AWS S3 Bucket Policy
- An AWS S3 bucket policy is a resource-based policy written in JSON and attached to the bucket.
- Example bucket policy
{
  "Version": "2012-10-17",
  "Id": "ExamplePolicy01",
  "Statement": [
    {
      "Sid": "ExampleStatement01",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/Dave"
      },
      "Action": [
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::awsexamplebucket1/*",
        "arn:aws:s3:::awsexamplebucket1"
      ]
    }
  ]
}
- Policy language elements
- Resource: buckets, objects, access points and jobs, identified by ARN (note that object-level actions need the `bucket/*` ARN while bucket-level actions such as `s3:ListBucket` need the bucket ARN itself)
- Action: for each resource type, S3 supports a set of operations (`s3:GetObject`, `s3:PutObject`, `s3:ListBucket`, ...)
- Effect: Allow or Deny; an explicit Deny always wins over an Allow
- Principal: the AWS account, IAM user or role to which you want to grant or deny access; `"*"` means everyone, including anonymous requests
- Condition: conditions under which the statement takes effect (for example source IP or whether the request used TLS)
- Scenario 1: Grant read-only permission to anonymous users
- Let's use this bucket policy. With `Principal` set to `"*"` and no `Condition`, the object is readable by anyone on the internet, so the bucket's Block Public Access settings must permit it, and the grant is limited to a single object ARN rather than the whole bucket:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LTPublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::ltsamples3/authenticationandauthorization.mp4"]
    }
  ]
}
- Scenario 2: Allow full permissions for one IAM user (admin) and read-only access to another IAM user (developer). Two details matter here: a bucket policy principal must be a complete ARN (or a bare `"*"`), so a wildcard in the account part such as `arn:aws:iam::*:user/developer` is rejected as an invalid principal, and the account ID 123456789012 below is the same placeholder used in the first example; and statement IDs must be unique within a policy, so the admin statement gets its own `Sid`. The admin statement also names the bucket ARN itself, because `s3:*` on `ltsamples3/*` alone would not allow listing the bucket.
{
  "Version": "2012-10-17",
  "Id": "Policy1608868865480",
  "Statement": [
    {
      "Sid": "Stmt1608868785705",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/developer"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::ltsamples3/*"
    },
    {
      "Sid": "Stmt1608868861098",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/developer"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::ltsamples3/*"
    },
    {
      "Sid": "AdminFullAccess",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:user/admin"
      },
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::ltsamples3",
        "arn:aws:s3:::ltsamples3/*"
      ]
    }
  ]
}
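The two scenarios above are easy to get wrong in ways that S3 either rejects outright or that silently open the bucket. The following script is an added example, not part of the original notes and not an AWS tool: it lints a bucket policy offline for the specific mistakes discussed here (duplicate `Sid`, a wildcard inside a principal ARN, an unconditional `Allow` to `"*"`, and `s3:ListBucket`/`s3:*` granted only on object ARNs). The three embedded policies are constructed from the examples in the notes, with scenario 2 in its first-draft form so the findings show up.

```python
"""Offline checks for an S3 bucket policy document.

Added example, not part of the original notes and not an AWS tool: it flags
the mistakes the scenarios above illustrate without calling AWS.  The three
policies embedded below are constructed samples built from the notes.
"""
import json

S3_ARN_PREFIX = "arn:aws:s3:::"


def as_list(value):
    """Action, Resource and principal values may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principals_of(statement):
    """Flatten the Principal element to a list of '*' or ARN strings."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for values in principal.values() for p in as_list(values)]
    return []


def lint_bucket_policy(policy):
    """Return human-readable findings for a policy (dict or JSON string).

    Checks: duplicate Sid (S3 rejects the policy); a wildcard inside a principal
    ARN such as arn:aws:iam::*:user/x (S3 rejects it, only a bare "*" is valid);
    an Allow to "*" with no Condition (public access); and s3:ListBucket or
    s3:* granted only on object ARNs, which leaves listing impossible because
    ListBucket is a bucket-level action.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings, seen_sids = [], set()
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if sid in seen_sids:
            findings.append(f"{sid}: duplicate Sid")
        seen_sids.add(sid)
        principals = principals_of(stmt)
        for p in principals:
            if p != "*" and "*" in p:
                findings.append(f"{sid}: wildcard inside principal ARN {p}")
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        is_allow = stmt.get("Effect") == "Allow"
        if is_allow and "*" in principals and "Condition" not in stmt:
            findings.append(f"{sid}: public access to {', '.join(resources)}")
        needs_bucket_arn = any(a in ("s3:ListBucket", "s3:*") for a in actions)
        has_bucket_arn = any(
            r.startswith(S3_ARN_PREFIX) and "/" not in r[len(S3_ARN_PREFIX):]
            for r in resources
        )
        if is_allow and needs_bucket_arn and not has_bucket_arn:
            findings.append(f"{sid}: ListBucket needs the bucket ARN, not only objects")
    return findings


# Constructed samples: the first policy and the two scenarios from the notes,
# with scenario 2 exactly as first drafted (wildcard account, duplicate Sid).
DAVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExampleStatement01", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/Dave"},
        "Action": ["s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::awsexamplebucket1/*", "arn:aws:s3:::awsexamplebucket1"],
    }],
}
PUBLIC_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "LTPublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::ltsamples3/authenticationandauthorization.mp4"],
    }],
}
DRAFT_SCENARIO2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1608868785705", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::*:user/developer"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ltsamples3/*"},
        {"Sid": "Stmt1608868861098", "Effect": "Deny",
         "Principal": {"AWS": "arn:aws:iam::*:user/developer"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::ltsamples3/*"},
        {"Sid": "Stmt1608868785705", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::*:user/admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::ltsamples3/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in [("Dave", DAVE_POLICY), ("public read", PUBLIC_READ_POLICY),
                         ("scenario 2 draft", DRAFT_SCENARIO2_POLICY)]:
        print(name, lint_bucket_policy(policy) or ["no findings"])
```

The public-read finding is informational: scenario 1 wants that grant, but surfacing every unconditional `"*"` allow is what you want in a review so nothing becomes public by accident. The draft of scenario 2 produces five findings, and the corrected version above produces none.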
Access Control List Overview
- S3 ACLs let us manage access to buckets and objects. Each bucket and object has an ACL attached to it as a subresource.
- The ACL lists which AWS accounts or predefined groups are granted access and the type of access each is granted (read, write, read ACL, write ACL, or full control).
Cross-Origin Resource Sharing
- To let web pages served from other origins (domains) make browser requests to the bucket, enable CORS on the bucket and list only the origins and methods that need it; the browser enforces the rules S3 returns in the preflight response.
- Sample CORS configuration
[
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "PUT",
      "POST",
      "DELETE"
    ],
    "AllowedOrigins": [
      "http://www.infosys.com"
    ],
    "ExposeHeaders": []
  },
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "PUT",
      "POST"
    ],
    "AllowedOrigins": [
      "http://www.dell.com"
    ],
    "ExposeHeaders": []
  },
  {
    "AllowedHeaders": [],
    "AllowedMethods": [
      "GET"
    ],
    "AllowedOrigins": [
      "*"
    ],
    "ExposeHeaders": []
  }
]
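To see what the sample configuration actually permits, the script below is an added example, not part of the original notes and not AWS code. It reproduces the documented rule selection for a preflight request (rules are evaluated in order and the first rule whose `AllowedOrigins` matches the `Origin`, whose `AllowedMethods` contains the requested method and whose `AllowedHeaders` covers every requested header is used) and also lists rules that allow writes from any origin. `CORS_RULES` is the configuration from the notes; the request tuples and `OPEN_WRITE_RULES` are constructed.

```python
"""Offline evaluation of an S3 CORS configuration.

Added example, not part of the original notes and not AWS code.  It mirrors
the documented rule selection for a preflight request: rules are tried in
order and the first rule whose AllowedOrigins matches the Origin, whose
AllowedMethods contains the requested method and whose AllowedHeaders covers
every requested header is used.  CORS_RULES is the sample configuration from
the notes; the requests below are constructed.
"""


def pattern_matches(pattern, value):
    """S3 allows at most one '*' in an origin or header entry (e.g. http://*.example.com)."""
    if "*" not in pattern:
        return pattern == value
    head, _, tail = pattern.partition("*")
    return (len(value) >= len(head) + len(tail)
            and value.startswith(head) and value.endswith(tail))


def match_cors_rule(rules, origin, method, request_headers=()):
    """Return the index of the first rule allowing the request, or None."""
    for index, rule in enumerate(rules):
        if method not in rule["AllowedMethods"]:
            continue
        if not any(pattern_matches(p, origin) for p in rule["AllowedOrigins"]):
            continue
        # Every header named in Access-Control-Request-Headers must be allowed;
        # an empty AllowedHeaders list allows no custom headers at all.
        headers_ok = all(
            any(pattern_matches(p.lower(), h.lower()) for p in rule["AllowedHeaders"])
            for h in request_headers
        )
        if headers_ok:
            return index
    return None


def write_from_anywhere(rules):
    """Indexes of rules that let any origin modify objects (review these)."""
    writes = {"PUT", "POST", "DELETE"}
    return [i for i, r in enumerate(rules)
            if "*" in r["AllowedOrigins"] and writes & set(r["AllowedMethods"])]


CORS_RULES = [
    {"AllowedHeaders": ["*"], "AllowedMethods": ["PUT", "POST", "DELETE"],
     "AllowedOrigins": ["http://www.infosys.com"], "ExposeHeaders": []},
    {"AllowedHeaders": ["*"], "AllowedMethods": ["PUT", "POST"],
     "AllowedOrigins": ["http://www.dell.com"], "ExposeHeaders": []},
    {"AllowedHeaders": [], "AllowedMethods": ["GET"],
     "AllowedOrigins": ["*"], "ExposeHeaders": []},
]

# Constructed variant: a rule that accepts uploads from every origin.
OPEN_WRITE_RULES = [
    {"AllowedHeaders": ["*"], "AllowedMethods": ["PUT"],
     "AllowedOrigins": ["*"], "ExposeHeaders": []},
]

if __name__ == "__main__":
    for origin, method, headers in [
        ("http://www.infosys.com", "DELETE", ()),
        ("http://www.dell.com", "DELETE", ()),
        ("http://www.dell.com", "PUT", ("content-type",)),
        ("http://other.example", "GET", ()),
        ("http://other.example", "GET", ("x-custom",)),
    ]:
        print(origin, method, headers, "->",
              match_cors_rule(CORS_RULES, origin, method, headers))
    print("write-from-anywhere rules:", write_from_anywhere(OPEN_WRITE_RULES))
```

Two points the sample makes visible: `http://www.dell.com` cannot `DELETE` because no rule combines that origin with that method, and a `GET` from an unlisted origin that sends a custom header is refused because the wildcard-origin rule has an empty `AllowedHeaders` list. The `"*"` origin rule in the notes is limited to `GET`, so `write_from_anywhere` reports nothing for it.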