Configuring S3 permissions and access controls
It's important to ensure that only authorized users have access to your data. S3 allows you to set fine-grained permissions on individual objects and buckets, so you can control who can access your data and what actions they can perform. By default, all S3 resources (buckets and objects) are private, meaning only the resource owner can access them.
The resource owner can give access to others through resource-based policies (attached to the resource) or user policies (or identity-based policies). Access control lists (ACLs) can also be used to grant basic read and write permissions to other AWS accounts. However, it is generally recommended to use policies rather than ACLs for access control.
Identity-based policies are policies that are attached to an identity (IAM user, group, or role). These policies specify the permissions that the identity has, such as the actions they can perform and the resources they can access. Identity-based policies can be managed (saved and managed in IAM) or inline (included directly in the identity's JSON policy document).
You will learn more about identity-based policies in our IAM section so this course will focus on resource-based policies.
Resource-based policies are policies that are attached to a resource (an S3 object, in this example) and specify who has access to the resource and what actions they can perform on it. These policies are inline only, meaning that they are defined directly within the resource's configuration and cannot be managed independently from the resource. Resource-based policies can be used to grant permissions to other AWS accounts or to IAM users, groups, and roles within your account.
Configuring Bucket Policies
To configure an S3 Bucket Policy, open the S3 Buckets dashboard, then select the desired bucket (in my case, myfirstbucket129).
Next, click the Permissions tab:
This page allows us to enable or disable public access:
If you want to enable public access to your S3 bucket, you can uncheck the Block all public access checkbox and click Save changes.
This does not mean that all objects are public. Instead, it makes it possible for individual S3 objects to be set to public. If you wanted to make the aws.zip file public, you still could not, because the bucket owner enforced setting is applied for Object Ownership:
Enable Object ACLs for Object Ownership
To change this, on the S3 Bucket permissions tab, scroll down to the Object Ownership section. Click Edit:
Next, we can enable ACLs and acknowledge that ACLs will be restored. Click Save changes.
Configuring Object ACLs
Now we can scroll down to the permissions section and grant Read permissions to Everyone by clicking the Edit button:
Before we make any changes, you will notice that for the grantee Everyone there are List (for Objects) and Read (for Object ACL) options:
Let's explain the difference between these two:
- Objects
This controls the grantee's (in this case, everyone's) access to the individual object. This will allow the object to be downloaded by everyone.
- Object ACL
This controls access to view or write to the specific Object ACL, which we would never want everyone to write to (which is why it isn't possible to select).
Add Read permissions to the ACL:
At the bottom you'll need to confirm that you want to grant access. Click the checkbox, then select Save changes:
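The same checks the console walks through above can be scripted. The helper below is an added example and not part of this course: it reads an object ACL in the JSON shape returned by `aws s3api get-object-acl`, flags any grant to the Everyone or Authenticated users groups, and only reports an object as publicly readable once the bucket's Block all public access and Object Ownership settings have been taken into account. The ACL and the two bucket-level flags are constructed sample inputs.

```python
# Added audit helper (not part of the course): checks an object ACL in the JSON
# shape returned by `aws s3api get-object-acl` for grants to the public groups the
# console labels "Everyone (public access)" and "Authenticated users group".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "Everyone", AUTH_USERS: "Authenticated users"}

# READ lets the grantee download the object, READ_ACP lets them view its ACL,
# WRITE_ACP lets them change its ACL, FULL_CONTROL grants all of these.
ACL_WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
DOWNLOAD_PERMS = {"READ", "FULL_CONTROL"}

SAMPLE_ACL = {  # constructed: owner keeps full control, Everyone gets READ
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}


def public_grants(acl):
    """Return (grantee label, permission, severity) for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # the owner or a specific account: not a public grant
        label = PUBLIC_GROUPS.get(grantee.get("URI"))
        if label is None:
            continue  # some other group, e.g. LogDelivery
        perm = grant["Permission"]
        # Letting everyone rewrite the ACL (WRITE_ACP) is far worse than public
        # read, which is why the console never offers that box for Everyone.
        severity = "critical" if perm in ACL_WRITE_PERMS else "public-read"
        findings.append((label, perm, severity))
    return findings


def object_is_publicly_readable(acl, block_all_public_access, bucket_owner_enforced):
    """Apply the two bucket-level switches from the lesson before trusting the ACL.

    Assumption: block_all_public_access mirrors the single console checkbox
    (all four settings on) and bucket_owner_enforced means ACLs are disabled.
    """
    if bucket_owner_enforced or block_all_public_access:
        return False  # public ACL grants are ignored entirely in either state
    return any(perm in DOWNLOAD_PERMS for _, perm, _ in public_grants(acl))
```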