S3 Bucket Policies
- We need to know what are different resources, actions in s3 Refer Here
- In AWS when we create any resource it will have unique Name called as ARN (Amazon Resource Name)
- Refer Here for the Resource Types
- Using ARN
- Giving an Access is possible in S3 to specific accounts or anonymous user
- specific accounts: principal =>
arn:{partition}::{account-id}:{iam-user} - Anonymous user: principal =>
*
- specific accounts: principal =>
- Create a new bucket
- upload some objects
- By default access is denied
- Activity 1: Lets create an S3 bucket policy which will allow access to four.mp4 to anyone
{
"Version": "2012-10-17",
"Id": "Activity1",
"Statement": [
{
"Sid": "Activity1",
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": [
"arn:aws:s3:::policydemoqt/videos/four.mp4"
]
}
]
}
* Now lets upload some images in the folder images
* Activity 2: Lets give access to anyone to all the images
{
"Version": "2012-10-17",
"Id": "Activity1",
"Statement": [
{
"Sid": "Activity1",
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": [
"arn:aws:s3:::policydemoqt/videos/four.mp4"
]
},
{
"Sid": "Activity2",
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": [
"arn:aws:s3:::policydemoqt/images/*"
]
}
]
}
- or the other version could be
{
"Version": "2012-10-17",
"Id": "Activity1",
"Statement": [
{
"Sid": "Activity1",
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": [
"arn:aws:s3:::policydemoqt/videos/four.mp4",
"arn:aws:s3:::policydemoqt/images/*"
]
},
]
}
- Activity 3:
- Create an S3 bucket with acl’s disabled and create three folders music, images and videos
- In each of these folders create two subfolder public and private
- All the objects in public should be accessible by everyone
- Solution:
json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Principal": "*",
"Effect": "Allow",
"Action": "*",
"Resource": [
"arn:aws:s3:::playingwithpolicies/*/public/*"
]
}
]
}
- Activity 4: Give Public access to all objects in a bucket if the ip address is
49.205.96.154
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": "arn:aws:s3:::playingwithpolicies/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "49.205.96.154/32"
}
}
}
]
}
- Activity 5: Give Public access to all objects for a range of ip addresses i.e. with any public ip starting from 49
49.x.x.x=>49.0.0.0/8
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": "*",
"Action": "*",
"Resource": "arn:aws:s3:::playingwithpolicies/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "49.0.0.0/8"
}
}
}
]
}
