DEV Community

Samuel I. G.


Policies and Permissions in Amazon S3

According to the AWS documentation, Amazon Simple Storage Service (Amazon S3) is an object storage service that offers "industry-leading scalability, data availability, security, and performance". Amazon S3 can store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications, and many others.

Amazon S3 Bucket

Amazon S3 is an object storage service: data is kept as objects within buckets. An object is a file together with any metadata that describes it. Every object in Amazon S3 is stored in a bucket, so before you can store data in Amazon S3, you must create a bucket.

To store your data in Amazon S3, create a bucket, give it a name, and choose an AWS Region. Then upload your data to that bucket as Amazon S3 objects. If you want to learn more about creating a bucket on Amazon Simple Storage Service, you can visit the documentation page.

Policies and Permissions

You can control who has access to particular Amazon S3 storage resources using an object called an S3 bucket policy. For each resource, you can establish permissions that allow or deny the actions requested by a principal (a user or role). When you create a new Amazon S3 bucket, you should set a policy granting the necessary permissions to the primary roles of the data forwarder. The elements of a policy are the following:

Resources — You can grant or deny rights for the following Amazon S3 resources: buckets, objects, access points, and jobs. The resource is identified by its Amazon Resource Name (ARN) in a policy.

Actions — Amazon S3 offers a variety of actions for each resource. By employing action keywords, you can specify which resource operations you’ll approve (or reject).

Effect — What happens when the user requests a particular action; this is either Allow or Deny.

Principal — The user, account, service, or other entity that is granted (or denied) access to the resources and actions listed in the statement.

Condition — Conditions can be added to an Amazon S3 access policy using both AWS-wide and Amazon S3-specific keys.

Example of AWS S3 Policy and Permissions

You can see the Effect, Principal, Action, and Resource elements in the following example bucket policy. That policy grants the s3:GetObject, s3:PutObject, and s3:DeleteObject permissions on the "bucket1" bucket to User1, who is a user in account .

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Account-ID:user/User1"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::bucket1/*"
        }
    ]
}
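As an added example (not part of the original post or of any AWS tooling), the following Python script reads a bucket policy document offline and checks the elements described above the way a reviewer would before attaching it: it flags Allow statements whose Principal is the anonymous "*" with no Condition, whose Action is a wildcard, or whose Resource is not scoped to a bucket. The policy from the post is embedded as input, and the second, deliberately over-broad policy is a constructed counter-example; the audit rules are my own, not an AWS API.

```python
import json

# Constructed input: the bucket policy shown in the post, embedded inline.
EXAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "1",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::Account-ID:user/User1"},
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::bucket1/*"
  }]
}""")

# Constructed counter-example: the same bucket opened to every caller for every action.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Public", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:*", "Resource": "arn:aws:s3:::bucket1/*"}],
}

def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_anonymous_principal(principal):
    """True when the Principal element matches any caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def audit_bucket_policy(policy):
    """Return (Sid, finding) pairs for Allow statements broader than the post's example."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take permissions away
        sid = stmt.get("Sid", "<no Sid>")
        if is_anonymous_principal(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((sid, "Allow for any principal with no Condition"))
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", []))):
            findings.append((sid, "wildcard Action grants every S3 operation"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((sid, "Resource '*' is not scoped to one bucket"))
    return findings
```

Running `audit_bucket_policy(EXAMPLE_POLICY)` returns no findings, while the constructed public policy produces one finding for the anonymous principal and one for the wildcard action.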
