AWS Classroom Series – 25/Dec/2020

AWS S3 Bucket Policy

  • An AWS S3 bucket policy is written in JSON format. Refer Here
  • Example bucket policy
{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/Dave"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1/*",
                "arn:aws:s3:::awsexamplebucket1"
            ]
        }
    ]
}
  • Policy Language Elements
    • Resource: buckets, objects, access points and jobs. Refer Here
    • Action: for each resource type, S3 supports a set of operations. Refer Here
    • Effect: Allow or Deny
    • Principal: the AWS user or account to which you want to grant or deny access
    • Condition: the conditions under which the statement takes effect
  • Scenario 1: Grant read-only permission to anonymous users
  • Let's use this bucket policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LTPublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::ltsamples3/authenticationandauthorization.mp4"]
        }
    ]
}
  • Scenario 2: Allow full permissions to one IAM user (admin) and read-only access to another IAM user (developer). The Principal element does not accept a wildcard inside an ARN, so the account ID has to be spelled out; 123456789012 below stands in for your own account ID.
{
    "Version": "2012-10-17",
    "Id": "Policy1608868865480",
    "Statement": [
        {
            "Sid": "Stmt1608868785705",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/developer"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::ltsamples3/*"
        },
        {
            "Sid": "Stmt1608868861098",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/developer"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::ltsamples3/*"
        },
        {
            "Sid": "Stmt1608868785705",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/admin"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::ltsamples3/*"
        }
    ]
}
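To see how the policy elements above combine, here is a small evaluator written for these notes (it is not AWS code and not the instructor's). It models the two scenarios with a constructed policy, applies the IAM evaluation order (explicit Deny, then Allow, otherwise implicit Deny) and flags statements open to everyone; the account ID 123456789012 is a placeholder and the Condition element is not modelled.

```python
import fnmatch
ACCOUNT = "123456789012"  # placeholder account ID (constructed, not a real account)
# Constructed policy modelled on Scenario 2: developer read-only, admin full access.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevRead", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/developer"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ltsamples3/*"},
        {"Sid": "DevNoWrite", "Effect": "Deny",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/developer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::ltsamples3/*"},
        {"Sid": "AdminAll", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::ltsamples3/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    # "*" matches everyone, including anonymous callers (caller_arn None). Otherwise the
    # caller ARN must appear verbatim: IAM does not expand wildcards inside a Principal ARN.
    if principal == "*":
        return True
    return isinstance(principal, dict) and caller_arn in _as_list(principal.get("AWS", []))

def _matches(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy, caller_arn, action, resource):
    """Decide one request as IAM does: explicit Deny beats Allow; otherwise implicit Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt["Principal"], caller_arn)
                and _matches(action, stmt["Action"])
                and _matches(resource, stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

def public_allow_sids(policy):
    """Sids of Allow statements open to everyone (Principal "*"), the Scenario 1 pattern."""
    return [s.get("Sid") for s in policy["Statement"]
            if s["Effect"] == "Allow" and s["Principal"] == "*"]
```

Note that an object-level Resource such as `arn:aws:s3:::ltsamples3/*` does not cover bucket-level actions like s3:ListBucket, which need the bucket ARN itself, as the first example policy on this page shows.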

Access Control List Overview

  • S3 ACLs let us manage access to buckets and objects. Each bucket and object has an ACL attached as a subresource.
  • The ACL lists which AWS accounts are granted access and the type of access granted. Refer Here for more info

Cross-Origin Resource Sharing

  • If browsers on specific domains need to access objects in the bucket cross-origin, CORS must be enabled on the bucket with a configuration that lists those domains.
  • Sample CORS configuration
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "http://www.infosys.com"
        ],
        "ExposeHeaders": []
    },
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST"
        ],
        "AllowedOrigins": [
            "http://www.dell.com"
        ],
        "ExposeHeaders": []
    },
    {
        "AllowedHeaders": [],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": []
    }
]
