We studied the basics of S3 in the last tutorial. In this article we will see how to set permissions on a bucket in S3. To set up permissions in S3 we can use two options:
- Bucket Policies
- ACLs (Access Control Lists)
Bucket policies
As we saw in the last tutorial, nobody can access our S3 objects by default; we get a permission-denied page when we try to access them over the internet. To provide public access to the objects in the bucket we need to set a bucket policy that explicitly allows some objects to be visible over the internet. Let us check out a demo policy so that we can see how to set up a bucket policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
    }
  ]
}
```
Bucket policies are JSON-based policies. Let's study what each key means.
Version - The policy language version used to interpret the policy.
Statement - The list of statements; each statement is one rule written in the policy language given by Version.
Sid - The Sid, or statement ID, is an identifier that you provide for the policy statement.
Effect - Has one of two values, Allow or Deny, and tells us whether this statement allows the listed actions or denies them.
Principal - Specifies the user, account, service, or other entity that is allowed or denied access to the resource in the S3 bucket.
Action - Defines which actions the policy statement allows or denies.
Resource - Defines the bucket and objects that this statement applies to.
You can add multiple statements in a policy; together they define who can access our S3 bucket.
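To make the meaning of Effect, Principal, Action and Resource concrete, here is a small, added example (not code from the original post) that evaluates a bucket policy offline the way S3 roughly does: it walks the statements, matches Principal, Action and Resource (with `*` wildcards), lets an explicit Deny win over any Allow, and falls back to denying anything no statement allows. It also includes an audit helper that lists the statements granting access to anonymous principals, which is the check you want before publishing a policy. The policies, the `private/` prefix and the account ID `111122223333` are constructed sample values, and the evaluator is a simplification: real S3 access decisions also involve IAM policies, ACLs and Block Public Access settings.

```python
import fnmatch
import json

# Constructed sample: the PublicRead policy from the tutorial plus a Deny
# statement for one prefix, so we can see how Allow and Deny interact.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:GetObjectVersion"],
            "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
        },
        {
            "Sid": "KeepPrivatePrefixPrivate",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/private/*"],
        },
    ],
})

# Constructed sample: the same read grant restricted to one AWS account
# (111122223333 is a placeholder account ID, not a real one).
ACCOUNT_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
        }
    ],
})


def _as_list(value):
    """Action, Resource and Principal.AWS may be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_matches(principal, requester):
    """True if the statement's Principal covers the requester.

    requester is "anonymous" for an unauthenticated request, or an IAM ARN.
    "*" (or {"AWS": "*"}) means everyone, including anonymous users.
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(entry in ("*", requester) for entry in _as_list(principal.get("AWS")))
    return False


def statement_matches(stmt, requester, action, resource):
    """A statement applies when principal, action and resource all match.

    fnmatch's '*' and '?' stand in for the policy language's wildcards.
    """
    return (
        principal_matches(stmt.get("Principal"), requester)
        and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action")))
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource")))
    )


def is_allowed(policy_json, requester, action, resource):
    """Simplified evaluation: an explicit Deny wins, then an Allow, else denied."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, requester, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False  # Deny overrides every Allow, regardless of order
        allowed = True
    return allowed


def public_statement_ids(policy_json):
    """Audit helper: Sids of Allow statements reachable by anonymous principals."""
    policy = json.loads(policy_json)
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy["Statement"]
        if stmt["Effect"] == "Allow" and principal_matches(stmt.get("Principal"), "anonymous")
    ]


if __name__ == "__main__":
    bucket = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
    print(is_allowed(SAMPLE_POLICY, "anonymous", "s3:GetObject", f"{bucket}/index.html"))
    print(is_allowed(SAMPLE_POLICY, "anonymous", "s3:GetObject", f"{bucket}/private/secret.txt"))
    print(public_statement_ids(SAMPLE_POLICY), public_statement_ids(ACCOUNT_SCOPED_POLICY))
```

Running the script shows the anonymous read of `index.html` allowed, the read under `private/` denied because the Deny statement matches too, and `public_statement_ids` flagging only `PublicRead`; the account-scoped policy produces no public statements, which is the shape to prefer when the bucket does not actually need to be world-readable.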
ACLs (Access Control Lists)
An ACL defines which AWS accounts or groups are granted access and the type of access granted to each of them. When a request is received against a resource, Amazon S3 checks the corresponding ACL to verify that the requester has the necessary access permissions. ACLs are rarely used and a bit complex, so let us leave them for now, as everything an ACL can do can be done via a bucket policy or IAM permissions; but if you want to know more about them I've attached a link to the documentation.
In the next tutorial we will set up some S3 policies and see how they affect the buckets.