Amazon S3 bucket policies starter & overview.

1. S3 Bucket Policies
Jiri Pihik
Identity Management, Automation

2. Concepts

3. Users
Instances
Services
Metadata
Configuration
Security
Data
Data read-only
S3 bucket layered permissions
Bucket policy

4. Metadata
Configuration
Security
Data
Data read-only
~ 46 permissions to define S3 bucket access
s3:PutBucketCORS
s3:PutBucketVersioning
s3:PutBucketWebsite
s3:DeleteBucketWebsite
s3:GetLifecycleConfiguration
s3:PutLifecycleConfiguration
s3:PutReplicationConfiguration
s3:GetReplicationConfiguration
...

6. Who are
you?
What IP
do you
have?
Is this right time to
access me?

7. Who are
you?
What IP
do you
have?
Is this right time to
access me? Which parts of me
you can access?
What can you do
here?
Can you set
lifecycle here?
Are you able to
write content?

8. Bucket access logging
my-s3-log-system

9. Example log
0b0fbd7ab5d1058f35535fec64595ed51f7fa26ef77ac8e5d88230898be92e2f my-corp-
bucket [21/Jan/2016:12:47:32 +0000] 125.12.36.95 arn:aws:sts::012345678912:
assumed-role/my-role/pihik 9E15D396E0071675 REST.PUT.OBJECT report.html
"PUT /report.html HTTP/1.1" 200 - - 5134 457 6 "-" "aws-cli/1.9.21 Python/2.7.11
Windows/7 botocore/1.3.21" -
aws-cli s3 upload object

10. Use cases
● Prevent unauthorized access to your S3 resources
● Enables you to store application configs, secrets in S3 bucket
● Enables development for 3rd parties
● Ensure only users from corp network can access your S3 resources
● S3 static websites
● Enables fine-grained permissions inside bucket - one folder for public access,
another one for internal assets
● Improve your compliance level

11. DEMO!

12. Example bucket policies

13. {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-corp-bucket/reports/*.pdf",
"Condition": {
"IpAddress": {
"aws:SourceIp": "108.72.209.118"
}
}
}
]
}
3rd party vendor access

14. {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::corp-bucket/tools/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"125.10.15.0/16",
"125.12.36.95",
"10.0.0.0/24"
]
}
}
}
]
}
restricted access only to corp network

15. How to read that crazy stuff?!

16. How to read that crazy stuff?!
Deny all S3 actions
on specified resource
IF
ip address IS NOT 125.x.x.x

17. {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::corp-bucket/tools/*",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"125.10.15.0/16",
"125.12.36.95",
"10.0.0.0/24"
]
}
}
}
]
}
DENY
ALL S3
ACTIONS
ON SPECIFIED RESOURCE
IF
IP ADDRESS IS NOT
125.x.x.x, OR …OR ...

18. "Condition" : {
"DateGreaterThan" : {
"aws:CurrentTime" : "2016-02-09T12:00:00Z"
},
"DateLessThan": {
"aws:CurrentTime" : "2016-02-09T15:00:00Z"
},
"IpAddress" : {
"aws:SourceIp" : ["192.0.2.0/24", "203.0.113.0/24"]
}
}
Limited 3rd party bucket access
IP address AND specific time range

19. {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-corp-bucket/finance/*",
"Condition": {
"Null": {
"aws:MultiFactorAuthAge": true
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::my-corp-bucket/public/*"
}
]
}
require MFA for sensitive data access
folder /public is accessible via internet