AWS Classroom Series – 03/Sept/2020

AWS S3 bucket policies

  • Bucket policies can grant permissions to AWS S3 resources.

Policy Language Overview:

  • A policy is a JSON document.
  • Refer Here for the complete list of AWS S3 resource types, actions and condition keys.
  • A policy has the following elements:
    • Resource: Refer Here
    • Action: Refer Here
    • Effect: Allow or Deny
    • Principal: The account or user for whom you want to allow or deny access to the resources
    • Condition:

Writing a basic bucket policy

  • The policy has the following structure (condition operators and keys are listed at https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-policy-keys):
{
    "Version": "2012-10-17",
    "Id": "<any identifier>",
    "Statement": [
        {
            "Sid": "<your unique id or name>",
            "Effect": "<Allow or Deny>",
            "Principal": "<* for everyone, or a user ARN>",
            "Action": "s3:<action from https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-actions-as-permissions>",
            "Resource": ["<ARN of the resource type, see https://docs.aws.amazon.com/AmazonS3/latest/dev/list_amazons3.html#amazons3-resources-for-iam-policies>"],
            "Condition": {
                "<condition operator>": {
                    "<condition key>": "<value>"
                }
            }
        }
    ]
}
  • Let's write a policy which denies access to an S3 bucket from a specific VPC. Below are the IDs specific to my account:
    • VPC: vpc-e510649d
    • Bucket: qts3forlearning
  • Note: the other buckets should remain accessible from this VPC, which is why the policy is attached to this one bucket only.
  • The sample policy looks like this (the Deny lists both the bucket ARN and its objects so that object operations are blocked too; the Allow with Principal "*" grants bucket-level permissions to everyone, including anonymous requests, and is here only for the exercise):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Principal": "*",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": [
                "arn:aws:s3:::qts3forlearning",
                "arn:aws:s3:::qts3forlearning/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-e510649d"
                }
            }
        },
        {
            "Principal": "*",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": ["arn:aws:s3:::qts3forlearning"]
        }
    ]
}
  • Create the bucket policy from the console.
  • The policy generator can also be used to generate a bucket policy.
  • Save the policy.
  • Now create an EC2 instance in the VPC mentioned above and install the AWS CLI.
  • Now let's change the principal of the Deny statement to a specific IAM user:
{
  "Id": "Policy1599106533064",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1599106520601",
      "Action": "s3:*",
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::qts3forlearning/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::353635396145:user/test"
        ]
      }
    },
    {
      "Sid": "Stmt1599106531248",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "*",
      "Principal": "*"
    }
  ]
}
  • Now let's use conditions to control access per VPC:
{
    "Id": "Policy1599107861167",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1599107447365",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::qts3forlearning/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-e510649d"
                }
            },
            "Principal": "*"
        },
        {
            "Sid": "Stmt1599107859952",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": "arn:aws:s3:::qts3forlearning/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceVpc": "vpc-f4574b9c"
                }
            },
            "Principal": "*"
        }
    ]
}
  • This allows access from one VPC (vpc-e510649d) and denies access from the other VPC (vpc-f4574b9c).
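To see how Principal, Action, Resource, Condition and Effect combine at evaluation time, here is a small Python simulator added to these notes (it is not part of the original page and not AWS's own evaluator): it applies wildcard matching for actions and resources, StringEquals/StringNotEquals conditions, and the explicit-deny-over-allow rule to the policy above. The policy text is embedded as a constructed sample, and the caller ARN and object key in the test are made up.

```python
import fnmatch
import json

# Constructed sample: the page's "allow one VPC, deny the other" bucket policy.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowFromVpc", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::qts3forlearning/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-e510649d"}}},
    {"Sid": "DenyFromOtherVpc", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::qts3forlearning/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-f4574b9c"}}}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", []))
    return "*" in arns or caller_arn in arns

def _conditions_hold(condition, ctx):
    # Only StringEquals / StringNotEquals are modelled; a key missing from ctx fails StringEquals.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True

def statement_applies(stmt, caller_arn, action, resource, ctx):
    return (_principal_matches(stmt["Principal"], caller_arn)
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _conditions_hold(stmt.get("Condition", {}), ctx))

def evaluate(policy, caller_arn, action, resource, ctx):
    """An explicit Deny wins over any Allow; no matching statement is an implicit deny."""
    applicable = [s for s in policy["Statement"]
                  if statement_applies(s, caller_arn, action, resource, ctx)]
    if any(s["Effect"] == "Deny" for s in applicable):
        return "Deny"
    return "Allow" if applicable else "ImplicitDeny"
```

Note that aws:SourceVpc is only set on requests that reach S3 through a VPC endpoint; a request from an EC2 instance that leaves through an internet gateway carries no such key, so neither statement matches it and the result is an implicit deny. The /* resource covers objects only, so bucket-level actions such as s3:ListBucket also fall through to an implicit deny with this policy.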
