4. Metadata
Configuration
Security
Data
Data read-only
~ 46 permissions to define S3 bucket access
s3:PutBucketCORS
s3:PutBucketVersioning
s3:PutBucketWebsite
s3:DeleteBucketWebsite
s3:GetLifecycleConfiguration
s3:PutLifecycleConfiguration
s3:PutReplicationConfiguration
s3:GetReplicationConfiguration
...
7. Who are you?
What IP do you have?
Is this the right time to access me?
Which parts of me can you access?
What can you do here?
Can you set a lifecycle here?
Are you able to write content?
10. Use cases
● Prevent unauthorized access to your S3 resources
● Enables you to store application configs and secrets in an S3 bucket
● Enables development for 3rd parties
● Ensure only users from the corp network can access your S3 resources
● S3 static websites
● Enables fine-grained permissions inside a bucket - one folder for public access, another one for internal assets
● Improve your compliance level
14. {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::corp-bucket/tools/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "125.10.15.0/16",
            "125.12.36.95",
            "10.0.0.0/24"
          ]
        }
      }
    }
  ]
}
Access restricted to the corp network only
16. How to read that crazy stuff?!
Deny all S3 actions on the specified resource IF the IP address IS NOT 125.x.x.x
17. {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::corp-bucket/tools/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "125.10.15.0/16",
            "125.12.36.95",
            "10.0.0.0/24"
          ]
        }
      }
    }
  ]
}
DENY ALL S3 ACTIONS ON THE SPECIFIED RESOURCE IF THE IP ADDRESS IS NOT 125.x.x.x OR … OR …
18. "Condition": {
  "DateGreaterThan": {
    "aws:CurrentTime": "2016-02-09T12:00:00Z"
  },
  "DateLessThan": {
    "aws:CurrentTime": "2016-02-09T15:00:00Z"
  },
  "IpAddress": {
    "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
  }
}
Limited 3rd-party bucket access: a specific IP address AND a specific time range
19. {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-corp-bucket/finance/*",
      "Condition": {
        "Null": {
          "aws:MultiFactorAuthAge": true
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-corp-bucket/public/*"
    }
  ]
}
Require MFA for sensitive data access
The /public folder is accessible from the internet
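To see how the Deny/Allow statements on slides 14, 18 and 19 combine, here is a small policy evaluator added as an example (it is not code from the deck and not AWS's real engine). It assumes a constructed policy that puts the slide 14 and slide 19 statements into one bucket, "corp-bucket", evaluates only the bucket policy (so a request that is merely not denied comes back as "ImplicitDeny", because a deny-only bucket policy grants nothing by itself; in AWS an IAM identity policy would have to supply the Allow), and treats Principal as "*".

```python
import fnmatch
import ipaddress
from datetime import datetime

# Bucket policy assembled from slides 14 and 19 (constructed for this example;
# both prefixes are placed in one bucket, "corp-bucket", to keep it short).
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::corp-bucket/tools/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp":
                   ["125.10.15.0/16", "125.12.36.95", "10.0.0.0/24"]}}},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::corp-bucket/finance/*",
     "Condition": {"Null": {"aws:MultiFactorAuthAge": True}}},
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::corp-bucket/public/*"},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_holds(op, key, values, ctx):
    """Evaluate one condition operator against the request context (ctx)."""
    if op == "Null":  # "Null": true is satisfied when the key is ABSENT (no MFA used)
        return (key not in ctx) == (str(values).lower() == "true")
    if key not in ctx:  # a missing key never satisfies the other operators
        return False
    if op in ("IpAddress", "NotIpAddress"):
        addr = ipaddress.ip_address(ctx[key])
        # strict=False: the deck's "125.10.15.0/16" has host bits set
        hit = any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(values))
        return hit if op == "IpAddress" else not hit
    if op in ("DateGreaterThan", "DateLessThan"):  # policy times end in "Z" (UTC)
        t, bound = (datetime.fromisoformat(x.replace("Z", "+00:00")) for x in (ctx[key], values))
        return t > bound if op == "DateGreaterThan" else t < bound
    raise ValueError(f"unsupported condition operator: {op}")

def _applies(stmt, action, resource, ctx):
    targets = [(action, stmt["Action"]), (resource, stmt["Resource"])]
    if not all(any(fnmatch.fnmatchcase(v, p) for p in _as_list(pats)) for v, pats in targets):
        return False
    return all(_condition_holds(op, k, v, ctx)
               for op, kv in stmt.get("Condition", {}).items() for k, v in kv.items())

def evaluate(policy, action, resource, ctx):
    """Bucket policy only, Principal "*" assumed: explicit Deny wins, then Allow, else implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _applies(s, action, resource, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

Running the slide 18 condition through `evaluate` with a request time outside 12:00-15:00 UTC shows the time window and the IP allow-list both have to hold for the Allow to apply.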