AWS S3 bucket policies
- A bucket policy is a resource-based policy attached to a bucket. It grants or denies permissions on that bucket and the objects in it, and it is evaluated together with the IAM policies of the caller.
Policy Language Overview:
- A policy is a JSON document
- The complete list of S3 resource types, actions and condition keys is at https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html
- Each statement in a policy has the following elements
- Resource: the bucket ARN (arn:aws:s3:::bucket-name) and/or object ARNs (arn:aws:s3:::bucket-name/*). Bucket-level actions such as s3:ListBucket match the bucket ARN; object-level actions such as s3:GetObject match object ARNs only. See https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-resources-for-iam-policies
- Action: the S3 API operations the statement covers, for example s3:GetObject. See https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-actions-as-permissions
- Effect: Allow or Deny. An explicit Deny always overrides an Allow, whether the Allow comes from the bucket policy or from the caller's IAM policy
- Principal: the account, user or role the statement applies to. "*" means everyone, including anonymous (unauthenticated) requests
- Condition: optional keys (for example aws:SourceVpc or aws:SourceIp) that must match the request for the statement to apply. See https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-policy-keys
Writing a basic bucket policy
- The policy has the following structure (placeholders in angle brackets)
{
  "Version": "2012-10-17",
  "Id": "<any identifier>",
  "Statement": [
    {
      "Sid": "<your unique id or name>",
      "Effect": "<Allow or Deny>",
      "Principal": "<* for everyone, or the ARN of a user or role>",
      "Action": "s3:<action>",
      "Resource": ["<ARN of the bucket or of its objects>"],
      "Condition": {
        "<condition operator, e.g. StringEquals>": {
          "<condition key>": "<value>"
        }
      }
    }
  ]
}
- Actions: https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-actions-as-permissions
- Resource types: https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-resources-for-iam-policies
- Condition keys: https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-policy-keys
- The element names are Resource and Condition (singular); a policy that uses Resources or Conditions is rejected as malformed
- Let's write a policy that denies access to an S3 bucket from a specific VPC. Below are the IDs specific to my account (yours will differ)
- vpc: vpc-e510649d
- Bucket: qts3forlearning
- Note: this VPC should keep its access to the other buckets. A bucket policy only governs its own bucket, so nothing needs to be done for them
- Caveat: aws:SourceVpc is only set on requests that reach S3 through a VPC endpoint. A request from the same VPC that goes out over an internet gateway or NAT gateway carries no aws:SourceVpc key, so a StringEquals condition on it does not match and the Deny does not apply
- The sample policy looks like this. The Resource lists both the bucket ARN and the object ARN pattern, because s3:* on the bucket ARN alone would only cover bucket-level actions such as ListBucket and leave GetObject/PutObject on the objects untouched
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyFromOneVpc",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::qts3forlearning",
        "arn:aws:s3:::qts3forlearning/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-e510649d"
        }
      }
    },
    {
      "Sid": "AllowEveryoneElse",
      "Principal": "*",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::qts3forlearning",
        "arn:aws:s3:::qts3forlearning/*"
      ]
    }
  ]
}
- Create the bucket policy from the console (bucket > Permissions > Bucket policy)
- The policy generator can also be used to generate the bucket policy
- Save the policy. Note that an Allow with Principal "*" makes the bucket public, so S3 Block Public Access (enabled by default on new buckets) rejects this policy; for this exercise it has to be turned off for the bucket, and the policy should be removed once the test is done
- Now create an EC2 instance in the VPC mentioned, install the AWS CLI and attach an instance role with S3 permissions. For the Deny to trigger, the VPC needs a gateway endpoint for S3 in its route table; otherwise the request leaves through the internet gateway and carries no aws:SourceVpc. Test with aws s3 ls s3://qts3forlearning and aws s3 cp s3://qts3forlearning/<key> . and expect AccessDenied from this VPC only
- Now let's change the Principal of the Deny statement to a single IAM user. The Allow statement's Resource must name this bucket or its objects; a bare "*" is not accepted in a bucket policy, so it is written as the object ARN pattern here
{
  "Id": "Policy1599106533064",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1599106520601",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::qts3forlearning/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::353635396145:user/test"
        ]
      }
    },
    {
      "Sid": "Stmt1599106531248",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::qts3forlearning/*",
      "Principal": "*"
    }
  ]
}
- The user test is denied even though the Allow covers everyone, because an explicit Deny always wins. Note that the Deny only names object ARNs, so bucket-level calls such as ListBucket by this user are still governed by the user's own IAM policy
- Now let's put a condition on both statements: allow access from one VPC and deny access from another
{
  "Id": "Policy1599107861167",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1599107447365",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::qts3forlearning/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-e510649d"
        }
      },
      "Principal": "*"
    },
    {
      "Sid": "Stmt1599107859952",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::qts3forlearning/*",
      "Condition": {
        "StringEquals": {
          "aws:SourceVpc": "vpc-f4574b9c"
        }
      },
      "Principal": "*"
    }
  ]
}
- This allows object access from vpc-e510649d (through its S3 gateway endpoint) and explicitly denies it from vpc-f4574b9c. The Deny is not redundant: without it, a principal in the same account whose IAM policy grants s3:* could still reach the objects from vpc-f4574b9c, since an IAM Allow is enough when the bucket policy says nothing. A request that does not come through a VPC endpoint matches neither statement and falls back to whatever the caller's IAM policy allows
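To see how the three policies above behave before pushing them to a bucket, here is a small evaluator, added as an example and not part of the original page or of any AWS code. It models only the pieces of S3 policy evaluation these policies exercise (explicit Deny beats Allow, "*" and {"AWS": [...]} principals, action/resource globs, StringEquals conditions, and a condition key that is absent from the request context never matching). It reuses the bucket, VPC and user IDs from the page; the object key notes.txt and the second user arn:aws:iam::353635396145:user/other are constructed for the demo. IAM identity policies, SCPs, ACLs and Block Public Access are ignored.

```python
"""Toy evaluator for the three bucket policies on this page (added example, not AWS code)."""
import fnmatch

BUCKET = "arn:aws:s3:::qts3forlearning"
OBJECTS = BUCKET + "/*"
SAMPLE_OBJECT = BUCKET + "/notes.txt"                  # constructed object key
TEST_USER = "arn:aws:iam::353635396145:user/test"
OTHER_USER = "arn:aws:iam::353635396145:user/other"    # constructed second user

# Policy 1 from the page: deny everything that arrives from vpc-e510649d, allow everyone else.
DENY_ONE_VPC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, OBJECTS],
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-e510649d"}}},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": [BUCKET, OBJECTS]},
]}

# Policy 2: deny one IAM user on the objects, allow everyone else.
DENY_ONE_USER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": [TEST_USER]}, "Action": "s3:*", "Resource": OBJECTS},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": OBJECTS},
]}

# Policy 3: allow one VPC, explicitly deny another.
ALLOW_VPC_DENY_VPC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": OBJECTS,
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-e510649d"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": OBJECTS,
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-f4574b9c"}}},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """'*' matches everyone (anonymous included); {'AWS': [...]} matches the listed ARNs."""
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or caller_arn in allowed


def _condition_matches(condition, context):
    """Only StringEquals is modelled. A key missing from the request context
    (e.g. aws:SourceVpc on a request that did not use a VPC endpoint) never matches."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def _glob_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource, caller_arn, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request against one bucket policy.

    The first matching Deny statement wins outright; otherwise the request is allowed
    only if at least one Allow statement matched.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller_arn):
            continue
        if not _glob_any(action, stmt["Action"]) or not _glob_any(resource, stmt["Resource"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def demo():
    """The request mixes a tester would try from the EC2 instance in each VPC."""
    via_a = {"aws:SourceVpc": "vpc-e510649d"}   # reached S3 through vpc-e510649d's endpoint
    via_b = {"aws:SourceVpc": "vpc-f4574b9c"}   # reached S3 through vpc-f4574b9c's endpoint
    no_endpoint = {}                            # went out via an internet gateway: no key at all
    cases = {
        "policy1 / from vpc-e510649d via endpoint": (DENY_ONE_VPC, OTHER_USER, via_a),
        "policy1 / from vpc-e510649d via internet gateway": (DENY_ONE_VPC, OTHER_USER, no_endpoint),
        "policy2 / user test": (DENY_ONE_USER, TEST_USER, no_endpoint),
        "policy2 / other user": (DENY_ONE_USER, OTHER_USER, no_endpoint),
        "policy3 / from vpc-e510649d via endpoint": (ALLOW_VPC_DENY_VPC, OTHER_USER, via_a),
        "policy3 / from vpc-f4574b9c via endpoint": (ALLOW_VPC_DENY_VPC, OTHER_USER, via_b),
        "policy3 / no VPC endpoint at all": (ALLOW_VPC_DENY_VPC, OTHER_USER, no_endpoint),
    }
    return {name: evaluate(p, "s3:GetObject", SAMPLE_OBJECT, who, ctx)
            for name, (p, who, ctx) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{result:<12} {name}")
```

The second policy1 case is the caveat from above made concrete: the same instance in vpc-e510649d is allowed as soon as its traffic bypasses the S3 gateway endpoint, because the Deny's condition key is simply not there. For the real thing, run the candidate policy through aws iam simulate-custom-policy with --context-entries supplying aws:SourceVpc, which evaluates it together with the account's IAM policies rather than in isolation as this toy does.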