In my previous article (Keep S3 Traffic Private with your VPC in AWS) I talked about the importance of keeping S3 traffic within the AWS network, using a VPC Endpoint rather than pushing this data through your NAT or IGW.
This is a great first step, but the next step is securing the buckets themselves. How do you control who has access to these buckets and S3 resources?
You can do this by creating Access Control Lists (ACLs) and Identity and Access Management (IAM) policies. ACLs and IAM policies let you explicitly grant access to AWS resources. By default everything is denied; your IAM policies are where you define what access a user has and to which resources. In this S3 bucket example there are two concepts to consider when setting things up:
- Bucket-level Access Control List (ACL) policy – A policy at the bucket level lets you explicitly grant access to specific AWS accounts, AWS users, etc.
- User policy – A policy that you create and attach to specific users to grant or deny access to specific buckets, or to folders within a bucket.
One thing to consider is to choose one of the two options when setting up these policies. If you mix the two, it becomes overly complicated to manage and may cause unpredictable results. Below is an example of a policy that performs the following:
- Restricts access to a specific bucket.
- Allows the user to upload, download and delete objects within that defined bucket.
Note: If you do not specify a bucket and/or folder name in the policy, it will allow that user to see ALL S3 buckets in your account and grant them full access!
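The following user policy is an added example (not the policy from the original article) that does exactly what the two bullets above describe. The bucket name `example-bucket` is a placeholder; `s3:ListBucket` is scoped to the bucket ARN itself, while the object actions are scoped to the objects inside it (`/*`), so neither statement falls back to the account-wide `*` resource that the note warns about.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyThisBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket"
    },
    {
      "Sid": "UploadDownloadDeleteInThisBucket",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}
```

To limit the user to a folder instead of the whole bucket, change the object resource to `arn:aws:s3:::example-bucket/folder-name/*` and add a `Condition` on `s3:prefix` to the `s3:ListBucket` statement; some GUI clients also need `s3:ListAllMyBuckets` to display the bucket list, which exposes the names of every bucket in the account.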
In order to use this new policy you will first need to create it, then go to the specific IAM user and attach the new policy to that user. Once the policy has been attached, you can use the user's generated access key and secret key to connect to S3 with CloudBerry or the AWS tools, test the functionality of the new policy and confirm that it fits your security needs.