AWS S3 Security


Hello there, moving on with our AWS SAA series, let's look at the security part of the S3 service.

The S3 service is private by default. The only identity that has any initial access to an S3 bucket is the account root user of the account which owns that bucket.

Any other identity has to be granted permission on that bucket explicitly.

The first way of doing that is using an S3 bucket policy.

An S3 bucket policy is a resource policy.

A resource policy is like an identity policy, but it is attached to resources instead of identities. It provides a resource perspective on permissions.

The difference between an identity policy and a resource policy:

  • An identity policy determines what the identity can access.

  • A resource policy determines who can access that resource.

Identity policies can only be attached to identities in one's own account, so they can only control security in that account. There is no way to use them to give an identity in another account access to an S3 bucket.

Different Uses of Bucket (Resource) Policies

Resource policies can grant identities from the same or a different account access to S3 buckets, because the policy is attached to the resource and can reference identities from any account.

Another benefit: they can allow or deny anonymous principals (ones that are not authenticated by AWS).

In a bucket policy statement there is a Principal element. Its presence is a way to tell a resource policy apart from an identity policy (an identity policy has no Principal element, because the identity it is attached to is the implied principal).

Bucket policies can be used to allow or deny access from specific IP addresses, for example to block particular IP addresses from reading objects.

A bucket policy can also be used to block access to a specific folder or prefix inside an S3 bucket.
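As an added example (not from the original post), here is one bucket policy that shows the three uses described above together: a cross-account Allow that names another account's role in Principal, a Deny for requests from a specific IP range, and a Deny on the private/ prefix. The account IDs (111111111111 as the bucket owner, 222222222222 as the other account), the bucket name, the role name and the IP range are constructed placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCrossAccountRead",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::222222222222:role/ReportsReader" },
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-reports-bucket",
        "arn:aws:s3:::example-reports-bucket/*"
      ]
    },
    {
      "Sid": "DenyBlockedSourceIp",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-reports-bucket",
        "arn:aws:s3:::example-reports-bucket/*"
      ],
      "Condition": {
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" }
      }
    },
    {
      "Sid": "DenyPrivatePrefixToOtherAccounts",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-reports-bucket/private/*",
      "Condition": {
        "StringNotEquals": { "aws:PrincipalAccount": "111111111111" }
      }
    }
  ]
}
```

An explicit Deny with Principal "*" applies to every principal, including identities in the bucket owner's own account, so the prefix Deny is scoped with aws:PrincipalAccount to avoid locking the owning account out of its own private/ objects. The IP Deny is deliberately left unscoped, because the point there is to block that range no matter who is calling.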

ACLs

ACLs can be used to control access to subresources.

They are a legacy way of providing access, and AWS does not recommend them. They offer only simple and inflexible permissions.

An ACL cannot be applied to a bunch of objects at once; it applies to a single bucket or object.

Some important pointers – when to use an identity policy versus a bucket (resource) policy:

  • Use identity policies if you want to provide access to multiple resources.

  • Use identity policies if you want to control access from a single place like IAM.

  • Use resource policies if you want to control access for a single product like S3.

  • Use bucket (i.e. resource) policies if you want to grant anonymous or cross-account access.
