AWS Classroom Series – 25/Dec/2020

AWS S3 Bucket Policy

  • An AWS S3 bucket policy is written in JSON format. Refer Here
  • Example bucket policy
{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/Dave"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1/*",
                "arn:aws:s3:::awsexamplebucket1"
            ]
        }
    ]
}
  • Policy language elements
    • Resource: buckets, objects, access points and jobs Refer Here
    • Action: the set of operations S3 supports on each resource Refer Here
    • Effect: Allow or Deny
    • Principal: the AWS user or account to which access is granted or denied
    • Condition: the conditions under which the statement is in effect
  • Scenario 1: Grant read-only permission to anonymous users
  • Let's use this bucket policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LTPublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::ltsamples3/authenticationandauthorization.mp4"]
        }
    ]
}
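A public-read statement like the one above is exactly what an audit should surface before it reaches production. The following checker is an added example (not part of the original notes): it walks a bucket policy and reports Allow statements whose Principal is anonymous ("*" or {"AWS": "*"}), separating those that carry a Condition block, since a condition may narrow the grant and needs a human look. The sample policy is constructed from the Scenario 1 statement plus a second, non-public statement for contrast.

```python
import json

# Constructed sample: the Scenario 1 public-read statement from the notes,
# plus a non-public statement (example account 123456789012) for contrast.
SAMPLE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LTPublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::ltsamples3/authenticationandauthorization.mp4"]
        },
        {
            "Sid": "TeamRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/Dave"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::ltsamples3/*"
        }
    ]
}
""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_public_principal(principal):
    """True when the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy):
    """Return the Sids of Allow statements that grant to anonymous principals.

    Statements with a Condition block are reported separately: the condition
    may restrict the grant (for example to one VPC endpoint) and needs review
    rather than an automatic verdict.
    """
    unconditional, conditional = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # an anonymous Deny is not a public grant
        if not is_public_principal(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        (conditional if stmt.get("Condition") else unconditional).append(sid)
    return {"unconditional": unconditional, "conditional": conditional}


if __name__ == "__main__":
    report = find_public_statements(SAMPLE_POLICY)
    for sid in report["unconditional"]:
        print(f"PUBLIC: statement {sid} grants access to anonymous principals")
    for sid in report["conditional"]:
        print(f"REVIEW: statement {sid} is anonymous but conditional")
```

On a real account the same finding is what the S3 Block Public Access setting enforces at write time: with BlockPublicPolicy turned on, a bucket policy containing the LTPublicRead statement is rejected when it is applied.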
  • Scenario 2: Allow full permissions for one IAM user (admin) and read-only access to another IAM user (developer). A principal ARN must name the account (a wildcard is not accepted in that field), so the example account 123456789012 from the first policy is used here; each Sid is unique, as S3 requires, and the admin statement names the bucket ARN as well as its objects so that bucket-level actions such as s3:ListBucket are covered.
{
    "Version": "2012-10-17",
    "Id": "Policy1608868865480",
    "Statement": [
        {
            "Sid": "Stmt1608868785705",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/developer"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::ltsamples3/*"
        },
        {
            "Sid": "Stmt1608868861098",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/developer"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::ltsamples3/*"
        },
        {
            "Sid": "AdminFullAccess",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/admin"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::ltsamples3/*",
                "arn:aws:s3:::ltsamples3"
            ]
        }
    ]
}
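The way these statements combine is the part worth internalising: access starts from an implicit Deny, any matching explicit Deny is final, and otherwise a matching Allow grants the request. The evaluator below is an added example (not the notes' own code, and not AWS's real policy engine): it applies exactly those three rules plus IAM-style wildcard matching for Action and Resource, and runs the Scenario 2 policy (with the example account 123456789012) through a few requests. It deliberately ignores Condition, NotPrincipal/NotAction/NotResource and the caller's identity-based policies, so it answers only what the bucket policy alone says.

```python
import re

# Constructed sample: the Scenario 2 policy from the notes above, using the
# example account 123456789012 in the principal ARNs (a wildcard is not
# accepted in the account field of a principal ARN).
SCENARIO2 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1608868785705", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/developer"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ltsamples3/*"},
        {"Sid": "Stmt1608868861098", "Effect": "Deny",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/developer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::ltsamples3/*"},
        {"Sid": "AdminFullAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/admin"},
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::ltsamples3/*", "arn:aws:s3:::ltsamples3"]},
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    ) + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _principal_matches(principal, caller_arn):
    """"*" or {"AWS": "*"} means everyone; otherwise the caller ARN must match exactly."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))
    return False


def evaluate(policy, caller_arn, action, resource_arn):
    """Simplified resource-policy evaluation for one request.

    Start from implicit Deny; an explicit Deny in any matching statement is
    final; otherwise a matching Allow turns the decision to Allow. Condition,
    NotPrincipal/NotAction/NotResource and identity policies are not modelled.
    """
    decision = "Deny"
    for stmt in _as_list(policy["Statement"]):
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        # Action names are matched case-insensitively; resource ARNs are not.
        if not any(_wildcard_match(a, action, ignore_case=True)
                   for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, resource_arn)
                   for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins regardless of any Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    dev = "arn:aws:iam::123456789012:user/developer"
    obj = "arn:aws:s3:::ltsamples3/report.csv"
    print("developer GetObject:", evaluate(SCENARIO2, dev, "s3:GetObject", obj))  # Allow
    print("developer PutObject:", evaluate(SCENARIO2, dev, "s3:PutObject", obj))  # Deny
```

Note that the developer's Deny on s3:PutObject is redundant for the bucket policy on its own (nothing allowed it), but it still does useful work: an explicit Deny in the bucket policy also overrides any Allow the developer might receive from an identity-based policy in the same account.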

Access Control List Overview

  • S3 ACLs let us manage access to buckets and objects. Each bucket and object has an ACL attached as a subresource.
  • The ACL lists which AWS accounts are granted access and the type of access granted. Refer Here for more info

Cross-Origin Resource Sharing

  • If browsers running on other domains (origins) need to access the bucket, CORS must be enabled on the bucket with the origins that are allowed.
  • Sample CORS configuration
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "http://www.infosys.com"
        ],
        "ExposeHeaders": []
    },
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST"
        ],
        "AllowedOrigins": [
            "http://www.dell.com"
        ],
        "ExposeHeaders": []
    },
    {
        "AllowedHeaders": [],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": []
    }
]
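S3 evaluates CORS rules in order and applies the first rule in which the request's Origin, method and every header named in Access-Control-Request-Headers are all allowed; if none matches, the browser blocks the cross-origin call. The code below is an added example (not the notes' own code, and not S3's implementation) that models that matching over the sample configuration above, and adds a small audit that flags rules letting any origin send a state-changing method. The one-star matching for origins and headers follows the documented limit of a single "*" per entry; the second, weaker configuration is constructed for the audit.

```python
import json

# Constructed sample: the CORS configuration from the notes above.
CORS_RULES = json.loads("""
[
    {"AllowedHeaders": ["*"], "AllowedMethods": ["PUT", "POST", "DELETE"],
     "AllowedOrigins": ["http://www.infosys.com"], "ExposeHeaders": []},
    {"AllowedHeaders": ["*"], "AllowedMethods": ["PUT", "POST"],
     "AllowedOrigins": ["http://www.dell.com"], "ExposeHeaders": []},
    {"AllowedHeaders": [], "AllowedMethods": ["GET"],
     "AllowedOrigins": ["*"], "ExposeHeaders": []}
]
""")

# Constructed sample of a weaker configuration: any origin may upload.
WEAK_RULES = [
    {"AllowedHeaders": ["*"], "AllowedMethods": ["GET", "PUT"],
     "AllowedOrigins": ["*"], "ExposeHeaders": []}
]


def _one_star_match(pattern, value):
    """An AllowedOrigins or AllowedHeaders entry may contain at most one '*';
    everything around it must match exactly (for origins, scheme included)."""
    if "*" not in pattern:
        return pattern == value
    head, _, tail = pattern.partition("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))


def match_cors(rules, origin, method, request_headers=()):
    """Return the index of the first rule S3 would apply to a cross-origin
    request, or None when no rule matches (the browser then blocks it).

    Rules are checked in order; the origin, the method and every header the
    browser lists in Access-Control-Request-Headers must all be allowed by
    the same rule. Header names are compared case-insensitively.
    """
    for index, rule in enumerate(rules):
        if not any(_one_star_match(p, origin) for p in rule["AllowedOrigins"]):
            continue
        if method.upper() not in rule["AllowedMethods"]:
            continue
        allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
        if not all(any(_one_star_match(p, h.lower()) for p in allowed)
                   for h in request_headers):
            continue
        return index
    return None


def audit_cors(rules):
    """Indexes of rules that let any origin send a state-changing method."""
    mutating = {"PUT", "POST", "DELETE"}
    return [i for i, rule in enumerate(rules)
            if "*" in rule["AllowedOrigins"]
            and mutating & set(rule["AllowedMethods"])]


if __name__ == "__main__":
    print(match_cors(CORS_RULES, "http://www.dell.com", "DELETE"))  # None
    print(match_cors(CORS_RULES, "http://www.dell.com", "GET"))     # 2
    print(audit_cors(WEAK_RULES))                                   # [0]
```

Two things the run makes visible: a GET from http://www.dell.com is not served by the dell rule (which lists only PUT and POST) but falls through to the wildcard rule, and the wildcard rule has an empty AllowedHeaders list, so the same GET with any custom request header matches nothing at all. CORS is only a browser-side gate; S3 still applies the bucket policy and ACL to every request that gets through, so a permissive CORS rule never grants access by itself, but it does widen which web pages can exercise access that the policy already allows.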
