucket/object actions.
  • Enable cross-account access to a bucket.
  • Enforce security requirements (e.g., HTTPS-only, specific IP ranges).

Key ideas:

  • Must include Principal (who is allowed/denied).
  • Explicit deny overrides allow.
  • Can enforce encryption or TLS through policy conditions.
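
Added example (not part of the original notes): one bucket policy that shows all three key ideas together. The bucket name example-bucket and the account ID 111122223333 are placeholders, and the Sid values are made up for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountRead",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Sid": "DenyRequestsWithoutTLS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyPutsWithoutSseKmsHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    }
  ]
}
```

A GetObject request from account 111122223333 sent over plain HTTP matches both the Allow and the TLS Deny, and the explicit Deny wins. For the cross-account read to work over HTTPS, the calling identity in account 111122223333 also needs an IAM policy that allows s3:GetObject on this bucket.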

Exam cues:

  • “block public access” → bucket policy + block public access settings.
  • “allow another account to read objects” → bucket policy.

Hard words:

  • *principal* /ˈprɪnsəpəl/: the entity a policy applies to (user/role/account)
  • *enforce* /ɪnˈfɔːrs/: to make something mandatory
  • *TLS* /ˌtiː el ˈes/: security protocol for data in transit
aws/storage/s3/bucket-policy.txt · Last modified: by phong2018