AWS S3 Access Management

In Amazon S3, buckets and objects are private by default. This makes access control simpler and more secure, because access to these resources is only ever granted granularly, for example to a role.

Only the resource owner (the AWS account that created the resource) can access it. The resource owner can optionally grant access permissions to others by writing an access policy.

Amazon S3 offers access policy options broadly categorized as resource-based policies and user policies. 

You may choose to use resource-based policies, user policies, or some combination of these to manage permissions to your Amazon S3 resources. 


Resource-based policies: 

Resource-based policies are access policies you attach to your resources (buckets and objects). 

Bucket and object permissions are independent of each other. An object does not inherit the permissions from its bucket. For example, if you create a bucket and grant write access to a user, you can’t access that user’s objects unless the user explicitly grants you access.

For example, bucket policies and access control lists (ACLs) are resource-based policies. 

[Figure: AWS account, S3 bucket, S3 objects, bucket ACL, object ACLs]

Object ACL:

Each bucket and object has an ACL associated with it. An ACL is a list of grants identifying grantee and permission granted. You use ACLs to grant basic read/write permissions to other AWS accounts. ACLs use an Amazon S3–specific XML schema. 

The following is an example bucket ACL. The grant in the ACL shows a bucket owner as having full control permission. 

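    <?xml version="1.0" encoding="UTF-8"?>
    <AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
      <Owner>
        <ID>Owner-canonical-User-ID</ID>
        <DisplayName>owner-display-name</DisplayName>
      </Owner>
      <AccessControlList>
        <Grant>
          <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:type="CanonicalUser">
            <ID>Owner-canonical-User-ID</ID>
          </Grantee>
          <Permission>FULL_CONTROL</Permission>
        </Grant>
      </AccessControlList>
    </AccessControlPolicy>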

Bucket ACL:

For your bucket, you can add a bucket policy to grant other AWS accounts or IAM users permissions for the bucket and the objects in it. Any object permissions apply only to the objects that the bucket owner creates. Bucket policies supplement, and in many cases, replace ACL-based access policies. 

The following is an example bucket policy. You express a bucket policy (and a user policy) as a JSON document.

The policy grants anonymous read permission on all objects in a bucket. The bucket policy has one statement, which allows the s3:GetObject action (read permission) on objects in a bucket.   

Bucket policy for arn:aws:s3:::myfirstbucket-ns:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::myfirstbucket-ns/*"
        }
      ]
    }

Bucket policies are limited to 20 KB in size.

User policies 

You can use IAM to manage access to your Amazon S3 resources.

You can create IAM users, groups, and roles in your account and attach access policies to them granting them access to AWS resources, including Amazon S3. 

    {
      "Version": "2012-10-17",
      "Id": "ExamplePolicy01",
      "Statement": [
        {
          "Sid": "ExampleStatement01",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::Account-ID:user/Dave"
          },
          "Action": [
            "s3:GetObject",
            "s3:GetBucketLocation",
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::examplebucket/*",
            "arn:aws:s3:::examplebucket"
          ]
        }
      ]
    }

In its most basic sense, a policy contains the following elements: 

  • Resources – Buckets and objects are the Amazon S3 resources for which you can allow or deny permissions. In a policy, you use the Amazon Resource Name (ARN) to identify the resource. 
  • Actions – For each resource, Amazon S3 supports a set of operations. You identify the resource operations that you will allow (or deny) by using action keywords.
    For example, the s3:ListBucket permission allows the user to perform the Amazon S3 GET Bucket (List Objects) operation.
  • Effect – What the effect will be when the user requests the specific action—this can be either allow or deny. 
    If you do not explicitly grant access to (allow) a resource, access is implicitly denied. You can also explicitly deny access to a resource, which you might do in order to make sure that a user cannot access it, even if a different policy grants access. 
  • Principal – The account or user who is allowed access to the actions and resources in the statement. In a bucket policy, the principal is the user, account, service, or other entity who is the recipient of this permission. 
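
The Effect rules above (access is implicitly denied unless a statement allows it, and an explicit deny wins over any allow) can be traced with a small evaluator. This is an added example, not AWS's implementation or code from the original post: it ignores Condition, NotAction, NotResource and cross-account rules, reuses the example policy for user Dave, and adds a constructed Deny statement on a hypothetical secret/ prefix.

```python
import fnmatch

# Example policy from this page (Account-ID is the page's placeholder).
DAVE = "arn:aws:iam::Account-ID:user/Dave"
ALLOW_DAVE = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ExampleStatement01", "Effect": "Allow",
    "Principal": {"AWS": DAVE},
    "Action": ["s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::examplebucket/*", "arn:aws:s3:::examplebucket"]}]}

# Constructed for this example: explicit deny on a hypothetical prefix.
DENY_SECRET = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::examplebucket/secret/*"}]}


def _as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    # A bare "*" matches everyone, including anonymous callers.
    if principal == "*":
        return True
    return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))


def _matches(stmt, caller_arn, action, resource):
    # A user policy has no Principal (the attached user is implied), so a
    # missing Principal is treated as a match. Action names are compared
    # case-insensitively, resource ARNs case-sensitively.
    return (_principal_matches(stmt.get("Principal", "*"), caller_arn)
            and any(fnmatch.fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r)
                    for r in _as_list(stmt["Resource"])))


def evaluate(policies, caller_arn, action, resource):
    """Return "Deny" (explicit), "Allow", or "ImplicitDeny"."""
    decision = "ImplicitDeny"          # default when no statement matches
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _matches(stmt, caller_arn, action, resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"      # explicit deny overrides any allow
                decision = "Allow"
    return decision
```

Running `evaluate` over every policy attached to a bucket and its callers is a quick way to see which statement decides a given request before the policies are deployed.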
