Amazon S3 Access Control - IAM Policies, Bucket Policies and ACLs

Captions
There are a few ways that we can control access to our buckets and the objects that we store within our S3 buckets, so in this lesson I'm going to walk you through IAM policies, bucket policies and access control lists, and then in the next couple of lessons we'll do hands-on to see these in action as well.

So firstly we have policies created in the Identity and Access Management service. Now these are identity-based policies, which means that they get associated with principals like users and roles. So with an IAM policy we're directly applying the permissions that we want to assign to a principal to that principal, or we might be applying them to a group by attaching a policy to a group and then adding a user into the group. We can specify what actions are allowed on what AWS resources, so we can say that you're allowed to perform specific actions on a specific bucket, for example. So with IAM policies, these are attached to users or groups or roles, and remember with a group you attach the policy to the group and then you add the user to the group and they will get the permissions assigned to that permissions policy. IAM policies are written in JSON using the AWS access policy language, and the Principal element is not required in the policy. So when you see one of these JSON snippets of code, if it doesn't have a Principal element in it, then that means that it could be an IAM policy that's used for S3 rather than a bucket policy.

So next we have S3 bucket policies, and these are resource-based policies. So with a bucket policy you're attaching it directly to an S3 bucket; they can only be attached to Amazon S3 buckets, and they also use the same access policy language. So it's still JSON, it looks very much like the policies created at the identity level, but it's on a resource instead. So we might have an S3 bucket, we apply our bucket policy to it, and a bucket policy might look something like this. So note that there is a Principal element here which specifies the specific user we want to assign these permissions to. There's also a Resource, and it specifies the bucket name, and of course there's an Action as well. The Effect is Allow, the Action is any S3 action, so a wildcard for S3 actions. So in this case Paul will be able to put an object into that S3 bucket because he's allowed through the resource-based policy.

Lastly we have access control lists. These are really a legacy access control mechanism that predates Identity and Access Management; AWS generally recommends that you try and use bucket policies or IAM policies rather than using ACLs. They can be attached to a bucket or directly to an object, so a bucket policy is always at the bucket level, whereas an ACL can be specified at the object level as well. There are limited options for grantees and permissions; we'll see this in the hands-on. It's not as powerful as using the access policy language.

So when might you use these different access control mechanisms? You might use IAM policies for the following use cases: where you need to control access to AWS services other than S3, because you can then specify whatever permissions you want to whatever AWS service as well as the S3 bucket; where you have numerous S3 buckets, each with different permissions requirements, so that means you're centrally controlling access to lots of different buckets using a single IAM policy, which is, you know, centralizing the management and hopefully simplifying it; or where you might just prefer to keep access control policies in the IAM environment rather than using resource-based policies, which can be a bit harder to track. So you might want to use bucket policies if you want a simple way to grant cross-account access to S3 without using IAM roles; you can do that quite easily in a bucket policy. Your IAM policies might be reaching the size limits; there is a limit on the size of an IAM policy, so that might force you to use a bucket policy. Or you might just prefer to keep your access control policies in the S3 environment, and that could be down to separation of control within your organization.

It's important to understand the authorization process, so let's work through the logic. The decision will always start at a deny, and then it evaluates the policies and looks for explicit denies. If there is an explicit deny, then that's the end; the final decision is deny. Next, if there isn't an explicit deny, we look for any allows. If there is an allow, then the decision is to allow; that's an explicit allow. If there isn't one, then the decision is deny. So that's basically the process for how authorization works. Now in the next lesson we're going to look at access control lists in a hands-on, and then we're going to look at IAM policies and bucket policies.

In this lesson we're going to have a look at access control lists on Amazon S3. In the S3 console I'm going to click on my bucket here, dct cloud storage, and under Permissions we can see the access control list just a bit further down here. Now as you can see there's a warning telling me I can't actually enable public access because it's disabled at the bucket level. So the first thing I want to do, because what I want to do as an exercise in this lesson is actually enable public access for my objects, is unblock public access. Now let's just check the behavior at this stage. Let's go to one of our objects, copy the URL and then put it into a browser window, and I get an access denied message, and that's completely expected. So what I need to do is go back up to my bucket level here, choose Permissions, click on Edit under Block public access and deselect this option, click on Save and then confirm. So now it's been confirmed. If we just scroll down to Access control list, let's edit the access control list. Now note that there are a few different options here for the grantees. So a grantee is either the bucket owner, everyone, authenticated users (so anyone with an AWS account who has authenticated) or the S3 log delivery group for storing log files. So those are the only options, and then we have List and Read and so on, so there are a few permissions and a few options for grantee. It's not hugely powerful like a bucket policy or an Identity and Access Management policy.

Now this is the ACL at the bucket level; remember there's also an ACL at the object level. So I actually don't need to enable list access to my bucket to enable direct access to my object, so in fact I'm going to leave this as it is. Let's click on Objects, choose one of my objects, go to Permissions and then Edit. Here I can enable read access for Everyone; that's public access for my object. I have to click on a checkbox here to understand what the impact is of this change and then click on Save. Now let's go back and refresh our screen. This time I can see the object, so it's now public. Now another way you can achieve the same outcome is you can select an object, go to Actions and Make public, click on Make public, and that's done. So now if I go into this object, what you'll be able to see under the Permissions tab is that we've given read access, exactly the same thing. So just as with the other file, we should now be able to access this one, and we can see the image. So that's how you work with ACLs.

Now let's just go back up to our bucket level and Permissions, and another thing which is worth noting is the cross-account access. So let's click on Edit, and at the bottom here you can see Access for other AWS accounts. This is a common use case for using an ACL. In this case you can add the grantee and you can enter the canonical ID, which is essentially a form of the account ID, and then give some basic permissions to anyone within that account. So that's all I want to show you for this lesson. One thing I am going to do is just go back up and put the Block public access back on again, and now the configuration of our bucket is back to the way it was at the beginning of the lesson.

Hi guys, in this lesson we're going to cover using bucket policies and user policies. So user policies are the IAM policies that we create and attach to our users. Now there are a couple of things that you're going to need to set up. Firstly, you need a second user account; I've got one called Paul, you can call this user whatever you want. Now that user will need management console access. At this stage the user should not be in any groups, so effectively that user does not have any permissions. Now I've logged in as that user in a private window, and that means I'm logged into my main account with my own admin privileges in one window, and then in a private window or incognito window I'm logged in as Paul. So Paul at this stage should not have any access. If you go into Amazon S3, what we should see is this: you don't have any permissions to list buckets. So the user has no privileges to S3 at this point in time.

Now we also want to add a couple of folders and some files to our bucket. So I'm going to use the same bucket, dct cloud storage. What we're going to do is create a folder; this one's going to be called department. Just create the folder. Then we're going to create another one; this one's going to be called confidential. And then I'm going to go into the confidential folder, Upload, Add files, and I'm going to choose this file, confidential report. So you can just create your own documents and call them whatever you want. So mine's called confidential report, a Word document. I'm going to upload that file, then close out of here, back up a level, choose the department folder, Upload, Add files, and this time I'm going to choose this company goals PDF. So that's the structure set up.

Now let's have a look at the policies that we're going to use. In your course download, in the code directory Amazon S3, you're going to have this file, user policies and bucket policies, and we've got some numbered items in here. So the first one is we're going to attach a user policy to our user which allows that user to list buckets. So the privilege is s3:ListBuckets and the resource is any; so that means any AWS bucket that we have. It's a star, it's a wildcard. So what I'm going to simply do is copy this code here from the opening to the closing curly braces. Back in IAM I'm going to choose my second user account, mine's called Paul, and I'm going to add an inline policy, click on the JSON tab, remove the existing code and paste my new code in. Let's click on Review. I'm just going to call this "paul inline" and then let's create the policy. Now don't worry about this summary here; we're going to see what privileges this does assign to Paul. So we've attached that policy. Let's go over to the other browser window where Paul is logged in. So now I'm back logged in as Paul. Let's refresh my screen here, and I can now list the buckets. So you can see there's an access warning here of insufficient permissions. All I have here is the permission to list the bucket, so if I click on dct cloud storage I can't see any objects within the bucket; I can only list at the bucket level.

So let's go to the next policy. It says "C root level bucket items user policy". So what does this one do? So here we have the ListAllMyBuckets and GetBucketLocation privileges. We then have the s3:ListBucket, which is an allow for a specific bucket name; in this case it was dct policy test. Now I need to change that for my bucket, so make sure you change this value here. Now the condition is that the string equals a prefix and a delimiter of slash. So what this should do is allow us to see the items within the bucket. So let's copy all of this code to our clipboard, and then, back logged in as my main user account, I'm going to edit this policy, click on JSON, delete all the code and paste this in. Now remember I do need to change my bucket name here. So back on S3 with my bucket selected, I'm going to go to Properties and ARN; I can copy that to my clipboard, come back and paste that in, so I can replace the entire ARN here, and let's save this policy. Now let's go back over to Paul. Back logged in as Paul, I'm trying to look at the objects within my bucket here. Let's click on the refresh, and you see that now I can actually see these objects. Can I download an object? Let's have a look, and I get an access is denied. What about going in and looking at items in confidential? Well, now I don't have permissions. So we're getting quite granular here in the permissions we're assigning to this user.

Now let's move on to the next policy. This is to view the department folder contents. Now what you may notice is we've got a lot of the permissions here that we had in the previous policy, and then we have some additional permissions at the bottom here. So here we have the ListBucket; we again need to replace our ARN, so let me paste my new ARN in. It also has to be back up here, so make sure you do that; make sure you change your ARN. And what this last policy statement here is going to do is allow us access to the department folder star, so anything within the department folder. So let's go and copy all of this code. I'm again going to edit the policy, click on JSON, delete everything out, paste this in. Just as a reminder, make sure you've got the correct ARN for your bucket, and then let's review the policy and save. So back logged in as Paul, let's refresh. But I'm trying to look in the confidential folder here, and we didn't give those permissions, so I'm not getting access. Let's come back up to the bucket level, try department, and we can see. So we've now enabled this user to see right down to the objects within the department folder, but as you saw before, we haven't given any permissions for uploading or deleting objects yet.

So the next policy here is still a user policy, and the first three of these sections are the same as before, and then the very last one at the bottom here allows the s3:GetObject and s3:PutObject actions. Now I'm going to go to my previous policy, copy this ARN, let's come down; there are going to be multiple places we need to put this. As you can see, it's highlighted the three places, so let's change it in all three of these locations, and be careful with the last one: you want to keep the slash department star. So that's it. I should be able to copy this code. Let's again edit our policy, go to JSON, delete this out, put our new code in, review and save. So back in the department folder, let's now see if we can download our object, and that works; I can see my file downloading. And I should also be able to upload objects because I gave the permission to PutObject, so let's just choose any file and try and upload, and that's also a success.

The last policy is a bucket policy, and we need to use this in combination with policy 2 above. Now let's just copy our ARN again. So remember the ARN up to the name of the bucket; I'm going to copy that, and I'm going to paste it over the ARN in my Resource section of my bucket policy. Then we need to use user policy 2, so we need to go back up to policy 2, and I remember I didn't actually update this one in my file, so I'm going to update my ARN here as well. Copy this code, we're going to edit Paul's policy again, paste that in, and this will give the user the list level at the top of the bucket again. So let's just save those changes. If we come back to Paul, who's trying to look in the department folder, and refresh, we should find that soon we get denied access. And there we go; that took a couple of refreshes, it can sometimes take a bit of time. So what about at the bucket level here? And yes, we can see the objects at this level. Now what if we go into the confidential folder? Well, here we certainly don't have permissions, because we can only see at the level above. So coming back to the code, now we need to use the bucket policy, and the bucket policy is going to allow the specific user. So you're going to need to go and get the ARN of your user, which you can find inside the user account here; just copy the ARN to your clipboard and then paste that in. So this principal will be allowed the action s3 star, so any S3 action, on the resource dct cloud storage, so our bucket name, and then the prefix is under a condition. So the condition is limiting this access: any S3 action, but only on this prefix, which is the confidential folder, and then slash star, which means the objects within the folder; the slash star indicates that the privileges are assigned to the objects within the folder as well. So let's copy all of this, and now we're going to go and add a bucket policy. So back in S3, I'm in my bucket here, and under Permissions let's scroll down a little way and click on Edit next to Bucket policy, and we're going to paste our policy in. And just in case you haven't updated your ARN, you can get it easily here as well; you can copy it and then paste it in, and make sure you've got the correct ARN. So let's save these changes, come back to Paul, let's click on refresh, and now we have our access again, and we now have full permissions to the confidential folder only. So that's how we work with user policies as well as bucket policies, and as you can see, we can actually use them together as well.
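The authorization logic the lesson walks through (start at deny, an explicit deny is final, otherwise look for an allow) applied to an identity-based policy without a Principal and a bucket policy with one, as an added Python example; this is not code from the video or the course download. The bucket name dct-cloud-storage, the account ID, the object keys and the Deny statement are constructed for illustration, and only the StringEquals condition operator is modelled.

```python
import fnmatch

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _match(patterns, value):
    # IAM wildcards ('*' any run, '?' one char) behave like fnmatch patterns
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def statement_applies(stmt, req):
    """True when Principal (if present), Action, Resource and Condition all match."""
    principal = stmt.get("Principal")  # absent in identity-based (IAM) policies
    if principal is not None:
        arns = principal["AWS"] if isinstance(principal, dict) else principal
        if not _match(arns, req["principal"]):
            return False
    if not _match(stmt["Action"], req["action"]) or not _match(stmt["Resource"], req["resource"]):
        return False
    # Only StringEquals is modelled: every condition key must equal a listed value
    for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if req["context"].get(key) not in _as_list(wanted):
            return False
    return True

def authorize(policies, req):
    """Start at Deny; an explicit Deny is final; otherwise any matching Allow wins."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, req):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny: evaluation stops here
                decision = "Allow"
    return decision  # Deny here is the implicit (default) deny

# Constructed sample policies modelled on the lesson; the account id is made up
BUCKET = "arn:aws:s3:::dct-cloud-storage"
PAUL = "arn:aws:iam::111122223333:user/paul"
USER_POLICY = {"Statement": [  # identity-based: no Principal element
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringEquals": {"s3:prefix": ["", "department/"], "s3:delimiter": "/"}}},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/department/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"},
]}
BUCKET_POLICY = {"Statement": [  # resource-based: Principal names the user
    {"Effect": "Allow", "Principal": {"AWS": PAUL}, "Action": "s3:*", "Resource": BUCKET + "/confidential/*"},
]}

def decide(action, resource, context=None):
    """Evaluate one of Paul's requests against both the user policy and the bucket policy."""
    req = {"principal": PAUL, "action": action, "resource": resource, "context": context or {}}
    return authorize([USER_POLICY, BUCKET_POLICY], req)
```

The bucket policy alone grants Paul access to the confidential prefix, while the explicit Deny in the user policy blocks deletes there even though the bucket policy's `s3:*` would allow them.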
Info
Channel: Digital Cloud Training
Views: 4,930
Keywords: AWS, AWS Certification, Amazon Web Services, AWS Amazon, AWS Certified, AWS Training, AWS tutorial, Amazon AWS, What is AWS, Getting started with AWS, Amazon AWS tutorials, free aws, free aws tutorials, AWS Cloud, AWS Exam, AWS Practice Tests, Cloud Computing, Cloud Technology, AWS for beginners, Introduction to AWS, AWS Services, Amazon S3, Amazon S3 Access Control, amazon s3 tutorial, Amazon IAM policies, Amazon IAM Bucket Policies, ACLs, Amazon IAM, aws s3
Id: xFzJw6wJ8eY
Length: 19min 44sec (1184 seconds)
Published: Thu Aug 26 2021