AWS Classroomnotes 19/Jun/2022

S3 Bucket Policies

  • We need to know the different resources and actions available in S3. Refer Here
  • In AWS, every resource we create has a unique name called an ARN (Amazon Resource Name)
  • Refer Here for the resource types
  • Using ARN
  • In S3, access can be granted to specific accounts or to the anonymous user
    • specific accounts: principal => arn:{partition}::{account-id}:{iam-user}
    • anonymous user: principal => *
  • Create a new bucket
  • Upload some objects
  • By default, access is denied
  • Activity 1: Let's create an S3 bucket policy which allows anyone to access four.mp4
{
    "Version": "2012-10-17",
    "Id": "Activity1",
    "Statement": [
        {
            "Sid": "Activity1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::policydemoqt/videos/four.mp4"
            ]
        }
    ]
}

  • Now let's upload some images into the images folder
  • Activity 2: Let's give anyone access to all the images

{
    "Version": "2012-10-17",
    "Id": "Activity1",
    "Statement": [
        {
            "Sid": "Activity1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::policydemoqt/videos/four.mp4"
            ]
        },
        {
            "Sid": "Activity2",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::policydemoqt/images/*"
            ]
        }
    ]
}
  • or, the other version could be (both resources in one statement)
{
    "Version": "2012-10-17",
    "Id": "Activity1",
    "Statement": [
        {
            "Sid": "Activity1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": [
                "arn:aws:s3:::policydemoqt/videos/four.mp4",
                "arn:aws:s3:::policydemoqt/images/*"
            ]
        }
    ]
}
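The policies in Activities 1 and 2 use "Action": "*" together with "Principal": "*". That grants every S3 object action to anyone, including s3:PutObject and s3:DeleteObject, so an unauthenticated caller could overwrite or delete the video and images, not just download them. The following Python script is an added example (it is not part of the classroom notes) that scans a bucket policy for anonymous Allow statements whose actions go beyond reading, and produces a copy restricted to s3:GetObject. The policy document it scans is the Activity 2 policy from the notes; the READ_ONLY_ACTIONS set is the script's own assumption about what counts as read-only.

```python
import json
from copy import deepcopy

# The Activity 2 policy from the notes, embedded so the script runs offline.
ACTIVITY2_POLICY = {
    "Version": "2012-10-17",
    "Id": "Activity1",
    "Statement": [
        {"Sid": "Activity1", "Effect": "Allow", "Principal": "*",
         "Action": "*", "Resource": ["arn:aws:s3:::policydemoqt/videos/four.mp4"]},
        {"Sid": "Activity2", "Effect": "Allow", "Principal": "*",
         "Action": "*", "Resource": ["arn:aws:s3:::policydemoqt/images/*"]},
    ],
}

# Assumption of this script: only these actions are considered harmless for anonymous callers.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    # "*" and {"AWS": "*"} both mean "anyone, including unauthenticated callers".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_write(policy):
    """Return (Sid, actions) for Allow statements that let anonymous principals do more than read."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        # A wildcard action, or any action outside the read-only set, means anyone can
        # write, delete or reconfigure the matched resources.
        broad = [a for a in actions if a.endswith("*") or a not in READ_ONLY_ACTIONS]
        if broad:
            findings.append((stmt.get("Sid"), sorted(broad)))
    return findings


def restrict_to_read(policy):
    """Return a copy of the policy where anonymous Allow statements grant only s3:GetObject."""
    hardened = deepcopy(policy)
    for stmt in hardened["Statement"]:
        if stmt.get("Effect") == "Allow" and is_anonymous(stmt.get("Principal")):
            stmt["Action"] = "s3:GetObject"
    return hardened


if __name__ == "__main__":
    for sid, actions in find_public_write(ACTIVITY2_POLICY):
        print(f"{sid}: anonymous principal is allowed {actions}")
    print(json.dumps(restrict_to_read(ACTIVITY2_POLICY), indent=4))
```

Running it reports both Activity1 and Activity2 as granting "*" to anonymous callers and prints the same policy with "Action": "s3:GetObject", which is all that "access to four.mp4 / the images" actually requires. Note that S3 Block Public Access, when enabled on the bucket or account, rejects bucket policies that grant access to "*" at all, so these activities assume it has been turned off for the demo bucket.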
  • Activity 3:
    • Create an S3 bucket with ACLs disabled and create three folders: music, images and videos
    • In each of these folders create two subfolders: public and private
    • All the objects in public should be accessible by everyone
    • Solution:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "Statement1",
                  "Principal": "*",
                  "Effect": "Allow",
                  "Action": "*",
                  "Resource": [
                      "arn:aws:s3:::playingwithpolicies/*/public/*"
                  ]
              }
          ]
      }
  • Activity 4: Give public access to all objects in a bucket when the request's source IP address is 49.205.96.154
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::playingwithpolicies/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "49.205.96.154/32"
                }
            }
        }
    ]
}
  • Activity 5: Give public access to all objects for a range of IP addresses, i.e. any public IP starting with 49 (49.x.x.x => 49.0.0.0/8)
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::playingwithpolicies/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "49.0.0.0/8"
                }
            }
        }
    ]
}
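Activities 3 to 5 rely on two evaluation rules that are easy to get wrong: the "*" in a Resource ARN matches any run of characters including "/", and an IpAddress condition makes the whole statement apply only when aws:SourceIp falls inside the listed CIDR. The script below is an added example (not code from the notes) that models those rules for anonymous requests and checks sample requests against a policy combining the Activity 3 resource pattern with the Activity 5 IP condition. The request samples are constructed; the evaluator only models Principal "*", the IpAddress/NotIpAddress operators and the explicit-deny-wins rule, which is enough for these activities but is not a full IAM engine.

```python
import fnmatch
import ipaddress

# Constructed policy: Activity 3's public-prefix grant plus Activity 5's IP-restricted grant.
# The first statement uses s3:GetObject rather than "*" so the two grants can be told apart.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicPrefix",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::playingwithpolicies/*/public/*",
        },
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::playingwithpolicies/*",
            "Condition": {"IpAddress": {"aws:SourceIp": "49.0.0.0/8"}},
        },
    ],
}

BUCKET = "arn:aws:s3:::playingwithpolicies/"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    # fnmatchcase has the same '*' and '?' semantics; '[' is escaped so it stays literal.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _ip_condition_ok(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp. Other condition keys are not modelled."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        cidrs = [ipaddress.ip_network(c, strict=False)
                 for c in _as_list(keys.get("aws:SourceIp", []))]
        in_range = any(ip in net for net in cidrs)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Decide an anonymous request: explicit Deny wins, then any matching Allow grants,
    otherwise the implicit default is deny (the 'access denied' seen before Activity 1)."""
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.get("Principal") != "*":
            continue  # only anonymous principals are modelled here
        if not any(_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if not _ip_condition_ok(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed requests: (action, object key, caller's public IP).
    samples = [
        ("s3:GetObject", "music/public/song.mp3", "8.8.8.8"),
        ("s3:GetObject", "music/private/song.mp3", "8.8.8.8"),
        ("s3:GetObject", "music/private/song.mp3", "49.205.96.154"),
        ("s3:DeleteObject", "music/public/song.mp3", "49.1.2.3"),
        ("s3:DeleteObject", "music/public/song.mp3", "50.1.2.3"),
    ]
    for action, key, ip in samples:
        print(f"{action:16} {key:24} from {ip:15} -> "
              f"{'ALLOW' if evaluate(POLICY, action, BUCKET + key, ip) else 'DENY'}")
```

The fourth sample is the one to notice: because Statement1 keeps "Action": "*", any caller from 49.0.0.0/8 may delete objects, not only read them, so the IP condition narrows who but not what. Also keep in mind that aws:SourceIp is the public address S3 sees; requests arriving through a VPC endpoint do not carry it and would fall through to the default deny in a policy like this.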

About continuous learner

devops & cloud enthusiastic learner