{"id":1671,"date":"2019-01-29T11:57:36","date_gmt":"2019-01-29T11:57:36","guid":{"rendered":"http:\/\/wiki.thomasandsofia.com\/?p=1671"},"modified":"2019-02-05T11:10:18","modified_gmt":"2019-02-05T11:10:18","slug":"s3-bucket-policies","status":"publish","type":"post","link":"https:\/\/wiki.thomasandsofia.com\/?p=1671","title":{"rendered":"S3 Bucket Policies"},"content":{"rendered":"<p><a href=\"http:\/\/wiki.thomasandsofia.com\/2018\/08\/20\/aws-certified-solutions-architect-professional-overview\/\">Main Menu<\/a><\/p>\n<h1>Menu<\/h1>\n<ul>\n<li>S3 Bucket Policies\n<ul>\n<li>Bucket Policy Document \u2013 Condition based on IP Address<\/li>\n<\/ul>\n<\/li>\n<li>Cross Account S3 Bucket Configuration\n<ul>\n<li>Document \u2013 Cross Account S3\u00a0 Bucket Policy<\/li>\n<\/ul>\n<\/li>\n<li>Canned ACL Bucket Policies<\/li>\n<\/ul>\n<h1>S3 Bucket Policies<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13308262?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13308262?start=0<\/a><\/p>\n<h2>Overview<\/h2>\n<ul>\n<li>One limitation of IAM is that it is generally restricted to the principles like the user\/group\/roles within an AWS account.<\/li>\n<li>S3 buckets are often used by external entities so we need more granular permissions.\n<ul>\n<li>This granularity cannot be achieved using IAM.<\/li>\n<\/ul>\n<\/li>\n<li>S3 Bucket policies are attached directly to the S3 buckets.<\/li>\n<\/ul>\n<h2>Examples<\/h2>\n<ul>\n<li>S3 is often used to host publicly accessible websites, documents, media files, etc.<\/li>\n<li>With standard controls, you can set a bucket as\n<ul>\n<li>private: not accessible by anyone<\/li>\n<li>public: accessible by everyone<\/li>\n<\/ul>\n<\/li>\n<li>With bucket policies, you can allow access from an IP or range of IPs, even though the overall policy is private.<\/li>\n<\/ul>\n<h1>Bucket 
Policy Document \u2013 Condition based on IP Address<\/h1>\n<ul>\n<li>Use the correct ARN<\/li>\n<li>Edit the CIDR notation as required.<\/li>\n<li>Bucket &gt; Permissions &gt; [ Bucket Policy ]<\/li>\n<\/ul>\n<pre>{\r\n  \"Version\": \"2012-10-17\",\r\n  \"Id\": \"S3PolicyId1\",\r\n  \"Statement\": [\r\n    {\r\n      \"Sid\": \"IPAllow\",\r\n      \"Effect\": \"Allow\",\r\n      \"Principal\": \"*\",\r\n      \"Action\": \"s3:*\",\r\n      \"Resource\": \"arn:aws:s3:::examplebucket\/*\",\r\n      \"Condition\": {\r\n         \"IpAddress\": {\"aws:SourceIp\": \"54.240.143.0\/24\"}\r\n      }\r\n    }\r\n  ]\r\n}\r\n<\/pre>\n<h1>Cross Account S3 Bucket Configuration<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13308266?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13308266?start=0<\/a><\/p>\n<h2>Overview<\/h2>\n<ul>\n<li>It is common to use S3 buckets that require access from different accounts.<\/li>\n<li>Example:\n<ul>\n<li>ORG has two AWS accounts.\n<ul>\n<li>Acct A has the S3 buckets<\/li>\n<li>Acct B has EC2 instances\n<ul>\n<li>These EC2 instances need to periodically back up all their data to an S3 bucket in Acct A.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>How do you do this?<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h2>Demo<\/h2>\n<pre>{\r\n  \"Version\": \"2012-10-17\",\r\n  \"Statement\": [\r\n    {\r\n      \"Sid\": \"111\",\r\n      \"Effect\": \"Allow\",\r\n      \"Principal\": {\r\n         \"AWS\": \"arn:aws:iam::AccountNumberOfAcctB:root\"\r\n      },\r\n      \"Action\": [\r\n         \"s3:*\"\r\n      ],\r\n      \"Resource\": \"arn:aws:s3:::examplebucket\/*\"\r\n    }\r\n  ]\r\n}\r\n<\/pre>\n<h3>IMPORTANT!!<\/h3>\n<ul>\n<li>The above policy will only grant access to the contents of the bucket (files, folders, etc.) 
