ACL and Policy. Set ACL and Policy on S3 storage with S3cmd

ACL

Policy

Examples of ACL and Policy requests

ACL

Access Control List is a list of permissions that specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. 

Note that the Storage owner is responsible for configuring and managing the ACL.

To manage your S3 storage, use the S3cmd commands described below.

What an ACL looks like

The command to configure the ACL is as follows:

s3cmd setacl s3://my_bucket/cat.jpg --acl-public

This example sets a public ACL (--acl-public) on a specific object (cat.jpg) in the bucket (my_bucket).

After the command is applied, this object is available to anyone at

https://s-ed1.cloud.gcore.lu/my_bucket/cat.jpg

ACL on objects allows you to configure a wide range of actions:

Action                     Description
--acl-public               Set a public ACL on an object.
--acl-private              Set a private ACL on an object.
--acl-grant=full-control   Grant full access to bucket management and regulation.
--acl-grant=read           Allow listing objects in a bucket.
--acl-grant=read_acp       Allow reading the ACL.
--acl-grant=write          Allow writing, overwriting, and deleting objects.
--acl-grant=write_acp      Allow writing ACLs.

Policy

For a more detailed configuration of access rights to files and buckets, use a policy.

A policy lets you regulate not only specific actions but also access to specific directories in the bucket for specific users, groups, or sources.

A policy is written in JSON format.

The maximum request size is 20 KB.

What a policy is

The JSON file specifies the actions permitted on files or buckets; for finer-grained request management, the actions can be supplemented with conditions.

Note! All the available actions, conditions, and resource types are described in the official documentation.

Here is an example of an access policy that denies all users the operation ("s3:GetObject") in the bucket directory ("Resource": "arn:aws:s3:::my_bucket/secret/*") but allows it on the bucket ("Resource": "arn:aws:s3:::my_bucket/*"), which is one level higher.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/secret/*"
    }
  ]
}

After the JSON file is created, the access policy is applied to the file or bucket:

s3cmd setpolicy policy_name.json s3://my_bucket/

Examples of ACL and Policy requests

How to open a file for download

Here is an example of setting a public ACL (--acl-public) on a specific object (cat.jpg) in the bucket (my_bucket):

s3cmd setacl s3://my_bucket/cat.jpg --acl-public

After this command is applied, the object cat.jpg is available to anyone at

https://s-ed1.cloud.gcore.lu/my_bucket/cat.jpg

How to make a file in a bucket public

Here is an example of a JSON file that allows all users ("Principal": "*") to download objects ("Action": "s3:GetObject") in the bucket ("Resource": "arn:aws:s3:::my_bucket/*").

Please note! This access policy allows files to be fetched by a direct link but does not allow listing the files in the bucket.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    }
  ]
}

Applying the access policy to the bucket:

s3cmd setpolicy policy_name.json s3://my_bucket/


How to hide a directory

Here is an example of a JSON file that denies all users the operation ("s3:GetObject") in the bucket directory ("Resource": "arn:aws:s3:::my_bucket/secret/*") but allows it on the bucket ("Resource": "arn:aws:s3:::my_bucket/*") as a whole:

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/secret/*"
    }
  ]
}

Applying the access policy to the bucket:

s3cmd setpolicy policy_name.json s3://my_bucket/


How to allow requests from a single IP

Here is an example of a JSON file that allows requests to the storage only from the specified IP range ("IpAddress": {"aws:SourceIp": "54.240.143.0/24"}):

{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my_bucket",
        "arn:aws:s3:::my_bucket/*"
      ],
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"}
      }
    }
  ]
}

Applying the access policy to the bucket:

s3cmd setpolicy policy_name.json s3://my_bucket/


How to allow requests from a particular site

Here is an example of a JSON file that only allows requests whose referrer is one of the sites specified in the access policy ("StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}):

{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests originating from www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Condition": {
        "StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    }
  ]
}

Applying the access policy to the bucket:

s3cmd setpolicy policy_name.json s3://my_bucket/
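As an added example (not from the original page or from S3cmd), a small Python evaluator that applies the decision rules the "hide a directory", "single IP" and "particular site" policies above rely on: an explicit Deny wins over any Allow, a request that no statement matches is implicitly denied, and IpAddress/StringLike conditions must be met. It assumes anonymous requests (Principal "*") and IAM wildcard semantics, and it also enforces the 20 KB limit stated earlier; the HIDE_SECRET sample is constructed from the "How to hide a directory" policy.

```python
import fnmatch
import ipaddress
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(value, patterns):
    # IAM-style wildcard match; "*" also crosses "/", so my_bucket/* covers secret/x.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(cond, ctx):
    # Only the two operators this page uses: IpAddress and StringLike.
    for op, keys in cond.items():
        for key, expected in keys.items():
            actual = ctx.get(key)
            if actual is None:  # key absent from the request: condition unmet
                return False
            if op == "IpAddress":
                nets = [ipaddress.ip_network(n) for n in _as_list(expected)]
                if not any(ipaddress.ip_address(actual) in n for n in nets):
                    return False
            elif op != "StringLike" or not _match(actual, expected):
                return False  # assumption: an unmodelled operator counts as unmet
    return True

def evaluate(policy_json, action, resource, ctx=None):
    # Anonymous (Principal "*") requests only: an explicit Deny beats any
    # Allow, and a request that no statement matches is implicitly denied.
    if len(policy_json.encode()) > 20 * 1024:  # the 20 KB limit stated above
        raise ValueError("policy exceeds the 20 KB request limit")
    ctx, decision = ctx or {}, "Deny"
    for st in json.loads(policy_json)["Statement"]:
        if "*" not in _as_list(st["Principal"]):
            continue
        if not _match(action, st["Action"]) or not _match(resource, st["Resource"]):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

# Constructed sample: the "How to hide a directory" policy from this page.
HIDE_SECRET = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my_bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my_bucket/secret/*"}]})
```

Requests from outside the IP range or without a matching referrer come back as Deny only because nothing else allows them; in the policy language an Allow never revokes access granted elsewhere, so check the bucket's ACL and other statements before relying on a condition alone.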

How to list a bucket

Here is an example of a command that allows anonymous users to list the files in a bucket but does not allow them to read or write those files:

s3cmd setacl s3://my_bucket/ --acl-grant=read

Grant a user access to a bucket

Here is an example of a JSON file that grants a user access to a bucket:

  • 4702-test is the storage name in your personal account.
  • my_bucket is the bucket to which access is granted.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam:::user/4702-test"]},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my_bucket/*", "arn:aws:s3:::my_bucket"]
    }
  ]
}

Applying the access policy to the bucket:

s3cmd setpolicy policy_name.json s3://my_bucket/