Amazon S3 access control and permissions

There are three ways to control access to an S3 bucket and its objects:

  1. Using bucket policies (resource-based policies attached to the bucket).
  2. Using Access Control Lists (ACLs) on the bucket or on individual objects.
  3. Using user policies (IAM identity-based policies attached to users, groups or roles).

ACLs are the legacy mechanism and are rarely the right tool. Object ACLs matter only when objects are not owned by the bucket owner, i.e. they were uploaded by another account; that account owns the objects, and the bucket owner cannot manage them through its own policies unless the object owner writes an object ACL granting it permission. The only recommended use of a bucket ACL is to grant the Amazon S3 Log Delivery group write permission so it can deliver server access logs to your bucket. Newer buckets can disable ACLs altogether by setting Object Ownership to "bucket owner enforced", which makes the bucket owner own every object and leaves policies as the only access-control mechanism.

You can also put users in an IAM group and attach the policy to the group rather than to each user individually.

Bucket policies are limited to 20 KB. Identity-based policies have their own, smaller limits (an inline policy on a user, for example, is capped at 2,048 characters), so long lists of users or resources belong in the bucket policy rather than in user policies.

User policy to allow S3 bucket listing and getting, putting and deleting objects

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingAllBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowListingObjectsInABucket",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::studytrails-s3-course"
        },
        {
            "Sid": "AllowDownloadUploadDelete",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::studytrails-s3-course/*"
        }
    ]
}

The user policy above has three statements. The first lets the user list all buckets (s3:ListAllMyBuckets only makes sense with Resource "*"), the second lets the user list the objects in the bucket studytrails-s3-course, and the third lets the user get, put and delete objects in it. Note the two different resource forms: s3:ListBucket is a bucket-level action and is granted on the bucket ARN without /*, while s3:GetObject, s3:PutObject and s3:DeleteObject are object-level actions and are granted on the bucket ARN with /*. Mixing these up is the most common reason such a policy silently fails, because a statement whose resource cannot match the request is simply ignored.

Bucket policy to deny access to a bucket except to specific users

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "S3:*",
            "Resource": [
                "arn:aws:s3:::studytrails-s3-course",
                "arn:aws:s3:::studytrails-s3-course/*"
            ],
            "Condition": {
                "StringNotLike": {
                    "aws:userId": [
                        "3812xxx91xxx",
                        "AIDAVxxxxxxxD3BS47ZLR"
                    ]
                }
            }
        }
    ]
}

This policy denies every S3 action on the bucket and its objects to any principal whose aws:userId does not match one of the listed values: the root user of the bucket's own account (whose aws:userId is the account number, 3812xxx91xxx) and one IAM user identified by its unique ID (AIDAVxxxxxxxD3BS47ZLR). Keep the account root in that list. An explicit Deny in a bucket policy also applies to IAM administrators of the bucket owner's account, and if you lock them out only the root user can remove the policy, since the root user is always allowed to delete a bucket policy even when the policy denies it. StringNotLike rather than StringNotEquals lets you add assumed-role sessions with a wildcard such as AROAxxxxxxxxxxxxxxxxx:*, because the aws:userId of an assumed role is the role's unique ID followed by a colon and the session name. To obtain a user's unique ID (the UserId field in the output) use this command; aws sts get-caller-identity returns the same value for the identity you are currently authenticated as:

aws iam get-user --user-name studytrails

Bucket policy to allow cross account access

{
    "Version": "2012-10-17",
    "Statement": [
        
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::43157xxxxxxx:root"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::studytrails-s3-course"
        }
    ]
}

The policy above grants account 43157xxxxxxx permission to list the bucket owned by account 3812xxx91xxx. The principal arn:aws:iam::43157xxxxxxx:root stands for the whole account, not just its root user, but on its own it gives nobody in that account access: cross-account access needs an Allow on both sides, so an administrator in 43157xxxxxxx must still attach an identity-based policy like the user policy in the first section of this post to the users or roles that should use it. Note also that the policy names only the bucket ARN and bucket-level actions; to let the other account read or write objects you would add the object-level actions on arn:aws:s3:::studytrails-s3-course/* as well, and any objects it uploads will be owned by that account unless Object Ownership is set to bucket owner enforced.
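To make the evaluation rules behind the deny-except policy and the cross-account policy concrete, here is an added example, not code from the original post or from AWS: a small Python simulator that applies the user policy, the deny-except bucket policy and the cross-account bucket policy from this page to constructed requests. It models only the policy elements those three policies use (Effect, Action, Resource, Principal and a StringNotLike condition on aws:userId) and keeps the post's placeholder account IDs, user IDs and bucket name; the request values it adds, such as the user ID AIDAOTHERxxxxxxxxxxxx and the object key report.csv, are made up for the demonstration.

```python
"""Toy simulator of how IAM evaluates the policies shown on this page.

Added example: not code from the original post or from AWS. It models only
the policy-language subset those policies use (Effect, Action, Resource,
Principal and a StringNotLike condition on aws:userId). Root credentials are
not modelled, since they are not subject to identity policies. Account IDs,
user IDs and the bucket name are the post's placeholders; the requests at the
bottom are constructed inputs.
"""
from fnmatch import fnmatchcase

BUCKET_OWNER = "3812xxx91xxx"                      # account that owns the bucket (from the post)
BUCKET_ARN = "arn:aws:s3:::studytrails-s3-course"

# Identity (user) policy from the post.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListingAllBuckets", "Effect": "Allow",
         "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"], "Resource": "*"},
        {"Sid": "AllowListingObjectsInABucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": BUCKET_ARN},
        {"Sid": "AllowDownloadUploadDelete", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"], "Resource": BUCKET_ARN + "/*"},
    ],
}

# Bucket policy from the post: deny everyone except the account root and one IAM user.
DENY_EXCEPT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "S3:*",
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
        "Condition": {"StringNotLike": {"aws:userId": ["3812xxx91xxx", "AIDAVxxxxxxxD3BS47ZLR"]}},
    }],
}

# Bucket policy from the post: let another account list the bucket.
CROSS_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::43157xxxxxxx:root"},
        "Action": ["s3:GetBucketLocation", "s3:ListBucket"], "Resource": BUCKET_ARN,
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(patterns, value, ignore_case=False):
    """IAM-style matching: '*' and '?' are wildcards; action names are case-insensitive."""
    if ignore_case:
        value = value.lower()
    return any(fnmatchcase(value, p.lower() if ignore_case else p) for p in _as_list(patterns))


def _principal_matches(stmt, request):
    """'*' means every principal; an account root ARN means every principal in that account."""
    principal = stmt.get("Principal", "*")        # identity policies carry no Principal element
    if principal == "*":
        return True
    arns = _as_list(principal.get("AWS", []))
    return "*" in arns or f"arn:aws:iam::{request['account']}:root" in arns


def _condition_holds(stmt, request):
    """Only StringNotLike on aws:userId is modelled, as used by the deny policy above."""
    condition = stmt.get("Condition")
    if not condition:
        return True
    patterns = condition.get("StringNotLike", {}).get("aws:userId")
    if patterns is None:
        raise ValueError("condition operator not modelled by this example")
    return not _glob(patterns, request["userId"])


def _applies(stmt, request):
    return (_principal_matches(stmt, request)
            and _glob(stmt["Action"], request["action"], ignore_case=True)
            and _glob(stmt["Resource"], request["resource"])
            and _condition_holds(stmt, request))


def is_allowed(request, identity_policy, bucket_policy):
    """Decide one S3 request; request = {account, userId, action, resource}.

    1. An explicit Deny in any applicable statement wins.
    2. Caller in the bucket owner's account: an Allow in either policy suffices.
    3. Caller in another account: the bucket policy AND the caller's own identity
       policy must both Allow (the delegation step described in the post).
    4. Anything else is an implicit deny.
    """
    identity = [s["Effect"] for s in identity_policy["Statement"] if _applies(s, request)]
    bucket = [s["Effect"] for s in bucket_policy["Statement"] if _applies(s, request)]
    if "Deny" in identity + bucket:
        return False
    if request["account"] == BUCKET_OWNER:
        return "Allow" in identity + bucket
    return "Allow" in bucket and "Allow" in identity


def make_request(account, user_id, action, resource):
    return {"account": account, "userId": user_id, "action": action, "resource": resource}


if __name__ == "__main__":
    listed = make_request(BUCKET_OWNER, "AIDAVxxxxxxxD3BS47ZLR", "s3:GetObject", BUCKET_ARN + "/report.csv")
    other = make_request(BUCKET_OWNER, "AIDAOTHERxxxxxxxxxxxx", "s3:GetObject", BUCKET_ARN + "/report.csv")
    remote = make_request("43157xxxxxxx", "AIDAREMOTExxxxxxxxxxx", "s3:ListBucket", BUCKET_ARN)
    print("listed user GetObject  :", is_allowed(listed, USER_POLICY, DENY_EXCEPT_POLICY))   # True
    print("other user GetObject   :", is_allowed(other, USER_POLICY, DENY_EXCEPT_POLICY))    # False
    print("remote account ListBucket:", is_allowed(remote, USER_POLICY, CROSS_ACCOUNT_POLICY))  # True
```

Running it shows the two traps described above: an unlisted user in the bucket owner's account is explicitly denied even though the user policy allows the action, and the remote account can list the bucket only once its own identity policy also allows s3:ListBucket, while still being unable to fetch objects because the cross-account bucket policy names only the bucket ARN.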
