S3 Bucket Permission

24 / Feb / 2014 by abhishek.tomar

Amazon's Simple Storage Service (S3) lets customers control exactly who can access their data through two mechanisms: the Identity and Access Management (IAM) service, whose policies are attached to users and roles, and S3 bucket policies, which are attached to the bucket itself. For example, with a bucket policy one user can be given read-only access to a bucket while another user is allowed to both read and write it.

We faced a similar requirement on a project a few days back: a particular IAM user needed permission to upload files to a bucket, and the uploaded files had to be publicly readable. To meet that requirement I followed the steps below.

Create an IAM user and give it read-only access to S3.

The user's IAM policy should look like the one below. Note that "Resource": "*" grants read and list access to every bucket in the account, not just the one you are about to create; if the user only needs this bucket, narrow the resource to that bucket's ARN and its objects.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

Now create the bucket and attach the following bucket policy to it.

{
   "Version":"2012-10-17",
   "Id":"Policy1391686183873",
   "Statement":[
      {
         "Sid":"Stmt1391686181884",
         "Effect":"Allow",
         "Principal":{
            "AWS":"*"
         },
         "Action":"s3:GetObject",
         "Resource":"arn:aws:s3:::<BucketName>/*"
      },
      {
         "Sid":"Stmt1391686181885",
         "Effect":"Allow",
         "Principal":{
            "AWS":"arn:aws:iam::<AccountId>:user/<UserName>"
         },
         "Action":"s3:PutObject",
         "Resource":"arn:aws:s3:::<BucketName>/*"
      }
   ]
}

The first statement lets any principal, including unauthenticated requests, fetch objects from the bucket (s3:GetObject only). The second lets one IAM user, and only that user, create objects (s3:PutObject only); it grants no delete or list permission on the bucket. Replace <BucketName>, <AccountId> (your 12-digit AWS account number) and <UserName> before applying the policy; to give the write permission to a role instead, use arn:aws:iam::<AccountId>:role/<RoleName> as the principal. A policy document is plain JSON, which does not allow comments, so keep explanations like these out of the document itself or the policy will be rejected.

Now any object the user uploads to this bucket is publicly readable, because the first statement grants s3:GetObject on every object to every principal.
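To see what the two policies above add up to before applying them, here is an added example (not code from the original post) that builds both documents and runs a deliberately simplified, allow-only policy evaluator over them. The account id, bucket name and user name are constructed placeholders, and the evaluator handles only Allow statements with AWS principals, wildcard matching and same-account evaluation; explicit Deny, Condition blocks, ACLs and cross-account rules are left out on purpose.

```python
# Added example, not code from the original post: build the two policies the
# post describes and evaluate which requests each principal ends up with.
# ACCOUNT_ID, BUCKET and USER are constructed placeholders.
import fnmatch
import json

ACCOUNT_ID = "123456789012"          # assumed 12-digit account id
BUCKET = "example-bucket"            # assumed bucket name
USER = "uploader"                    # assumed IAM user name
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/{USER}"
ANONYMOUS = "anonymous"              # marker for unauthenticated requests


def user_policy():
    """Identity policy attached to the IAM user: read/list on every bucket (Resource '*')."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
        ],
    }


def bucket_policy(bucket=BUCKET, user_arn=USER_ARN):
    """Bucket policy: public GetObject on every object, PutObject for one user only."""
    obj_arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:GetObject", "Resource": obj_arn},
            {"Sid": "UploaderWrite", "Effect": "Allow", "Principal": {"AWS": user_arn},
             "Action": "s3:PutObject", "Resource": obj_arn},
        ],
    }


def policy_json(doc):
    """Serialise a policy document to the comment-free JSON the CLI/API expects."""
    return json.dumps(doc, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_allows(stmt, principal, action, resource):
    """True if this single Allow statement matches principal, action and resource.
    IAM wildcards '*' and '?' map onto fnmatch; action names compare case-insensitively."""
    if stmt.get("Effect") != "Allow":
        return False
    if "Principal" in stmt:  # bucket policies name a principal; identity policies do not
        allowed = _as_list(stmt["Principal"].get("AWS", []))
        if "*" not in allowed and principal not in allowed:
            return False
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def is_allowed(principal, action, resource, identity_policies, bucket_doc):
    """Simplified same-account evaluation: allowed if any Allow statement in the
    bucket policy, or in the identity policies attached to a non-anonymous
    principal, matches. Deny, Condition, ACLs and cross-account rules are omitted."""
    docs = [bucket_doc]
    if principal != ANONYMOUS:
        docs.extend(identity_policies.get(principal, []))
    return any(_statement_allows(stmt, principal, action, resource)
               for doc in docs for stmt in doc["Statement"])


def effective(principal, action, resource):
    """Evaluate one request against the two policies from the post."""
    return is_allowed(principal, action, resource,
                      {USER_ARN: [user_policy()]}, bucket_policy())


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/report.pdf"
    requests = [
        (ANONYMOUS, "s3:GetObject", obj),                       # public read
        (ANONYMOUS, "s3:PutObject", obj),                       # no anonymous write
        (USER_ARN, "s3:PutObject", obj),                        # uploader may write
        (USER_ARN, "s3:DeleteObject", obj),                     # but not delete
        (USER_ARN, "s3:ListBucket", "arn:aws:s3:::other-bucket"),  # via Resource '*'
    ]
    for principal, action, resource in requests:
        print(f"{principal:45} {action:16} {resource:40} -> {effective(principal, action, resource)}")
    print(policy_json(bucket_policy()))
```

The last request in the list is the one worth noticing: the IAM policy's "Resource": "*" lets the uploader list and read every bucket in the account, which the bucket policy alone would never grant. To apply the generated documents for real, write them to files and use `aws iam put-user-policy --user-name <UserName> --policy-name S3ReadOnly --policy-document file://user-policy.json` and `aws s3api put-bucket-policy --bucket <BucketName> --policy file://bucket-policy.json`; then upload an object as the user and confirm public read with an unauthenticated `curl -I https://<BucketName>.s3.amazonaws.com/<key>`, which should return 200.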

Customers often ask for S3 buckets to be made publicly readable. I would not recommend doing so unless it is a genuine requirement; safer alternatives, such as pre-signed URLs that expire, usually serve the same purpose. S3 has the flexibility to support public buckets, but it is better to design for least privilege and to put the bucket through a full security review than to rely on direct public bucket permissions.