AWS Classroom Series – 04/Dec/2021

AWS S3 Bucket Policy

  • Refer Here for understanding the bucket policy
  • AWS S3 Bucket policy syntax
{
    "Version": "2012-10-17",
    "Id": "ExamplePolicy01",
    "Statement": [
        {
            "Sid": "ExampleStatement01",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/Dave"
            },
            "Action": [
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::awsexamplebucket1/*",
                "arn:aws:s3:::awsexamplebucket1"
            ]
        }
    ]
}
  • Version: This represents the version of the bucket policy with the value 2012-10-17
  • Id: This is identifier of your policy i.e. unique identifier or name given by you
  • Statement: This is array of statements. Each statement represents the allow or deny permission
    • Resources: Buckets, object, access points etc where you use ARN for any AWS S3 resources
    • Actions: The actions that can be performed on the Resource
    • Effect: Allow or Deny
    • Principal: The account or user to whom you want to allow or deny the permission
    • Condition: Condition for when the policy will be in effect
  • Refer Here to view the list of actions, resources and conditional keys for S3
  • Scenario:
    • Grant permissions to multiple AWS accounts the permission to upload objects
    {
  "Version": "2012-10-17",
  "Id": "Example1",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": ["s3:PutObject"],
          "Resource": "arn:aws:s3:::qts3activity1/3content/*",
          "Principal": {
              "AWS": ["arn:aws:iam::912868338977:root", "arn:aws:iam::323168868272:root"]
          }
          
      }
  ]
}

    {
  "Version": "2012-10-17",
  "Id": "Example2",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": ["s3:GetObject"],
          "Resource": "arn:aws:s3:::qts3activity1/2content/*",
          "Principal": "*",
          "Condition": {
              "IpAddress": {
                  "aws:SourceIp": [
                      "183.82.157.106/32",
                      "49.37.153.132/32",
                      "69.138.173.102/32",
                      "49.37.159.83/32",
                      "24.24.185.155/32"
                  ]
              }
          }
      }
  ]
}
    • Black list certain ip address for accessing the objects
    {
  "Version": "2012-10-17",
  "Id": "Example2",
  "Statement": [
      {
          "Effect": "Deny",
          "Action": ["s3:GetObject"],
          "Resource": "arn:aws:s3:::qts3activity1/2content/*",
          "Principal": "*",
          "Condition": {
              "IpAddress": {
                  "aws:SourceIp": [
                      "183.82.157.106/32",
                      "49.37.153.132/32",
                      "69.138.173.102/32",
                      "49.37.159.83/32",
                      "24.24.185.155/32"
                  ]
              }
          }
      },
      {
          "Effect": "Allow",
          "Action": ["s3:GetObject"],
          "Resource": "arn:aws:s3:::qts3activity1/2content/*",
          "Principal": "*"
      }
  ]
}
  • To give access to the internet/a particular aws vpc (virtual network) for s3 bucket items in the case of non-acls create an access point
  • AWS S3 access points are designed to use with authorizations using Authenticate the requests using s3 API Reference
  • Refer Here for the limitations.

Leave a ReplyCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Please turn AdBlock off
Animated Social Media Icons by Acurax Responsive Web Designing Company

Discover more from Direct DevOps from Quality Thought

Subscribe now to keep reading and get access to the full archive.

Continue reading

Exit mobile version
%%footer%%