Bucket Policy in S3
Hello Everyone
Welcome to CloudAffaire and this is Debjeet
In the last blog post, we discussed CloudWatch Metrics for S3.
https://cloudaffaire.com/s3-cloudwatch-metrics/
AWS S3 provides two types of access control: resource-based and user-based. In resource-based access control, you define the access on S3 resources, that is, buckets and objects. You can implement resource-based access control using a Bucket Policy or an ACL. In today’s blog, we are going to discuss Bucket Policy.
Bucket Policy in S3:
Using a bucket policy you can grant or deny other AWS accounts or IAM users permissions on the bucket and the objects in it. Bucket policies supplement, and in many cases replace, ACL-based access policies. A bucket policy is written in JSON and is limited to 20 KB in size. Each bucket policy consists of multiple elements that control different aspects of the policy.
Bucket Policy Elements:
A bucket policy consists of multiple elements that control different aspects of the policy. Below is an example bucket policy with several elements such as Version, Id, Statement, Sid, Effect, Principal, Action, Resource and Condition:

{
  "Version": "2012-10-17",
  "Id": "cddserr3d9-4562-2dfe-45gf-34fdg54554ee",
  "Statement": [
    {
      "Sid": "ExampleStatement01",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::Account-ID:user/Debjeet"},
      "Action": ["s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::examplebucket/*", "arn:aws:s3:::cloudaffaire_bucket"],
      "Condition": {
        "IpAddress": {"aws:SourceIp": "192.168.143.0/24"},
        "NotIpAddress": {"aws:SourceIp": "192.168.143.188/32"}
      }
    }
  ]
}
Version:
The Version element defines the version of the policy language used in the policy. Two versions are available: 2012-10-17 (the current version of the policy language) and 2008-10-17 (the previous generation). The Version element is not mandatory, but if you omit it the old language version is used by default, and newer features such as policy variables cannot be used in your policy.
Id:
The Id element specifies an optional identifier for the policy, which is used by some services such as AWS SQS and AWS SNS. The Id element is not mandatory; if defined, it should be a GUID value to maintain uniqueness.
Statement:
The Statement element is the main element of a policy and comprises multiple elements with their sub-blocks. Statement is a mandatory element of your policy.
Sid:
The Sid, or statement ID, is an optional identifier that you provide for the policy statement. You can assign a Sid value to each statement in a statement array. In services that let you specify an Id element, such as SQS and SNS, the Sid value is just a sub-ID of the policy document’s Id. In IAM, the Sid value must be unique within a JSON policy.
Effect:
Effect is a mandatory element and specifies whether the statement results in an allow or an explicit deny. The valid values for Effect are Allow and Deny.
Principal:
The Principal is the account or user who is allowed access to the actions and resources in the statement. In a bucket policy, the principal is the user, account, service, or other entity that is the recipient of this permission.
Action:
The Action element describes the specific action or actions that will be allowed or denied. Statements must include either an Action or NotAction element.
Resource:
Buckets and objects are the Amazon S3 resources for which you can allow or deny permissions. In a policy, you use the Amazon Resource Name (ARN) to identify the resource.
Condition:
The Condition element (or Condition block) lets you specify conditions for when a policy is in effect. The Condition element is optional. In the Condition element, you build expressions in which you use condition operators (equal, less than, etc.) to match the condition in the policy against values in the request.
We will cover the policy elements in detail in the IAM blog series.
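As an added example (not code from the post), here is a small Python linter that checks a bucket policy document against the element rules described above: the 20 KB limit, the Version element, the mandatory Statement, valid Effect values, the Action/NotAction requirement, a Principal per statement, and unique Sids. The sample policy it checks is constructed from the post's element example with the Version line removed and Effect lower-cased.

```python
import json

# Element rules stated in this post: at most 20 KB, Version 2012-10-17 is current
# (omitting Version selects the old language), Effect is Allow/Deny, Action or NotAction.
MAX_POLICY_BYTES = 20 * 1024
KNOWN_VERSIONS = ("2012-10-17", "2008-10-17")

def lint_bucket_policy(policy_json):
    problems = []  # human-readable findings; empty list means the policy passed
    size = len(policy_json.encode("utf-8"))
    if size > MAX_POLICY_BYTES:
        problems.append(f"policy is {size} bytes, over the 20 KB limit")
    try:
        policy = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc.msg} at line {exc.lineno}"]
    version = policy.get("Version")
    if version is None:
        problems.append("no Version: old 2008-10-17 language applies, policy variables unavailable")
    elif version not in KNOWN_VERSIONS:
        problems.append(f"unknown Version {version!r}")
    statements = policy.get("Statement")
    if statements is None:
        return problems + ["missing mandatory Statement element"]
    statements = statements if isinstance(statements, list) else [statements]  # single statement form
    seen_sids = set()
    for i, stmt in enumerate(statements):
        where = stmt.get("Sid", f"statement #{i}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if ("Action" in stmt) == ("NotAction" in stmt):
            problems.append(f"{where}: exactly one of Action or NotAction is required")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append(f"{where}: a bucket policy statement needs a Principal")
        if "Sid" in stmt and stmt["Sid"] in seen_sids:
            problems.append(f"{where}: duplicate Sid")
        seen_sids.add(stmt.get("Sid"))
    return problems

# Constructed sample: the post's element example without Version and with a lower-case Effect.
SAMPLE_POLICY = """{
  "Id": "cddserr3d9-4562-2dfe-45gf-34fdg54554ee",
  "Statement": [{
    "Sid": "ExampleStatement01", "Effect": "allow",
    "Principal": {"AWS": "arn:aws:iam::Account-ID:user/Debjeet"},
    "Action": ["s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::examplebucket/*", "arn:aws:s3:::examplebucket"]
  }]
}"""

if __name__ == "__main__":
    for problem in lint_bucket_policy(SAMPLE_POLICY):
        print("-", problem)
```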
Next, we are going to create a bucket policy to deny an IAM user access to the bucket.
Prerequisite for this demo:
An S3 bucket.
An IAM user with administrative access.
We have already created an IAM user named awss3user for this demo with the administrative access policy attached. If we log in to the AWS console as this IAM user, we can view the objects inside our bucket.
Next, we are going to deny access to this IAM user in our bucket.
Step 1: Log in to the AWS console using the bucket owner credentials (in this case the root user) and click ‘S3’ located under Storage.
Step 2: Click on the bucket.
Step 3: Click on ‘Bucket Policy’ located under ‘Permissions’.
Step 4: Define a bucket policy and click ‘Save’.
Note: Since our IAM user is part of the AWS administrator group, it had unrestricted access to almost all AWS resources, including the bucket. Here we explicitly deny this IAM user access to the bucket, and an explicit deny takes precedence over the allow granted by its administrative policy.
Policy:
{
  "Id": "Deny-Bucket-Access-To-awss3user",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "deny-access",
      "Action": "*",
      "Effect": "Deny",
      "Resource": [
        "arn:aws:s3:::cloudaffaire-demo-bucket/*",
        "arn:aws:s3:::cloudaffaire-demo-bucket"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::"
      }
    }
  ]
}
Now if we refresh the S3 console window for the IAM user, we get an Access Denied error.
For more details on bucket policy, please follow the AWS S3 and IAM documentation:
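To make the deny-overrides behaviour of this demo concrete, here is an added Python model (not the post's code, and a deliberate simplification of the real S3 authorization logic) that combines an admin-style identity policy for awss3user with the deny bucket policy above, and also evaluates the IP-conditioned allow from the element example earlier in the post. The account id 111111111111 and all three policies are constructed samples.

```python
import ipaddress
from fnmatch import fnmatchcase

# Toy model of how S3 combines an IAM user's identity policy with the bucket policy:
# an explicit Deny in either one wins over every Allow. Only the elements used in
# this post are modelled (Effect, Action, Resource, Principal, IpAddress/NotIpAddress).

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _ip_in(cidrs, source_ip):
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))

def statement_applies(stmt, principal_arn, action, resource_arn, source_ip):
    principal = stmt.get("Principal", "*")          # identity policies carry no Principal
    allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if not any(p in ("*", principal_arn) for p in allowed):
        return False
    if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", []))):
        return False
    cond = stmt.get("Condition", {})
    if "IpAddress" in cond and not _ip_in(cond["IpAddress"]["aws:SourceIp"], source_ip):
        return False
    if "NotIpAddress" in cond and _ip_in(cond["NotIpAddress"]["aws:SourceIp"], source_ip):
        return False
    return True

def evaluate(identity_policy, bucket_policy, principal_arn, action, resource_arn, source_ip):
    decision = "Deny"                                # implicit deny until something allows
    for policy in (identity_policy, bucket_policy):
        for stmt in policy.get("Statement", []):
            if statement_applies(stmt, principal_arn, action, resource_arn, source_ip):
                if stmt["Effect"] == "Deny":
                    return "Deny"                    # explicit deny ends evaluation
                decision = "Allow"
    return decision

# Constructed samples (placeholder account id): awss3user's admin-style identity policy,
# the post's deny bucket policy, and the IP-conditioned allow from the element example.
USER = "arn:aws:iam::111111111111:user/awss3user"
BUCKET = "arn:aws:s3:::cloudaffaire-demo-bucket"
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_BUCKET = {"Statement": [{"Sid": "deny-access", "Effect": "Deny", "Action": "*",
               "Principal": {"AWS": USER}, "Resource": [BUCKET + "/*", BUCKET]}]}
IP_ALLOW = {"Statement": [{"Effect": "Allow", "Principal": {"AWS": USER}, "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::examplebucket/*", "Condition": {
            "IpAddress": {"aws:SourceIp": "192.168.143.0/24"},
            "NotIpAddress": {"aws:SourceIp": "192.168.143.188/32"}}}]}
```

Calling evaluate(ADMIN, DENY_BUCKET, USER, "s3:ListBucket", BUCKET, "10.0.0.1") returns "Deny" even though ADMIN allows everything, while the same request against any other bucket returns "Allow".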
https://docs.aws.amazon.com/s3/index.html?id=docs_gateway#lang/en_us
https://docs.aws.amazon.com/iam/index.html#lang/en_us
To avoid incurring any cost, delete the bucket once the demo is completed.
Hope you have enjoyed this article. In the next blog post, we are going to discuss ACLs, or Access Control Lists, in S3.