Multi-account S3 presentation
2. ● Object storage
● Stores data (objects) in “buckets”; each object is addressed by its
“key”, and keys that share a leading “prefix” can be listed together
● Globally-unique bucket namespace (shared by ALL AWS customers)
● Buckets reside in regions
● Can store A LOT of data
● *Very complex permissions model
● Buckets cannot be moved (to another region or account)
3. VERY easy to do the WRONG thing:
https://www.computing.co.uk/ctg/news/3026816/fedex-left-hundreds-of-thousands-of-personal-records-exposed-on-unsecured-s3-server
5. ● IAM is… IAM (identity policies on the calling Role/User/Group)
● Bucket ACL
○ Grants a whole AWS Account (or a predefined S3 group) access to
the bucket itself -- legacy and coarse-grained
● Bucket Policy
○ IAM policy syntax -- this is a RESOURCE POLICY attached to the
bucket and evaluated alongside the caller’s identity policy
● Object ACL
○ Grants an AWS Account access to the object itself; it is set by
the object’s OWNER, which is not necessarily the bucket owner
6. ● AWS resources “reside” in an account.
● Accessing resources in an account requires an IAM
principal (Role or User; a Group only carries policies, it cannot
make requests).
● Buckets have an owner (the account the bucket resides in)
● Objects have an owner (the account that PUT the object
into the bucket)
○ Owner = the account that owns the IAM Role/User
that placed the object into the bucket, NOT the bucket owner
● Bucket and object ownership can be different!
○ Caveat (newer than this deck): with the S3 Object Ownership
setting “bucket owner enforced”, ACLs are disabled and the bucket
owner owns every object; the rules that follow assume the classic
ACL-enabled behaviour.
7. ● If the bucket resides in the SAME account as the IAM
principal:
○ In *MOST cases: simply add the S3 permissions to the
principal’s IAM policy -- DONE!
○ (*unless a bucket policy or ACL explicitly denies the call, or
the object was PUT by a principal from another account)
8. ● Cross-account: the SOURCE principal’s IAM policy needs to explicitly
grant access
● AND the bucket itself (bucket policy or ACL) needs to explicitly
grant access to that principal
9. ● MyApp has s3:PutObject on the-bucket
● the-bucket allows MyApp s3:PutObject access
● MyApp successfully places myobj into the-bucket
[Diagram: Account A: MyApp -> Account B: the-bucket, containing myobj]
11. [Diagram: Account A: MyApp; Account B: the-bucket, containing myobj; Account C: MyOtherApp]
● MyOtherApp’s IAM role permits access to myobj
● the-bucket’s bucket policy allows MyOtherApp access to myobj
● ACCESS DENIED anyway: myobj is owned by Account A (MyApp wrote it),
so only Account A can grant Account C access, via an ACL on myobj;
Account B’s bucket policy cannot grant objects it does not own
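The slide-8, slide-9 and slide-11 rules as a small evaluator that replays both scenarios. This is an added example, not code from the deck or from Bucket Snake; the account numbers and role names are placeholders, and explicit denies, permission boundaries, SCPs and the newer S3 Object Ownership setting are deliberately out of scope, so it encodes only the classic ACL-enabled behaviour the slides describe.

```python
"""Added example: model the S3 access rules on slides 8, 9 and 11 as data
plus a small evaluator, then replay the allowed PUT and the denied GET.
Account numbers and role names below are assumed placeholders."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

ACCOUNT_A, ACCOUNT_B, ACCOUNT_C = "111111111111", "222222222222", "333333333333"  # assumed


@dataclass
class Principal:
    name: str
    account: str          # account that owns the IAM role
    identity_allows: set  # actions its own IAM policy grants on the-bucket/*

    @property
    def arn(self) -> str:
        return f"arn:aws:iam::{self.account}:role/{self.name}"


@dataclass
class S3Object:
    key: str
    owner: str                                      # account whose principal PUT it
    acl_grants: dict = field(default_factory=dict)  # account -> set(actions)


@dataclass
class Bucket:
    name: str
    owner: str
    policy_grants: dict = field(default_factory=dict)  # principal ARN -> set(actions)
    objects: dict = field(default_factory=dict)        # key -> S3Object


def evaluate(p: Principal, b: Bucket, action: str,
             key: Optional[str] = None) -> Tuple[bool, str]:
    """Return (allowed, reason).  Same account: the identity policy alone
    suffices (slide 7).  Cross account: the identity policy AND the resource
    owner must both grant (slide 8).  For an existing object the resource
    owner is the OBJECT owner, so a bucket policy written by a different
    bucket owner does not help (slide 11)."""
    if action not in p.identity_allows:
        return False, f"{p.name}: own IAM policy lacks {action}"
    obj = b.objects.get(key) if key else None
    resource_owner = obj.owner if obj else b.owner
    if p.account == resource_owner:
        return True, "same-account: IAM grant is enough"
    if obj is None or obj.owner == b.owner:
        if action in b.policy_grants.get(p.arn, set()):
            return True, "cross-account: IAM + bucket policy both grant"
    if obj is not None and action in obj.acl_grants.get(p.account, set()):
        return True, "cross-account: IAM + object ACL both grant"
    what = "bucket" if obj is None else f"object {key} (owned by {obj.owner})"
    return False, f"ACCESS DENIED: {what} does not grant {p.account} {action}"


def replay() -> dict:
    """Slide 9: MyApp (A) writes myobj into the-bucket (B).
    Slide 11: MyOtherApp (C) is allowed by its IAM policy and by the bucket
    policy, yet is denied because myobj is owned by A, not by B."""
    myapp = Principal("MyApp", ACCOUNT_A, {"s3:PutObject"})
    other = Principal("MyOtherApp", ACCOUNT_C, {"s3:GetObject"})
    bucket = Bucket("the-bucket", ACCOUNT_B, policy_grants={
        myapp.arn: {"s3:PutObject"},
        other.arn: {"s3:GetObject"},
    })
    put = evaluate(myapp, bucket, "s3:PutObject", "myobj")
    if put[0]:  # the writer's account becomes the object owner
        bucket.objects["myobj"] = S3Object("myobj", owner=myapp.account)
    get = evaluate(other, bucket, "s3:GetObject", "myobj")
    # What slide 11 says is missing: an ACL on myobj, set by Account A,
    # granting Account C.
    bucket.objects["myobj"].acl_grants[ACCOUNT_C] = {"s3:GetObject"}
    get_with_acl = evaluate(other, bucket, "s3:GetObject", "myobj")
    return {"put": put, "get": get, "get_with_acl": get_with_acl}


if __name__ == "__main__":
    for step, (ok, why) in replay().items():
        verdict = "ALLOW" if ok else "DENY"
        print(f"{step:12} {verdict:5} {why}")
```

The denied GET is the case to remember: every policy the reader can see says "allow", and the denial comes from an ACL on an object the bucket owner does not control. That is why the deck's answer is to make everyone write and read through one role rather than to chase object ACLs.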
12. [Diagram: Account A: MyApp; Account B: the-bucket, containing myobj; Account C: MyOtherApp; S3Role, assumed by both apps]
● MyApp & MyOtherApp each have sts:AssumeRole permission on
S3Role (and S3Role’s trust policy names them both)
● S3Role has s3:PutObject (and s3:GetObject for the read) on the-bucket
● MyApp assumes S3Role and then puts myobj in the-bucket, so
S3Role’s account owns myobj
● MyOtherApp assumes S3Role to read myobj from the-bucket -- no
object ACL needed, because the reader IS the object owner
15. ● Input: a dictionary of all your S3 buckets
○ with their accounts and regions
● If access is cross-account, creates the IAM role in the
bucket-owning account
○ named AppName-SourceAccountNumber
● Grants the source app sts:AssumeRole permission on
the destination role
● IMPORTANT: the app needs an S3 client that is aware of this
(assume the role first, then talk to S3)!
17. ● Permissions are requested with the following verbs:
○ list
○ get
○ put
○ delete
● Bucket Level Permissions (list) -- granted on the bucket ARN
(arn:aws:s3:::bucket), not on the objects (arn:aws:s3:::bucket/*)
○ s3:ListBucket
○ s3:ListBucketVersions
○ * (other bucket-level List actions)
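A constructed illustration of the slide-15 provisioning flow and the slide-17 verb mapping together: build the destination role name, its trust policy, its S3 permissions policy at the correct resource level, and the sts:AssumeRole statement for the source app. This is an added example and not Bucket Snake's own code; the verb-to-action table, the bucket dictionary, the account numbers and the role naming of the app's own role are assumptions for illustration.

```python
"""Added example (not Bucket Snake's code): generate the policy set behind
the slide-12 assume-role pattern from the slide-15 inputs, mapping the
slide-17 verbs onto S3 actions at the right resource level.  The verb table,
bucket dictionary and account numbers are assumed placeholders."""
import json

# Bucket-level actions must target arn:aws:s3:::bucket; object-level actions
# target arn:aws:s3:::bucket/*.  Putting s3:ListBucket on the object ARN is a
# common silent failure (AccessDenied on every list call).  Assumed mapping.
VERB_ACTIONS = {
    "list":   {"bucket": ["s3:ListBucket", "s3:ListBucketVersions"], "object": []},
    "get":    {"bucket": [], "object": ["s3:GetObject", "s3:GetObjectVersion"]},
    "put":    {"bucket": [], "object": ["s3:PutObject"]},
    "delete": {"bucket": [], "object": ["s3:DeleteObject", "s3:DeleteObjectVersion"]},
}

BUCKETS = {  # the slide-15 "dictionary with all your S3 buckets" (constructed)
    "the-bucket": {"account": "222222222222", "region": "us-west-2"},
}


def destination_role_name(app_name: str, source_account: str) -> str:
    """Slide 15 naming: AppName-SourceAccountNumber, created in the
    bucket-owning account."""
    return f"{app_name}-{source_account}"


def s3_permissions_policy(bucket: str, verbs) -> dict:
    """Permissions policy attached to the destination role (S3Role on slide 12)."""
    statements = []
    for verb in verbs:
        if verb not in VERB_ACTIONS:
            raise ValueError(f"unknown verb {verb!r}; expected one of {sorted(VERB_ACTIONS)}")
        for level, actions in VERB_ACTIONS[verb].items():
            if not actions:
                continue
            resource = (f"arn:aws:s3:::{bucket}" if level == "bucket"
                        else f"arn:aws:s3:::{bucket}/*")
            statements.append({"Effect": "Allow", "Action": actions, "Resource": resource})
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy(source_role_arns) -> dict:
    """Who may sts:AssumeRole into the destination role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": sorted(source_role_arns)},
            "Action": "sts:AssumeRole",
        }],
    }


def source_assume_statement(dest_role_arn: str) -> dict:
    """Statement added to the SOURCE app's IAM policy (slide 15: grant the
    source app sts:AssumeRole on the destination role)."""
    return {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": dest_role_arn}


def provision(app_name: str, source_account: str, bucket: str, verbs) -> dict:
    """Everything needed for one app to reach one bucket.  A same-account
    bucket needs no role (slide 7); a cross-account one gets a role in the
    bucket owner's account plus a trust relationship back to the app."""
    owner = BUCKETS[bucket]["account"]
    app_role_arn = f"arn:aws:iam::{source_account}:role/{app_name}"  # assumed app role name
    if owner == source_account:
        return {"cross_account": False, "attach_to_app": s3_permissions_policy(bucket, verbs)}
    role_name = destination_role_name(app_name, source_account)
    dest_role_arn = f"arn:aws:iam::{owner}:role/{role_name}"
    return {
        "cross_account": True,
        "role_account": owner,
        "role_name": role_name,
        "trust_policy": trust_policy([app_role_arn]),
        "permissions_policy": s3_permissions_policy(bucket, verbs),
        "attach_to_app": {"Version": "2012-10-17",
                          "Statement": [source_assume_statement(dest_role_arn)]},
    }


if __name__ == "__main__":
    print(json.dumps(provision("MyApp", "111111111111", "the-bucket", ["list", "put"]), indent=2))
```

The "client that is aware of this" part is then the app's job: for a cross-account bucket it calls `sts.assume_role(RoleArn=..., RoleSessionName=...)` on the generated role and builds its S3 client from the returned temporary credentials, instead of using its own role's credentials directly.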
19. ● NOT YET PRODUCTION READY
● OSS @ https://github.com/Netflix-Skunkworks/bucketsnake
● Docs: https://netflix-skunkworks.github.io/bucketsnake/
● Bucket Snake clients are in the works
○ Sample Boto code