
【Introduction to AWS】Access Control by S3 Bucket Policy - PrismScaler

1. Introduction

Hello! We are a writer team from Definer Inc. In AWS S3 (Simple Storage Service), a bucket policy is a JSON-based access control policy attached to a bucket. It lets you manage access to the bucket at a granular level, specifying who can perform which actions on the bucket and the objects within it. In this article we look at access control with S3 bucket policies, walking through the actual screens and resources.

2. Purpose/Use Cases

The purpose of a bucket policy is to control access to your S3 bucket and its contents. It provides a fine-grained access control mechanism that goes beyond the basic access permissions granted by AWS Identity and Access Management (IAM) policies. Here are some key purposes of using bucket policies:

(1) Granting Cross-Account Access
(2) Restricting Access by IP Address
(3) Configuring Permissions for Specific Actions
(4) Enforcing Encryption and Secure Transfer
(5) Supporting Website Hosting
(6) Complementing IAM Policies

By utilizing bucket policies, you can implement secure and controlled access to your S3 buckets, ensuring that only authorized entities have the permissions they need to interact with the bucket and its objects. This lets you tailor access control to specific requirements and helps maintain data privacy, integrity, and compliance.

3. S3 access control options

First, we will review the S3 bucket access control options. There are roughly four types of S3 access control methods.

1. IAM Policy

IAM (Identity and Access Management) policies are widely used for access control in AWS and can be attached to various AWS resources, including S3. IAM policies define permissions in a JSON format policy document. You can configure individual resources and actions to allow or deny access. In the case of S3, IAM policies can be attached to IAM roles used by EC2 instances, Lambda functions, or other AWS services. These policies define the level of access and permissions that the associated AWS resource has for interacting with S3. IAM policies allow for fine-grained control over access at the user, group, or resource level. For S3, IAM policies can be used to restrict access per folder or file within a bucket, enabling you to define specific permissions for different parts of your S3 bucket structure.

2. Bucket Policy

Bucket policies are used to control access for an entire S3 bucket. Access permissions are defined in a JSON format policy document, allowing for highly customizable access management. Bucket policies enable you to grant access to other AWS accounts, allowing cross-account access. They are the primary method for managing access to S3 buckets and provide a wide range of configuration options. With bucket policies, you can define access controls at the bucket level, including permissions for actions like GetObject, PutObject, DeleteObject, or ListBucket. This allows you to grant or restrict access to specific actions for different AWS identities (users, groups, or roles) within your account or in other AWS accounts. Bucket policies are commonly used for scenarios where you need granular control over access to an entire bucket or when you want to allow cross-account access to your S3 resources.

3. Access Control List (ACL)

ACLs provide access control on a bucket or object basis in S3. They allow you to define access permissions for individual AWS identities (users, groups, or roles) or predefined canned ACLs (e.g., private, public-read, public-read-write) directly on the bucket or object. ACLs are easier to set up than IAM policies or bucket policies but are less flexible for fine-grained access control. However, it's important to note that if a Deny statement is specified in an IAM policy or bucket policy, it takes precedence over the permissions defined in ACLs. Due to the limitations and complexities associated with managing ACLs, they are not commonly used for access control in S3 and are typically used in combination with IAM policies or bucket policies.

4. Public Access Block

The Public Access Block feature helps prevent accidental public access to S3 buckets. It is enabled by default and provides an additional layer of security by blocking public access to the bucket and its contents. Public access includes access from anonymous users and from authenticated users who do not have explicit permissions to access the bucket. If you want to make an S3 bucket public, you need to disable the Public Access Block feature explicitly. This feature helps mitigate the risk of unintentional exposure of sensitive data.

It's important to choose the appropriate access control method based on your requirements and security considerations. IAM policies and bucket policies are typically recommended for fine-grained access control and for managing access to S3 resources in a more flexible and scalable manner.

4. S3 bucket policy implementation

Now let's implement access control using a bucket policy.

(1) Creating an S3 bucket for testing

To create an S3 bucket, you can use the AWS Command Line Interface (CLI) or the AWS Management Console. The specific command may vary depending on the CLI version you are using, but the basic syntax is as follows:

## Command to create S3
aws s3api create-bucket \
    --bucket test-bucketpolicy-xxxxxxx \
    --create-bucket-configuration LocationConstraint=ap-northeast-1

(2) Confirmation of upload

Once the S3 bucket is created, confirm that you can upload files to it. There are multiple ways to upload files to an S3 bucket, such as the AWS Management Console, the AWS CLI, or the AWS SDKs.

(3) S3 Bucket Policy setting

To configure the S3 bucket policy and restrict uploading to the target S3 bucket, follow these steps:
 - Access the AWS S3 Management Console.
 - Locate the S3 bucket for which you want to set the policy and click on its name to open the bucket details screen.
 - Click on the "Permissions" tab and then on "Bucket Policy".
 - Click on the "Edit" button to modify the bucket policy.
 - Copy and paste the JSON policy document shown below into the editor. This policy prohibits uploading to the target S3 bucket; make sure it is correctly formatted and reflects your desired access restrictions.
 - Finally, click on "Save" to save the bucket policy.

(4) Confirmation that the upload will fail

After setting the bucket policy to prohibit uploading, any attempt to upload a new file to the S3 bucket results in an access denied error. The error message indicates that you do not have the necessary permissions to upload files and folders to the S3 bucket. This is the expected behavior when the bucket policy restricts uploading: it confirms that the policy is enforced, and only users or applications with the appropriate permissions will be able to upload files to the bucket. Note that because the Deny statement names Principal "*", it also applies to the bucket owner and to administrators in the same account; an explicit Deny in the bucket policy overrides any Allow in the caller's IAM policy.

I can confirm that the S3 Bucket Policy is being applied correctly!

JSON policy document applied to the bucket policy in step (3). It denies s3:PutObject to every principal, so all uploads to the bucket fail until the policy is changed:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test-bucketpolicy-xxxxxxx/*"
        }
    ]
}

The following documents are further examples of the use cases from section 2. Each one is a complete, stand-alone bucket policy. A bucket holds only one bucket policy at a time, so to combine them, merge their Statement entries into a single document rather than pasting several documents one after another.

Grant read and write access to specific principals (replace the placeholder values with the ARNs of the IAM users or roles that should have access):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": ["test-user-arn-1", "test-user-arn-2"]
            },
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::test-bucketpolicy-xxxxxxx/*"
        }
    ]
}

Enforce encryption: deny uploads whose server-side encryption header is not SSE-S3 (AES256):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::test-bucketpolicy-xxxxxxx/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        }
    ]
}

Restrict access by IP address: deny all object actions from addresses outside 192.168.0.0/24. Because the Resource lists only objects, bucket-level actions such as s3:ListBucket are not affected; add the bucket ARN itself to the Resource to cover them. Since the Deny names Principal "*", it applies to your own account's users too, so check that the range includes the addresses you work from before saving:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test-bucketpolicy-xxxxxxx/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "192.168.0.0/24"
                }
            }
        }
    ]
}

Deny reads of objects under the private/ prefix while leaving the rest of the bucket as other statements define it:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::test-bucketpolicy-xxxxxxx/private/*"
        }
    ]
}
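To see how these statements interact, here is an added example (written for this article, not code from the article or from AWS): a small Python model of bucket-policy evaluation that merges the Allow, encryption, IP-range and private/ statements above into one document and decides sample requests. It demonstrates the rule from section 3 that an explicit Deny overrides every Allow, and that a request no statement allows is denied. The request context keys, principal ARNs and source IPs are constructed, and the evaluator models only the bucket policy and the two condition operators the article uses.

```python
import fnmatch
import ipaddress

# Constructed, simplified model of S3 bucket-policy evaluation (not AWS code):
# any matching Deny wins, otherwise a matching Allow is required. Only the
# bucket policy and the condition operators used in the article are modelled.
BUCKET = "arn:aws:s3:::test-bucketpolicy-xxxxxxx"  # bucket from the article

def _lst(x):
    return x if isinstance(x, list) else [x]

def _condition_holds(cond, ctx):
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:  # modelled: negated operators match an absent key,
                continue      # so an upload that sends no SSE header is denied
            if op == "StringNotEquals" and have in _lst(want):
                return False
            if op == "NotIpAddress" and any(ipaddress.ip_address(have)
                                             in ipaddress.ip_network(n) for n in _lst(want)):
                return False
    return True

def _applies(st, ctx):  # does this statement match the request at all?
    hit = lambda pats, val: any(fnmatch.fnmatchcase(val, p) for p in _lst(pats))
    if not (hit(st["Action"], ctx["action"]) and hit(st["Resource"], ctx["resource"])):
        return False
    if st["Principal"] != "*" and ctx["principal"] not in _lst(st["Principal"]["AWS"]):
        return False
    return _condition_holds(st.get("Condition", {}), ctx)

def evaluate(policy, ctx):
    hits = [st for st in policy["Statement"] if _applies(st, ctx)]
    if any(st["Effect"] == "Deny" for st in hits):
        return "Deny"  # an explicit Deny overrides every Allow
    return "Allow" if hits else "Deny"  # nothing allows it: implicit Deny

# The article's example statements combined into one policy document.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ["test-user-arn-1", "test-user-arn-2"]},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": BUCKET + "/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "192.168.0.0/24"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": BUCKET + "/private/*"},
]}

def decide(action, key, principal="test-user-arn-1", ip="192.168.0.10", sse=None):
    """Evaluate POLICY for one constructed request (principal, source IP, SSE header)."""
    ctx = {"action": action, "resource": f"{BUCKET}/{key}", "principal": principal,
           "aws:SourceIp": ip, **({"s3:x-amz-server-side-encryption": sse} if sse else {})}
    return evaluate(POLICY, ctx)
```

For example, decide("s3:PutObject", "a.txt", sse="AES256") returns "Allow" for a listed principal inside the IP range, while the same upload from 203.0.113.7 or without the encryption header returns "Deny".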

5. Cited/Referenced Articles

6. About the proprietary solution "PrismScaler"

・PrismScaler is a web service that enables the construction of multi-cloud infrastructures such as AWS, Azure, and GCP in just three steps, without requiring development and operation work.
・The solution is designed for a wide range of usage scenarios such as cloud infrastructure construction and cloud migration, cloud maintenance and operation, and cost optimization, and can easily realize several hundred high-quality general-purpose cloud infrastructures by appropriately combining IaaS and PaaS.

7. Contact us

This article provides useful introductory information free of charge. For consultation and inquiries, please contact "Definer Inc".

8. Regarding Definer

・Definer Inc. provides one-stop solutions from upstream to downstream of IT.
・We are committed to providing integrated support for advanced IT technologies such as AI and cloud IT infrastructure, from consulting to requirement definition, design, development, implementation, maintenance, and operation.
・PrismScaler provides high-quality, rapid "auto-configuration," "auto-monitoring," "problem detection," and "configuration visualization" for multi-cloud/IT infrastructure such as AWS, Azure, and GCP.