AWS Classroom Series – 03/Sept/2020

AWS S3 bucket policies

  • Bucket policies grant (or deny) permissions on AWS S3 resources.

Policy Language Overview:

  • A policy is a JSON document.
  • Refer Here for the complete list of resource types in AWS S3, the actions and the condition keys.
  • A policy has the following elements:
    • Resource: Refer Here
    • Action: Refer Here
    • Effect: Allow or Deny
    • Principal: the account or user for whom you want to allow or deny access to the resources
    • Condition:

Writing a basic bucket policy

  • A bucket policy has the following structure (placeholders in angle brackets):
{
    "Version": "2012-10-17",
    "Id": "<any identifier>",
    "Statement": [
        {
            "Sid": "<your unique id or name>",
            "Effect": "<Allow or Deny>",
            "Principal": "<* for everyone, or the user/account ARN>",
            "Action": "s3:<action from https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-actions-as-permissions>",
            "Resource": ["<ARN of the resource type, see https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-resources-for-iam-policies>"],
            "Condition": {
                "<condition operator, e.g. StringEquals>": {
                    "<condition key from https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-policy-keys>": "<value>"
                }
            }
        }
    ]
}
  • Let's write a policy which denies access to the S3 bucket from a specific VPC. Below are the IDs specific to my account:
    • VPC: vpc-e510649d
    • Bucket: qts3forlearning
  • Note that this VPC should still have access to the other buckets.
  • The sample policy looks like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": "*",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": ["arn:aws:s3:::qts3forlearning"],
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-e510649d"
                }
            }
        },
        {
            "Principal": "*",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::qts3forlearning"]
            
        }
    ]
}
  • Create the bucket policy from the console.
  • The policy generator can also be used to generate a bucket policy.
  • Save the policy.
  • Now create an EC2 instance in the VPC mentioned above and install the AWS CLI.
  • Now let's change the principal of the Deny statement to a specific IAM user:
{
  "Id": "Policy1599106533064",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1599106520601",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::qts3forlearning/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::353635396145:user/test"
        ]
      }
    },
    {
      "Sid": "Stmt1599106531248",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
  • Now let's try to work with conditions on the resources:
{
    "Id": "Policy1599107861167",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1599107447365",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::qts3forlearning/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-e510649d"
                }
            },
            "Principal": "*"
        },
        {
            "Sid": "Stmt1599107859952",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": "arn:aws:s3:::qts3forlearning/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-f4574b9c"
                }
            },
            "Principal": "*"
        }
    ]
}
  • This allows access from one VPC and denies access from the other VPC.
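As an added example (not part of the original post), here is a small Python simulator of the evaluation rules these bucket policies rely on: a statement applies only when its Principal, Action, Resource and Condition all match the request, a matching explicit Deny wins over every Allow, and a request nobody allows is implicitly denied. It models only the StringEquals operator and the aws:SourceVpc key, which AWS sets only on requests that reach S3 through a VPC endpoint; the caller ARN, account ID and object key are constructed placeholders, and the policy is the post's final allow-one-VPC/deny-the-other policy.

```python
import fnmatch
import json

# Constructed sample input: the post's final policy (allow one VPC, deny the other).
VPC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::qts3forlearning/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-e510649d"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::qts3forlearning/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-f4574b9c"}}}
  ]
}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(principal, caller_arn):
    # "*" means everyone; otherwise the caller ARN must be listed under "AWS".
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or caller_arn in aws

def _condition_matches(condition, context):
    # Only StringEquals is modelled; every key in the block must match a context value.
    # A key absent from the request context (e.g. no VPC endpoint) never matches.
    return all(context.get(k) in _as_list(v)
               for k, v in condition.get("StringEquals", {}).items())

def _glob_any(value, patterns):
    # IAM-style wildcard match: "*" also spans ":" and "/" (fnmatch behaves the same).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, caller_arn, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' when no statement allows."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if (_principal_matches(stmt.get("Principal", {}), caller_arn)
                and _glob_any(action, stmt["Action"])
                and _glob_any(resource, stmt["Resource"])
                and _condition_matches(stmt.get("Condition", {}), context)):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            decision = "Allow"
    return decision

if __name__ == "__main__":
    obj = "arn:aws:s3:::qts3forlearning/data.txt"  # constructed object ARN
    for vpc in ("vpc-e510649d", "vpc-f4574b9c", None):
        ctx = {"aws:SourceVpc": vpc} if vpc else {}  # no key: not via a VPC endpoint
        print(vpc, evaluate(VPC_POLICY, "arn:aws:iam::123456789012:user/test",
                            "s3:GetObject", obj, ctx))
```

The third run (no aws:SourceVpc key at all) ends in ImplicitDeny, which is what an instance in the right VPC sees when it reaches S3 over the internet instead of a VPC endpoint.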
