Hello AWS fan! You have recently created your first AWS S3 bucket and now you want to configure S3 bucket policy to make it secure. How can I do it? What are policies? If you are struggling with the same questions then here is an article that will help you to get started with Bucket Policy in detail.
What Is Bucket policy?
Before understanding what is Bucket Policy lets understand the problem which we are trying to solve using buckets policy, although it sounds strange but here goes…
S3 bucket is something like drive or folder where objects (files) will be stored. The problem comes when there should be some restriction on who or what should do uploads inside your bucket(especially if your files should not be visible for some specific people/users).
For example, if you have some confidential reports on your S3 bucket and at the same time you want any of your AWS account holder to be able to download those files then without using Bucket Policies it will not be possible. You can go with option of individual user access policy or use IAM policies but that’s it. There will be no restriction from uploading stuff inside your S3 bucket which you don’t want. This is where Bucket Policy comes in picture and helps us achieve the desired result.
Bucket Policy: A collection of statements, evaluated one after another in order of appearance, that describe what a requester is allowed to do on a bucket and with each object contained in that bucket. It applies to a requester who has been authenticated to access the bucket in question.
In other words, Bucket policies are used to determine which user or service is allowed to access or perform actions on specific buckets and objects within that bucket. In this way users can have fine grained control over retrieval of information from an AWS S3 Bucket
What Is Allowed By Default?
By default user is allowed to perform following actions on all objects contained in a bucket:
- Delete object
- Create object
- List all the objects contained inside the bucket
- Get object metadata
- Put objects inside the bucket
- Delete all objects that he/she has uploaded inside the bucket.
So far so good. We have seen all what is allowed by default but where and how these permissions are configured?
You might be wondering, I am an AWS user and I created my S3 Bucket so where do these defaults come from/who configured them for me? All of this has been done by AWS itself while creating your bucket during its creation time. When you create a new bucket AWS verifies that it contains correct information and then configures some or all of the above mentioned actions to allow YOUR-SELF(Owner) to perform all of them against that bucket. By default owner will be able to perform these actions on s3 objects however if required permissions can be expanded for specific use cases.
Who Can Configure these Permissions?
Bucket Policy attached to a bucket can be configured by “Owner” of that bucket. This can be changed later if required. Owner can also update policy but cannot delete it.
When you create the S3 Bucket AWS assigns policy with some default permissions If an IAM user is associated with bucket then he/she will have full permission on files inside the s3bucket irrespective of his/her role If no one is associated then Owner will have all permissions.
What can you do with Bucket Policy?
You can allow or deny specific actions against s3 bucket and its objects. For example if we want to create a policy which only allows uploading of files and nothing else (no delete,list etc) then we can do that by specifying this in the policy.
How S3 Bucket Policies Work Under the Hood:
Policies work under the hood by configuration Access Control rules for buckets/objects inside that bucket. Each time when user tries to access an object AWS evaluates all built-in ACLs (if any) and then combined with configured policies permissions are granted. If no special permission is found then default owner’s policy is applied.
Bucket policies are attached to bucket while their access control rules are applied on objects inside the s3bucket. You do not need to specify bucket policy for each object rather you can apply default permissions at the bucket level and then override it with your custom policy when required.
Let’s start with the steps to add a bucket policy:
- Login to AWS Management Console and search S3.
- Create a bucket and give it a bucket name.
You can follow the steps given in Create S3 Bucket and Objects to create a bucket.
- In the S3 dashboard, click and access the bucket.
You will enter into your bucket dashboard and now you are ready to make changes and add bucket policies.
- Click on Permissions.
5. You can see Bucket Policy. Click on Edit.
Now, you have two options either you can write your bucket policy in the editor as a JSON file or you can simply generate policy using Policy Generator. Here we will continue with generating a policy.
- Click on Policy Generator.
A new tab AWS Policy Generator will open.
- Now you are required to configure some settings for generating policies. Select Policy Type as S3 Bucket Policy.
- Choose Allow or Deny in Effect according to how you want to give users permission to upload encrypted files or not.
10. Select Actions from the drop-down list you want to choose and apply to the bucket or you can select All Actions.
- In Amazon Resource Name (ARN), enter the Bucket name to which the policy needs to be applied. You can go back to the previous tab to copy the Bucket name. Add /* after the bucket name to select all the objects and subfolders.
- Now, you can Add the Conditions (optional). (Based on this condition it will be decided either the access should be denied or not.)
You have successfully generated Bucket Policy. A Policy JSON Document will pop-up on the screen like this :
- You just need to copy the same to the Bucket Policy editor.
Click on Save Changes.
Congratulations! You have created your first Bucket Policy.
In this blog post, we’ve taken a deep dive into the intricacies of S3 Bucket Policy. You can create your own policy using these steps and you should be able to keep up with best practices for security in the cloud. If you have any questions or would like any help from our team, don’t hesitate to reach out!