Implementing Access Control: S3 Bucket Policies Using AWS CLI

Managing access control for Amazon S3 buckets is essential to ensure the security of our resources. Using bucket policies, we can define precise rules that regulate access to buckets and their objects. In this guide, we will demonstrate how to apply S3 bucket policies using the AWS CLI with two examples:

  1. Allowing access from a specific IP address.
  2. Restricting access to specific objects from a designated domain.

Before we begin, ensure that you have:

  • AWS CLI Installed and Configured: Follow the AWS CLI installation guide to install the CLI, and configure it using aws configure.
  • Sufficient Permissions: Ensure you have the necessary permissions to modify S3 bucket policies in your AWS account.

Step 1: Create and Apply an IP-Based Policy

The first policy will allow access to an S3 bucket only from a specific IP address. This is helpful when you want to restrict access to trusted IP addresses.

Create the policy.json File

We can use the following JSON structure to allow access from the IP address 101.51.1.76:

json
{
    "Version": "2012-10-17",
    "Id": "Allow specific IP",
    "Statement": [
        {
            "Sid": "IPAllow",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::my-s3-bucket/*"
            ],
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": "101.51.1.76"
                }
            }
        }
    ]
}

  • Effect: This policy allows (Allow) all S3 actions (s3:*) on the objects in the specified bucket; the Resource ARN ends in /*, so it covers objects, not the bucket itself.
  • Principal: The asterisk (*) means the policy applies to any caller, including unauthenticated (anonymous) requests.
  • Condition: Limits access to requests from the IP address 101.51.1.76.

Apply the policy.json Using AWS CLI

After creating the policy.json file, we can apply the policy to our bucket by running the following AWS CLI command:

bash
aws s3api put-bucket-policy --bucket my-s3-bucket --policy file://policy.json

This command applies the policy defined in policy.json to the bucket my-s3-bucket.


Step 2: Create and Apply a Domain-Based Policy

Next, we’ll create a policy that restricts access to certain types of objects (such as images) based on the referring domain. This is useful when you want to ensure that only requests from a specific domain can access the objects in your S3 bucket.

Create the domain_policy.json File

Here’s an example of a policy that restricts access to .jpg files in the bucket to requests originating from the domain example.com:

json
{
  "Version": "2012-10-17",
  "Id": "Allow example.com to access images",
  "Statement": [
    {
      "Sid": "Allow only GET requests from specific domain",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::my-s3-bucket/*.jpg",
      "Condition": {
        "StringLike": {
          "aws:Referer": ["https://example.com/*"]
        }
      }
    }
  ]
}

  • Action: Allows only the s3:GetObject operation, that is, reading objects; no other S3 action is granted.
  • Condition: Limits access to requests whose Referer header matches https://example.com/*.
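To see how the IpAddress condition from Step 1 and the StringLike condition from Step 2 actually decide a request, here is an added example (not code from the original article) that simulates both policies against constructed sample requests. It also evaluates a constructed variant, IP_DENY_POLICY, that expresses the same IP restriction as an explicit Deny with NotIpAddress: that variant is an assumption introduced here, not something the article shows, and it illustrates why an Allow-only statement grants nothing to other addresses yet blocks nothing for callers whose own IAM permissions already cover the bucket. The simulator models one bucket policy for an anonymous caller and only the operators named; it is a teaching aid, not a replacement for AWS's own policy evaluation.

```python
# Added example, not from the original article: a small simulator for the
# condition operators the two policies above use (IpAddress, StringLike) plus
# NotIpAddress, used in a constructed explicit-Deny variant. It models one
# bucket policy for an anonymous caller; real AWS evaluation also consults IAM
# identity policies, SCPs and ACLs and has missing-key rules this model skips.
import fnmatch
import ipaddress
import json

# The two policies from the article (same content, compacted).
IP_POLICY = json.loads("""
{"Version": "2012-10-17", "Id": "Allow specific IP", "Statement": [
  {"Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::my-s3-bucket/*"],
   "Condition": {"IpAddress": {"aws:SourceIp": "101.51.1.76"}}}]}
""")
DOMAIN_POLICY = json.loads("""
{"Version": "2012-10-17", "Id": "Allow example.com to access images", "Statement": [
  {"Sid": "Allow only GET requests from specific domain", "Effect": "Allow",
   "Principal": "*", "Action": ["s3:GetObject"],
   "Resource": "arn:aws:s3:::my-s3-bucket/*.jpg",
   "Condition": {"StringLike": {"aws:Referer": ["https://example.com/*"]}}}]}
""")
# Constructed variant (assumption, not from the article): the same IP limit
# written as an explicit Deny for every other source address.
IP_DENY_POLICY = json.loads("""
{"Version": "2012-10-17", "Id": "Deny all but specific IP", "Statement": [
  {"Sid": "IPDeny", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::my-s3-bucket/*"],
   "Condition": {"NotIpAddress": {"aws:SourceIp": "101.51.1.76/32"}}}]}
""")


def _as_list(value):
    """Most policy elements accept one string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _ip_in(patterns, source_ip):
    """aws:SourceIp values are single addresses or CIDR ranges."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in patterns)


def _condition_holds(condition, request):
    """Every operator/key pair in a Condition block must be satisfied."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = request.get(key)
            if actual is None:  # key absent from the request: no match here
                return False
            patterns = _as_list(expected)
            if operator == "IpAddress":
                ok = _ip_in(patterns, actual)
            elif operator == "NotIpAddress":
                ok = not _ip_in(patterns, actual)
            elif operator == "StringLike":  # case-sensitive glob, * and ? only
                ok = any(fnmatch.fnmatchcase(actual, p) for p in patterns)
            else:
                raise ValueError(f"operator {operator!r} is not modelled")
            if not ok:
                return False
    return True


def evaluate(policy, request):
    """'Deny' if a matching statement denies, 'Allow' if one allows and none
    denies, 'NoMatch' if no statement applies (AWS then falls back to the
    implicit deny unless some other policy grants the call)."""
    decision = "NoMatch"
    for stmt in policy["Statement"]:
        # AWS matches action names case-insensitively; ARNs are case-sensitive.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(request["action"].lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(request["resource"], r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), request):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


# Constructed sample request (not real traffic); each case below varies it.
GET_JPG = {"action": "s3:GetObject", "resource": "arn:aws:s3:::my-s3-bucket/photos/cat.jpg"}


def demo():
    """Decisions for a set of sample requests, keyed by case name."""
    return {
        "ip_match": evaluate(IP_POLICY, {**GET_JPG, "aws:SourceIp": "101.51.1.76"}),
        "ip_other": evaluate(IP_POLICY, {**GET_JPG, "aws:SourceIp": "198.51.100.7"}),
        "ip_other_deny": evaluate(IP_DENY_POLICY, {**GET_JPG, "aws:SourceIp": "198.51.100.7"}),
        "ref_match": evaluate(DOMAIN_POLICY, {**GET_JPG, "aws:Referer": "https://example.com/gallery/"}),
        "ref_other": evaluate(DOMAIN_POLICY, {**GET_JPG, "aws:Referer": "https://example.net/"}),
        "ref_absent": evaluate(DOMAIN_POLICY, dict(GET_JPG)),
        "ref_put": evaluate(DOMAIN_POLICY, {**GET_JPG, "action": "s3:PutObject",
                                            "aws:Referer": "https://example.com/"}),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two results are worth dwelling on. ip_other comes back NoMatch rather than Deny: the Step 1 policy simply does not grant anything to other addresses, so an anonymous request is refused by the implicit deny, but a signed request from an IAM principal that already holds s3:GetObject is not blocked; only the explicit Deny in IP_DENY_POLICY (ip_other_deny) closes that gap. And the Referer cases show that the Step 2 policy keys on a header the client sends, so it is a hotlinking deterrent rather than authentication, which is also how AWS describes aws:Referer.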

Apply the domain_policy.json Using AWS CLI

After saving the policy to domain_policy.json, we can apply it using the AWS CLI:

bash
aws s3api put-bucket-policy --bucket my-s3-bucket --policy file://domain_policy.json

This command applies the domain-based policy to restrict .jpg file access to requests from example.com.


Step 3: Verify Bucket Policies

To ensure the policies have been applied correctly, we can retrieve and view the bucket's current policy using the command:

bash
aws s3api get-bucket-policy --bucket my-s3-bucket

This returns the current bucket policy (as a JSON string in the Policy field of the response) for review.
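Reading the policy back is only useful if you then check it. The added example below (not code from the original article) decodes the output of aws s3api get-bucket-policy, which wraps the policy document as a JSON string under the Policy key, and flags statements a reviewer would look at first: grants to every caller with no Condition, write or delete actions granted to anonymous callers, and conditions that rest on aws:Referer. The sample CLI output is constructed for the example; it contains the Step 1 policy plus an extra unconditioned PublicRead statement, added here purely to show what a finding looks like.

```python
# Added example, not from the original article: parse `aws s3api
# get-bucket-policy` output and flag statements worth a second look.
# Heuristics only, not a full policy analysis.
import json
import sys

# Constructed sample output (assumption: what the CLI prints after Step 1
# has been applied, plus one extra statement added to produce a finding).
SAMPLE_CLI_OUTPUT = json.dumps({
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "IPAllow", "Effect": "Allow", "Principal": "*",
             "Action": "s3:*", "Resource": ["arn:aws:s3:::my-s3-bucket/*"],
             "Condition": {"IpAddress": {"aws:SourceIp": "101.51.1.76"}}},
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-s3-bucket/*"},
        ],
    })
})


def load_policy(cli_output):
    """Decode the CLI wrapper, then the policy document it carries as a string."""
    return json.loads(json.loads(cli_output)["Policy"])


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means any caller, signed or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def review(policy):
    """Return (severity, sid, message) findings for Allow statements open to everyone."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if not stmt.get("Condition"):
            findings.append(("HIGH", sid, "grants access to everyone with no Condition"))
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        writes = [a for a in actions if a == "s3:*" or a.startswith(("s3:put", "s3:delete"))]
        if writes:
            findings.append(("MEDIUM", sid, "allows write/delete (" + ", ".join(writes)
                             + ") to any unauthenticated caller that meets the Condition"))
        if "aws:referer" in json.dumps(stmt["Condition"]).lower():
            findings.append(("LOW", sid, "relies on aws:Referer, a client-supplied header; "
                             "suitable against hotlinking, not as authentication"))
    return findings


if __name__ == "__main__":
    # Usage: aws s3api get-bucket-policy --bucket my-s3-bucket > policy-out.json
    #        python review_policy.py policy-out.json   (no argument: the sample above)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CLI_OUTPUT
    for severity, sid, message in review(load_policy(text)):
        print(f"[{severity}] {sid}: {message}")
```

Against the sample, IPAllow is reported as MEDIUM because s3:* with Principal "*" lets anyone at that address, authenticated or not, overwrite and delete objects, and the constructed PublicRead statement is reported as HIGH. Applied to the Step 2 policy, the only finding is the LOW note about aws:Referer.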


Summary

By using the AWS CLI, we can easily define and enforce fine-grained access controls on S3 buckets. In this article, we covered:

  1. An IP-based policy that restricts access to a specific IP address.
  2. A domain-based policy that limits access to certain objects from a specific domain.

These policies provide powerful tools for enhancing security, ensuring that your S3 resources are only accessible under defined conditions. Feel free to adapt these examples to meet the security needs of your own environment.
