Controlling access to S3 buckets
Controlling access to S3 buckets through policies and IAM roles is crucial for maintaining the security and integrity of your objects and data stored in Amazon S3. By defining granular permissions and access controls, you can ensure that only authorized users or services have the necessary privileges to interact with your S3 resources. You can restrict permissions according to your requirements by precisely defining who can access your data, what actions they can take, and under what conditions. This fine-grained access control helps protect sensitive data, prevent unauthorized modifications, and mitigate the risk of accidental or malicious actions.
AWS Identity and Access Management (IAM) allows you to create an entity referred to as an IAM identity, which is granted specific actions on your AWS account. This entity can be a person or an application. You can create this identity as an IAM role, which is designed to be attached to any entity that needs it. Alternatively, you can create IAM users, which represent individual people and are usually used for granting long-term access to specific users. IAM users can be grouped into an IAM group, allowing permissions to be assigned at the group level and inherited by all member users. IAM policies are sets of permissions that can be attached to the IAM identity to grant specific access rights.
In this recipe, we will learn how to create a policy so that we can view all the buckets in the account, give read access to one specific bucket content, and then give write access to one of its folders.
Getting ready
For this recipe, you need to have an IAM user, role, or group to which you want to grant access. You also need to have an S3 bucket with a folder to grant access to.
To learn how to create IAM identities, go to https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html.
How to do it…
- Sign in to the AWS Management Console (https://console.aws.amazon.com/console/home?nc2=h_ct&src=header-signin) and navigate to the IAM console.
- Choose Policies from the navigation pane on the left and choose Create policy.
- Choose the JSON tab to provide the policy in JSON format and replace the existing JSON with this policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListBuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowBucketListing",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>"
            ]
        },
        {
            "Sid": "AllowFolderAccess",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>/<folder-name>/*"
            ]
        }
    ]
}
- Provide a policy name and, optionally, a description of the policy in the respective fields.
- Click on Create Policy.
Now, you can attach this policy to an IAM role, user, or group. However, exercise caution and ensure access is granted only as necessary; avoid providing admin access policies to regular users.
How it works…
An IAM policy comprises three key elements:
- Effect: This specifies whether the policy allows or denies access
- Action: This details the specific actions being allowed or denied
- Resource: This identifies the resources to which the actions apply
A single statement can apply multiple actions to multiple resources. In this recipe, we’ve defined three statements:
- The AllowListBuckets statement gives access to list all buckets in the AWS account
- The AllowBucketListing statement gives access to list the content of a specific S3 bucket
- The AllowFolderAccess statement gives access to upload, download, and delete objects in a specific folder
There’s more…
If you want to make sure that no access is given to a specific bucket or object in your bucket, you can use a deny statement, as shown here:
{
    "Sid": "DenyListBucketFolder",
    "Effect": "Deny",
    "Action": [
        "s3:*"
    ],
    "Resource": [
        "arn:aws:s3:::<bucket-name>/<folder-name>/*"
    ]
}
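To see how the three Allow statements from How it works… and the Deny statement above combine, here is a small added evaluator (example code written for this page, not from the recipe or AWS). It models only the core IAM decision rules and uses constructed bucket and folder names in place of the placeholders.

```python
# Added example, not part of the recipe. A minimal evaluator for the recipe's
# statements modelling the core IAM rules only: implicit deny by default, an
# Allow grants, an explicit Deny overrides any Allow (no conditions/principals).
import fnmatch

BUCKET = "arn:aws:s3:::example-bucket"       # constructed placeholder name
FOLDER = BUCKET + "/reports/*"               # constructed placeholder folder

# The three statements from the recipe, with the placeholders filled in.
RECIPE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListBuckets", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        {"Sid": "AllowBucketListing", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [BUCKET]},
        {"Sid": "AllowFolderAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [FOLDER]},
    ],
}

# A deny statement shaped like the one under "There's more", scoped to a
# sub-folder of the folder the recipe allows.
DENY_SUBFOLDER = {"Sid": "DenyListBucketFolder", "Effect": "Deny",
                  "Action": ["s3:*"],
                  "Resource": [BUCKET + "/reports/secret/*"]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, target):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))

def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny always wins
            decision = "Allow"
    return decision

def with_statement(policy, statement):
    """Return a copy of policy with one more statement appended."""
    return {**policy, "Statement": policy["Statement"] + [statement]}
```

Note that the Deny matches object ARNs only, so s3:ListBucket on the bucket ARN is still allowed; hiding the folder from listings as well requires a separate Deny on s3:ListBucket against the bucket ARN.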
Instead of using an IAM policy to set up permissions to your bucket, you can use S3 bucket policies. These can be found in the Permissions tab of the bucket. Bucket policies are attached to the bucket itself rather than to an identity, so they are the right tool when you want to set up access at the bucket level, regardless of which IAM role or user is making the request.
See also
- AWS provides a set of policies that are managed and administered by AWS, all of which can be used for many common use cases. You can learn more about these policies at https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-iam-awsmanpol.html.
- To learn how to set up cross-account access to S3 buckets, go to https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html.