Reputation: 33726
Currently, I have an S3 bucket called stackoverflow2017 with some files:
And the ACL is configured as follows:
As you can see the bucket is private and even my own account won't be able to access it.
I can set a policy on the bucket as follows:
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
But, I want to know other alternatives.
Question: What are the alternatives and, of course, the best practices for granting access to developers, applications, etc.?
Upvotes: 0
Views: 895
Reputation: 33726
There are several ways to keep your buckets in S3 secure; I can list these four methods for applying permissions:
The list above follows a permission hierarchy: the first one is the permission with the highest precedence, and the last one will be overridden if one of the previous permissions is present in your security configuration.
Reference: How to secure an Amazon S3 Bucket
IAM policies are used to grant access to users, groups, or roles — which are applied to other resources. If a user or an AWS resource (e.g., specific set of EC2 instances, Lambda function, another account, etc.) needs to access one or more buckets, this is the way to go. It also helps ensure that you’re applying the principle of least privilege and only granting the permissions necessary.
Bucket policies apply to the bucket and the keys within that bucket. If the permissions you need to grant center around the data, bucket policies are the simplest way to accomplish that. This is especially useful for when your bucket is enabled as a static website. You can use a bucket policy to make everything in the bucket read-only.
Access control lists are hiding underneath the covers for all permissions methods. ACLs are a fine-grained control that allow you to make exceptions to broader tools (like bucket and IAM policies) as needed. In my experience you’ll rarely need to tweak specific ACLs but the ability is there and it makes sense in some application scenarios depending on your bucket/key strategy.
Query string authentication and URL-based access are hidden gems in Amazon S3. These methods allow you to grant permissions based on a specific URL. There are two common patterns for using this type of authentication:
This is a great method for securely providing one-time access to your Amazon S3 buckets.
This approach allows you to set an IAM policy on a group or user; you can do that either via the CLI, API calls or through the AWS Console.
Click on the link developer, then press the button Add permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1515865413837",
      "Action": [
        "s3:ListBucket",
        "s3:ListObjects"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::stackoverflow2017"
    }
  ]
}
That policy S3PolicyForDeveloper grants the user developer the permissions for listing buckets and objects within the bucket stackoverflow2017. (The Effect can also be Deny.)
For setting policies on groups, follow the same steps in the Group list.
The following command shows how to assign an IAM policy to an IAM user. Basically, it will create a new IAM policy called S3PolicyForDeveloper and immediately attach it to the IAM user.
$ aws iam put-user-policy --user-name developer --policy-name S3PolicyForDeveloper --policy-document file:///policies/S3PolicyForDeveloper.json
On the other hand, imagine you want to attach an existing IAM policy to an IAM user; to do that, execute the following command:
$ aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --user-name developer
The following command shows how to assign an IAM policy to an IAM group. Basically, it will create a new IAM policy called S3PolicyForDeveloper and immediately attach it to the IAM group.
$ aws iam put-group-policy --group-name developers --policy-document file:///policies/S3PolicyForDeveloper.json --policy-name S3PolicyForDeveloper
For attaching an existing IAM policy to a group, execute the following command:
$ aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/S3PolicyForDeveloper --group-name developers
A bucket policy allows you to grant specific permissions on specific buckets. For example, you could grant access to your bucket to a specific set of IP addresses, to a specific AWS account, etc.
This is a policy for the bucket stackoverflow2017:
{
  "Version": "2012-10-17",
  "Id": "Policy1515865416346",
  "Statement": [
    {
      "Sid": "Stmt1515865413837",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::stackoverflow2017/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.168.1.1"
        }
      }
    }
  ]
}
As you can see, the Resource key contains the ARN of the bucket stackoverflow2017 plus /* to indicate that this policy is applied to the bucket's content. The Condition key contains the policy conditions; in this case, this bucket could be read only from the IP address 192.168.1.1. The Principal key contains the user, account, service, or other entity that is allowed or denied access to a resource, in this case to the specified bucket.
{
  "Version": "2012-10-17",
  "Id": "Policy1515865416346",
  "Statement": [
    {
      "Sid": "Stmt1515865413837",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::stackoverflow2017/*"
    },
    {
      "Sid": "Stmt1515865413838",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::stackoverflow2017"
    }
  ]
}
The policy above allows listing/reading and putting new objects in the bucket stackoverflow2017 if and only if the account doing the operation is 123456789.
This approach allows you to set a bucket policy on a bucket; you can do that either via the CLI, API calls or through the AWS Console.
Click on the bucket stackoverflow2017, click on the tab Permissions, then click the button Bucket Policy. Paste the bucket policy, or generate it using the AWS Policy Generator.
The command below puts a new bucket policy on the bucket stackoverflow2017 using the file Stackoverflow2017.json:
$ aws s3api put-bucket-policy --bucket stackoverflow2017 --policy file://Stackoverflow2017.json
Upvotes: 3
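As an added, defender-side example that is not part of the question or answer above: a stdlib-only Python audit that parses a bucket policy like the ones in the answer and flags Allow statements whose Principal is "*" (everyone), distinguishing the unconditional case from the IP-guarded write grant shown above. The sample policy is constructed from the answer's second policy; the WRITE_ACTIONS set and the severity labels are my own assumptions, not an AWS classification.

```python
import json

# Constructed sample: the answer's "Principal": "*" bucket policy guarded only by an IP condition.
IP_GUARDED_WRITE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Stmt1515865413837",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:PutObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::stackoverflow2017/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "192.168.1.1"}}
  }]
}"""

# Assumed set of S3 actions that modify data or access control (lower-cased for comparison).
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:putbucketpolicy"}


def _as_list(value):
    """IAM allows Action/Resource/Principal.AWS to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True when the statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_bucket_policy(policy_json):
    """Return (sid, severity, message) tuples for Allow statements open to anonymous principals."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue  # account-scoped or Deny statements are not flagged
        sid = stmt.get("Sid", "<no Sid>")
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        writes = sorted(actions & WRITE_ACTIONS | {a for a in actions if a in ("s3:*", "*")})
        cond_keys = ", ".join(sorted(stmt.get("Condition", {})))
        if not cond_keys:
            findings.append((sid, "CRITICAL", "anonymous principal with no Condition"))
        elif writes:
            findings.append((sid, "HIGH", "anonymous write (%s) guarded only by %s" % (", ".join(writes), cond_keys)))
        else:
            findings.append((sid, "INFO", "anonymous read scoped by " + cond_keys))
    return findings


if __name__ == "__main__":
    for sid, severity, msg in audit_bucket_policy(IP_GUARDED_WRITE_POLICY):
        print("%-8s %s: %s" % (severity, sid, msg))
```

Running it on the answer's account-scoped policy (Principal arn:aws:iam::123456789:root) returns no findings, because the grant is tied to a specific account rather than to anyone who can reach the bucket from the listed address.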