In Amazon S3, buckets and objects are private by default: only the resource owner, the AWS account that created the resource, can access it. Private-by-default keeps the access-control model simple and secure, because any other access has to be granted explicitly and at the granularity you choose. The resource owner can optionally grant access permissions to others by writing an access policy.
Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies.
You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources.
Resource-based policies are access policies you attach to your resources (buckets and objects); bucket policies and access control lists (ACLs) are both resource-based policies.
Bucket and object permissions are independent of each other. An object does not inherit the permissions of its bucket. For example, if you create a bucket and grant write access to another account, you cannot read the objects that account uploads unless it explicitly grants you access. Note that this is the classic behaviour with ACLs enabled; with the S3 Object Ownership setting BucketOwnerEnforced (the default for new buckets since April 2023), ACLs are disabled, the bucket owner owns every object, and the bucket policy alone governs access.
Each bucket and object has an ACL associated with it. An ACL is a list of grants, each identifying a grantee and the permission granted. You use ACLs to grant basic read/write permissions to other AWS accounts. ACLs use an Amazon S3-specific XML schema.
The default ACL on a newly created bucket contains a single grant giving the bucket owner FULL_CONTROL. A grant to the predefined AllUsers group makes the bucket or object publicly accessible, so public-group grants are the first thing to look for when auditing an ACL.
For your bucket, you can add a bucket policy to grant other AWS accounts or IAM users permissions for the bucket and the objects in it. Object permissions granted in a bucket policy apply only to objects the bucket owner owns. Bucket policies supplement, and in many cases replace, ACL-based access policies.
You express a bucket policy (and a user policy) as a JSON document. A common example is a bucket policy with a single statement whose Effect is Allow, whose Principal is "*" (anonymous), whose Action is s3:GetObject (read permission), and whose Resource is every object in the bucket. Such a policy makes the entire contents of the bucket publicly readable, which is exactly the kind of statement you want to detect before it reaches production.
Bucket policies are limited to 20 KB in size.
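The following Python check is an added example, not code from the original page or from AWS. It implements the two audits the preceding paragraphs motivate: it parses an S3 ACL document and reports grants to the public AllUsers and AuthenticatedUsers groups, and it scans a bucket policy for Allow statements with an anonymous Principal and checks the policy against the 20 KB limit. The ACL document and the bucket policy are constructed samples; the bucket name example-bucket, the Sid and the canonical IDs are placeholders.

```python
import json
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
# Predefined S3 groups whose presence in a grant means "public"
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
BUCKET_POLICY_LIMIT = 20 * 1024  # 20 KB limit stated in the text

# Constructed sample ACL: the owner's FULL_CONTROL grant plus a public READ grant
SAMPLE_ACL = """<?xml version="1.0" encoding="UTF-8"?>
<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Owner><ID>owner-canonical-id</ID><DisplayName>owner</DisplayName></Owner>
  <AccessControlList>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
        <ID>owner-canonical-id</ID><DisplayName>owner</DisplayName>
      </Grantee>
      <Permission>FULL_CONTROL</Permission>
    </Grant>
    <Grant>
      <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="Group">
        <URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>
      </Grantee>
      <Permission>READ</Permission>
    </Grant>
  </AccessControlList>
</AccessControlPolicy>"""

# Constructed sample: the anonymous-read bucket policy described in the text
# (placeholder bucket name and Sid)
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnonymousRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}


def acl_public_grants(acl_xml):
    """Return (permission, group) for every grant made to a public S3 group."""
    root = ET.fromstring(acl_xml)
    findings = []
    for grant in root.iter(S3_NS + "Grant"):
        uri = grant.findtext(f"{S3_NS}Grantee/{S3_NS}URI")  # only Group grantees have a URI
        perm = grant.findtext(S3_NS + "Permission")
        if uri in PUBLIC_GROUPS:
            findings.append((perm, PUBLIC_GROUPS[uri]))
    return findings


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_public_statements(policy):
    """Return the Sid (or index) of each Allow statement with an anonymous Principal.
    Statements carrying a Condition are still reported: a Condition can narrow the
    grant (for example to one VPC endpoint), so they need manual review, not a pass."""
    public = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal")):
            public.append(stmt.get("Sid", f"statement[{i}]"))
    return public


def policy_within_size_limit(policy):
    """S3 rejects bucket policies larger than 20 KB; check the serialized size."""
    return len(json.dumps(policy).encode("utf-8")) <= BUCKET_POLICY_LIMIT


if __name__ == "__main__":
    print("public ACL grants:", acl_public_grants(SAMPLE_ACL))
    print("public policy statements:", policy_public_statements(SAMPLE_POLICY))
    print("policy within size limit:", policy_within_size_limit(SAMPLE_POLICY))
```

In practice you would feed these functions the output of GetBucketAcl and GetBucketPolicy for every bucket in the account; a non-empty result from either function means the bucket is reachable without credentials or by any AWS customer and deserves an immediate look.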
You can also use IAM to manage access to your Amazon S3 resources. You create IAM users, groups, and roles in your account and attach access policies to them, granting them access to AWS resources, including Amazon S3. These identity-based policies are the user policies referred to above.
In its most basic sense, a policy contains the following elements:
- Resources – Buckets and objects are the Amazon S3 resources for which you can allow or deny permissions. In a policy, you use the Amazon Resource Name (ARN) to identify the resource. Bucket-level actions are matched against the bucket ARN (arn:aws:s3:::bucket), while object-level actions are matched against object ARNs (arn:aws:s3:::bucket/key or arn:aws:s3:::bucket/*); a statement that lists only one of the two silently fails to cover the other.
- Actions – For each resource, Amazon S3 supports a set of operations. You identify the operations that you will allow (or deny) by using action keywords. For example, the s3:ListBucket permission allows the Amazon S3 GET Bucket (List Objects) operation.
- Effect – What the effect will be when the user requests the specific action; this can be either Allow or Deny. If no policy explicitly grants access to (allows) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do to make sure that a user cannot access it even if a different policy grants access: an explicit Deny always overrides an Allow, regardless of which policy contains it.
- Principal – The account or user who is allowed access to the actions and resources in the statement. In a bucket policy, the principal is the user, account, service, or other entity that is the recipient of the permission. A user policy has no Principal element, because the principal is implicitly the user, group, or role the policy is attached to.
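To make the evaluation rules above concrete, here is an added example, not code from the original page or from AWS: a deliberately simplified policy evaluator that applies the three rules the list describes (default deny, Allow only when a statement matches the action and resource, and an explicit Deny overriding any Allow), with IAM-style wildcard matching on actions and resource ARNs and a Principal check for bucket-policy statements. The policy documents are constructed samples with the placeholder bucket name example-bucket. Assumed simplifications: NotAction, NotResource, Condition elements and non-AWS principal types (Service, Federated) are not handled, so the result is illustrative of the precedence rules rather than a substitute for the IAM policy simulator.

```python
import fnmatch


def _as_list(value):
    """Action, Resource and Principal.AWS may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style glob match: '*' is any run of characters, '?' a single character."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, caller):
    """Identity policies carry no Principal and apply to whoever they are attached to.
    Bucket-policy statements apply if Principal is "*" or names the caller's ARN."""
    principal = stmt.get("Principal")
    if principal is None:
        return True
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = _as_list(principal.get("AWS", []))
        return "*" in aws or caller in aws
    return False  # Service/Federated principals are an assumed omission


def evaluate(policies, action, resource, caller=None):
    """Return "Allow" or "Deny" for one request across all applicable policies.
    Rules: nothing matches -> implicit Deny; an Allow match -> Allow, unless any
    statement anywhere produces an explicit Deny, which wins immediately."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not _principal_matches(stmt, caller):
                continue
            # Action names are case-insensitive in IAM; resource ARNs are not.
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            if not _matches(actions, action.lower()):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"  # explicit deny overrides every allow
            if stmt.get("Effect") == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when no statement allows


# Constructed sample: identity policy granting read-only access to one bucket.
# Note the two Resource entries: the bucket ARN for ListBucket, "bucket/*" for GetObject.
READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# Constructed sample: explicit deny carving a prefix out of the grant above
DENY_SECRETS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/secrets/*",
    }],
}

# Constructed sample: bucket policy with an anonymous Principal
PUBLIC_READ_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/public/report.txt"
    secret = "arn:aws:s3:::example-bucket/secrets/key.pem"
    print("read public object:", evaluate([READ_ONLY], "s3:GetObject", obj))
    print("write object (no allow):", evaluate([READ_ONLY], "s3:PutObject", obj))
    print("read secret (explicit deny):", evaluate([READ_ONLY, DENY_SECRETS], "s3:GetObject", secret))
    print("anonymous read via bucket policy:",
          evaluate([PUBLIC_READ_BUCKET_POLICY], "s3:GetObject", obj, caller="anonymous"))
```

The order of the policies in the list does not matter: the explicit Deny in DENY_SECRETS wins whether it is evaluated before or after the Allow in READ_ONLY, which is why a Deny statement is the reliable way to fence off a sensitive prefix even when other policies are broad.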