AWS Classroom Series – 03/Dec/2021

AWS S3 ACL’s contd

  • When we create the s3 buckets with ACL’s enabled, we can make objects public Preview

Access policies

  • By creating Identity and Access Management policy, you can provide fine grained control over objects in S3 because, IAM policy helps you control who can access the data store in s3. This policy is applied to AWS Users
  • IAM policies are generally created for your project/organization users and then we give them specific permissions
    • bucket
    • object
    • Actions: GEt, upload, delete etc..
  • To work with policies we need to understand ARN (Amazon Resource Name). AWS gives an unique ARN for any resource created by the user.Refer Here for the official docs. The ARN looks as shown below
arn:partition:service:region:account-id:resource-id
arn:partition:service:region:account-id:resourcetype/resource
  • partition: This is partition for resource, for all the AWS standard regions the value is aws and if you create resources in china aws-cn and aws-us-gov for us-gov aws cloud
  • service: This is service namespace egs(s3,rds,ec2 etc)
  • region: The region code
  • account-id: ID of the AWS account that owns this resource
  • resource, resourcetype:resource, resourcetype/resource: this is content
  • Refer Here for s3 arns
  • Bucket Policy:
    • You can also create policies at the bucket level which is called as bucket-policy
    • Using bucket policy you can incorpate user restrictions without using IAM, you can grant other AWS accounts or IAM user permissions for buckets or any folders or objects inside.
    • A common use case of a bucket policy is to grant read-only permission to an anonymous user to access any object from a particular bucket
    • To create a bucket policy we use json
      • Select the Bucket in the S3
      • Choose Permissions
      • Under Bucket Policy, Choose Edit Preview
      • From policy generator, we have created a policy for s3 bucket
      {
"Id": "Policy1638505163278",
"Version": "2012-10-17",
"Statement": [
    {
    "Sid": "Stmt1638505157560",
    "Action": [
        "s3:GetObject"
    ],
    "Effect": "Allow",
    "Resource": "arn:aws:s3:::qts3activity2/*",
    "Principal": "*"
    }
]
}
    • Exercise: Lets give permissions from bucket policy only to access the contents of 2content/ objects Preview
      • Now lets create a bucket policy which reflects that
      {
"Version": "2012-10-17",
"Id": "Policy1638505826036",
"Statement": [
    {
        "Sid": "Stmt1638505823931",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::qts3activity1/2content/*"
    }
    ]
}

Note:

  • Ensure you go through the JSON and YAML tutorial Refer Here

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Please turn AdBlock off
Social Network Widget by Acurax Small Business Website Designers

Discover more from Direct DevOps from Quality Thought

Subscribe now to keep reading and get access to the full archive.

Continue reading

Visit Us On FacebookVisit Us On LinkedinVisit Us On Youtube