and not to the bucket itself because of the &#8216;\/*&#8217;.\n<ul>\n<li>&#8220;Resource&#8221;: &#8220;arn:aws:s3:::examplebucket<strong>\/*<\/strong>&#8220;<\/li>\n<\/ul>\n<\/li>\n<li>To be able to list the contents of the bucket, you need to add just the bucket as a resource:\n<ul>\n<li>&#8220;Resource&#8221;: [\n<ul>\n<li>&#8220;arn:aws:s3:::examplebucket&#8221;,<\/li>\n<li>&#8220;arn:aws:s3:::examplebucket\/*&#8221;,<\/li>\n<\/ul>\n<\/li>\n<li>]<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1>Document \u2013 Cross Account S3\u00a0 Bucket Policy<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13439776?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13439776?start=0<\/a><\/p>\n<pre>{\r\n    \"Version\": \"2012-10-17\",\r\n    \"Statement\": [\r\n        {\r\n            \"Sid\": \"111\",\r\n            \"Effect\": \"Allow\",\r\n            \"Principal\": {\r\n                \"AWS\": \"arn:aws:iam::453314488441:root\"\r\n            },\r\n            \"Action\": \"s3:*\",\r\n            \"Resource\": [\r\n                \"arn:aws:s3:::kplabs-demo-crossover\",\r\n                \"arn:aws:s3:::kplabs-demo-crossover\/*\"\r\n            ]\r\n        }\r\n    ]\r\n}\r\n<\/pre>\n<h1>Canned ACL (Access Control List)<\/h1>\n<p><a href=\"https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13439776?start=0\" target=\"_blank\" rel=\"noopener\">https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13439776?start=0<\/a><\/p>\n<h2>Understanding S3 Access Routes<\/h2>\n<ul>\n<li>Every bucket and its objects have an ACL associated with them.<\/li>\n<li>When a request is received, AWS S3 will check against the attached ACL to either allow or block access to that specific object.<\/li>\n<li>When we create a bucket or an object, AWS S3, by default, 
will grant the <strong>resource owner<\/strong> full control over the resource.\n<ul>\n<li>Resource Owner = User that uploaded the file.<\/li>\n<li>This is NOT necessarily the bucket owner<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<pre>aws s3api get-object-acl --bucket bucket-name --key fileName.txt --profile accountA<\/pre>\n<pre>...\r\n   \"Permission\": \"FULL_CONTROL\"\r\n...<\/pre>\n<ul>\n<li>Because of the object&#8217;s ACL, the above command must be run as the resource owner of the file (the person that uploaded the file)<\/li>\n<\/ul>\n<h2>Canned ACL<\/h2>\n<ul>\n<li>AWS supports sets of pre-defined grants known as Canned ACLs<\/li>\n<li>Each canned ACL has a set of predefined permissions associated with it<\/li>\n<li>These canned ACLs can be specified in the request using the x-amz-acl header.<\/li>\n<\/ul>\n<table>\n<tbody>\n<tr>\n<th>ACL Name<\/th>\n<th>Description<\/th>\n<\/tr>\n<tr>\n<td>Private<\/td>\n<td>Owner gets FULL_CONTROL. No one else will have access rights (Default)<\/td>\n<\/tr>\n<tr>\n<td>Public-read<\/td>\n<td>Owner has FULL_CONTROL. All others get public read permissions.<\/td>\n<\/tr>\n<tr>\n<td>Bucket-owner-read<\/td>\n<td>Owner of the object has FULL_CONTROL. 
Bucket owner will get read permissions.<\/td>\n<\/tr>\n<tr>\n<td>Bucket-owner-full-control<\/td>\n<td>Both the bucket owner and object owner get FULL_CONTROL over the object.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<pre>aws s3 cp test.doc s3:\/\/bucket-name\/ --acl bucket-owner-full-control --profile crossAccountUser<\/pre>\n<p><strong><span style=\"color: #ff0000;\">* This must be applied by the file uploader!!<\/span><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Main Menu Menu S3 Bucket Policies Bucket Policy Document \u2013 Condition based on IP Address Cross Account S3 Bucket Configuration Document \u2013 Cross Account S3\u00a0 Bucket Policy Canned ACL Bucket Policies S3 Bucket Policies https:\/\/www.udemy.com\/aws-certified-solutions-architect-professional\/learn\/v4\/t\/lecture\/13308262?start=0 Overview One limitation of IAM is that it is generally restricted to the principals (users, groups and roles) within an AWS ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.thomasandsofia.com\/?p=1671\" title=\"read more...\">Read 
more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,38],"tags":[],"class_list":["post-1671","post","type-post","status-publish","format-standard","hentry","category-amazon-web-services-aws","category-certified-solutions-architect-professional"],"_links":{"self":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1671","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1671"}],"version-history":[{"count":13,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1671\/revisions"}],"predecessor-version":[{"id":1687,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=\/wp\/v2\/posts\/1671\/revisions\/1687"}],"wp:attachment":[{"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.thomasandsofia.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}