S3 Bucket Policies: Utility and Practical Examples

Introduction

In the previous article of this series, we discussed versioning in S3 buckets, why enabling it is a good practice, and how it impacts an S3 bucket once suspended. In this article, we’ll talk about S3 bucket policies: what they are, what they are for, and how they can be used in practice.

What are S3 Bucket Policies?

S3 Bucket policies allow us to control access to our buckets, as well as predefine certain rules related to them, such as who can read or create objects stored in the bucket. If we need all objects in our bucket to be encrypted, we can achieve this through S3 bucket policies. Below are some more specific aspects related to S3 bucket policies:

  • A JSON document that grants access to certain users for objects in a bucket or for certain actions on the bucket itself.
  • The Principal field is required in an S3 bucket policy.
  • By default, when an S3 Bucket is created, it does not contain any policies.

S3 Bucket Policy Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::compacompila-website/*",
      "Principal": "*"
    }
  ]
}

To understand this policy, let’s analyze each of its fields:

Sid

This is an optional field, primarily used as an indicator to give anyone viewing the policy an idea of its objective. In this case, it’s PublicRead, which gives us an idea of the policy’s purpose.

Effect

This is an optional field. If not present, its value defaults to Allow; its other possible value is Deny. This field determines whether the action defined in the next property will be permitted or not.

Action

This defines the action to be allowed or denied. For example, in this case, the action is s3:GetObject, and since the previous field’s value is Allow, this policy allows the action of getting an S3 object.

Resource

This defines the resource on which the action is allowed or denied. We already know that this policy allows obtaining S3 objects. However, it’s essential to specify which S3 bucket this is allowed for, and that’s what’s defined in this field. Therefore, it expresses the ARN (Amazon Resource Name) of the bucket in question, and the trailing /* makes the statement apply to every object inside that bucket.

Principal

This refers to the IAM entity that will be able to perform the action on the S3 bucket defined in the Resource field. For instance, in this case, the value is *, meaning any entity can read the objects in this S3 bucket.

Summary

Therefore, we can conclude that this policy allows any entity to read the objects from the S3 bucket named compacompila-website.
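The three structural points made so far (a complete policy document wraps its statements in Version and Statement, every statement carries a Principal, and an Allow whose Principal is * is a grant to anyone) can be checked mechanically. The following Python audit function is an added example written for this article, not the author's code or an AWS library. The two policy documents it inspects are constructed for the example: the first is the PublicRead statement above wrapped in a full policy document, the second is a CloudFront-only variant plus a deny-unless-HTTPS statement whose Sid DenyInsecureTransport is invented here.

```python
"""Audit S3 bucket policy documents for unconditional public grants (added example)."""
import json

# Constructed: the article's PublicRead statement wrapped in a full policy document.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::compacompila-website/*",
        "Principal": "*",
    }],
})

# Constructed: the same bucket, readable only through one CloudFront distribution,
# plus a Deny for non-HTTPS requests (the Sid DenyInsecureTransport is invented here).
CLOUDFRONT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudFrontServicePrincipal",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::compacompila-website/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn": "arn:aws:cloudfront::039612854661:distribution/E265T4FYP4BBY0"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::compacompila-website",
                         "arn:aws:s3:::compacompila-website/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    # Policy fields such as Action and Resource may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    # Both the short form "*" and the long form {"AWS": "*"} mean "any principal".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_grants(policy_json):
    """Return one finding per Allow statement that is open to any principal.

    Deny statements with Principal "*" (like the HTTPS guard) are not findings:
    they restrict access rather than grant it.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if "Principal" not in stmt:
            raise ValueError(f"statement {idx} has no Principal; bucket policies require one")
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt["Principal"]):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement-{idx}"),
            "actions": _as_list(stmt["Action"]),
            "resources": _as_list(stmt["Resource"]),
            # A Condition narrows the grant; its absence means truly anyone, anywhere.
            "conditional": "Condition" in stmt,
        })
    return findings


if __name__ == "__main__":
    for name, doc in (("PublicRead", PUBLIC_READ_POLICY), ("CloudFrontOnly", CLOUDFRONT_ONLY_POLICY)):
        print(name, find_public_grants(doc))
```

Running the script reports one finding for the PublicRead document (unconditional, on s3:GetObject for every object) and none for the CloudFront-only document, even though its Deny statement also names Principal *.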


Examples of S3 Bucket Policies

Allow a CloudFront Distribution to Read Objects from an S3 Bucket

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::compacompila-website/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::039612854661:distribution/E265T4FYP4BBY0"
        }
      }
    }
  ]
}

This policy allows the CloudFront service principal (the Principal field), restricted by the Condition field to the distribution with the ARN arn:aws:cloudfront::039612854661:distribution/E265T4FYP4BBY0, to read all objects (the Action field) from the S3 bucket named compacompila-website (the Resource field). Without the Condition, any CloudFront distribution in any account could read the bucket.

Allow a CloudFront Distribution to Read Specific Objects from an S3 Bucket

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontServicePrincipal",
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudfront.amazonaws.com"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::compacompila-website/images/*",
      "Condition": {
        "StringEquals": {
          "AWS:SourceArn": "arn:aws:cloudfront::039612854661:distribution/E265T4FYP4BBY0"
        }
      }
    }
  ]
}

This policy has one key difference from the previous one: it doesn’t allow reading all objects in the bucket, but specifically allows reading objects located within the images prefix (folder). This is defined in the Resource field.

Allow a Specific Role to Read Objects with a Specific Tag

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/SomeRole"
      },
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::compacompila-website/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/environment": "production"
        }
      }
    }
  ]
}

This policy allows the role arn:aws:iam::111122223333:role/SomeRole to read objects and their versions from the bucket named compacompila-website only if these objects have the tag environment with the value production.

Allow a Specific Role to Create Objects with a Specific Tag

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/SomeRole"
      },
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::compacompila-website/*",
      "Condition": {
        "StringEquals": {
          "s3:RequestObjectTag/department": "Finance"
        }
      }
    }
  ]
}

This policy allows the role arn:aws:iam::111122223333:role/SomeRole to create objects in the bucket named compacompila-website, only if these objects have the tag department with the value Finance.

Deny All Actions Unless Accessed Via HTTPS

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::compacompila-website/*",
        "arn:aws:s3:::compacompila-website"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}

This policy denies every action on the S3 bucket compacompila-website and on its objects whenever the request is not made over HTTPS, that is, whenever the condition key aws:SecureTransport is false. Because it is an explicit Deny, it takes precedence over any Allow statement in the same policy.

In the Resource field, the value arn:aws:s3:::compacompila-website applies to actions that are executed on the bucket itself, such as s3:ListBucket. However, the value arn:aws:s3:::compacompila-website/* applies to actions that are executed on the objects within the bucket, such as s3:GetObject.
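To see how several of these statements combine in one bucket policy, and how the bucket ARN and the bucket/* ARN match different requests, here is an added toy evaluator in Python. It is example code written for this article, not the author's code and not how AWS implements IAM evaluation; it models only the two condition operators the examples use (StringEquals and Bool), IAM-style * wildcards and the rule that an explicit Deny overrides any Allow. It assumes the CloudFront images/ statement, the production-tag role statement and the deny-unless-HTTPS statement above are attached together; the object keys images/logo.png and css/site.css and the request contexts are constructed for the example.

```python
"""Toy evaluator for S3 bucket policy statements (added example, not AWS code)."""
import fnmatch

# Constructed policy combining three statements from the article.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowCloudFrontServicePrincipal", "Effect": "Allow",
         "Principal": {"Service": "cloudfront.amazonaws.com"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::compacompila-website/images/*",
         "Condition": {"StringEquals": {
             "AWS:SourceArn": "arn:aws:cloudfront::039612854661:distribution/E265T4FYP4BBY0"}}},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/SomeRole"},
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::compacompila-website/*",
         "Condition": {"StringEquals": {"s3:ExistingObjectTag/environment": "production"}}},
        {"Effect": "Deny", "Principal": "*", "Action": ["s3:*"],
         "Resource": ["arn:aws:s3:::compacompila-website/*",
                      "arn:aws:s3:::compacompila-website"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

CF = "cloudfront.amazonaws.com"
ROLE = "arn:aws:iam::111122223333:role/SomeRole"
DIST = "arn:aws:cloudfront::039612854661:distribution/E265T4FYP4BBY0"
BUCKET = "arn:aws:s3:::compacompila-website"
IMAGE = BUCKET + "/images/logo.png"   # constructed object key under the images/ prefix
STYLE = BUCKET + "/css/site.css"      # constructed object key outside that prefix


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(declared, caller):
    # "*" matches any principal; otherwise the caller must be listed under AWS or Service.
    if declared == "*":
        return True
    if not isinstance(declared, dict):
        return False
    return any(entry in ("*", caller)
               for kind in ("AWS", "Service") for entry in _as_list(declared.get(kind, [])))


def _condition_matches(condition, context):
    # Condition keys are case-insensitive; a key absent from the request never matches.
    ctx = {k.lower(): str(v) for k, v in context.items()}
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            allowed = [str(e) for e in _as_list(expected)]
            if operator == "StringEquals":
                ok = actual is not None and actual in allowed
            elif operator == "Bool":
                ok = actual is not None and actual.lower() in [e.lower() for e in allowed]
            else:
                raise NotImplementedError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def evaluate(policy, caller, action, resource, context=None):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for a single request."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        # Action names are case-insensitive, resource ARNs are not; "*" also spans "/".
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"           # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


if __name__ == "__main__":
    https, http = {"aws:SecureTransport": "true"}, {"aws:SecureTransport": "false"}
    print(evaluate(BUCKET_POLICY, CF, "s3:GetObject", IMAGE, {"AWS:SourceArn": DIST, **https}))  # Allow
    print(evaluate(BUCKET_POLICY, CF, "s3:GetObject", STYLE, {"AWS:SourceArn": DIST, **https}))  # ImplicitDeny
    print(evaluate(BUCKET_POLICY, ROLE, "s3:ListBucket", BUCKET, http))                          # Deny
    print(evaluate(BUCKET_POLICY, ROLE, "s3:ListBucket", BUCKET, https))                         # ImplicitDeny
```

The last two calls show the distinction made above: s3:ListBucket is evaluated against the bucket ARN, so only the Deny statement (which lists both ARNs) can match it, while the two Allow statements list only bucket/* and therefore never apply to bucket-level actions.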


See you soon

That’s all for now regarding the fifth article in this series, where I’m providing a comprehensive guide to S3 buckets. In the next article, we’ll be discussing pre-signed URLs and their utility. See you then!

