Getting Started with AWS S3: Part 2 Security and Policies

By Vinay Badgujar

In part one of this S3 blog series we covered what S3 is and what buckets and objects are. In this part we explain security in S3 and the policies you can apply to it, which is an equally imperative part of AWS S3, so let’s deep dive into this.

Data stored in S3 needs to be secured, and many organizations have compliance policies that require it. In AWS S3, buckets are private by default: whenever you create a bucket with the default settings you get the option “Block Public access setting for this bucket”, and this option is selected by default during bucket creation. This means the bucket is strictly private, and as long as the option stays enabled the bucket can never be made public. The option exists to prevent company data leaks. This is how a private bucket is created: only the user who created the bucket can upload data to it, and only that user can view it, because it is a private bucket.

Before we move on to policies, note that you have to uncheck the “Block Public access setting for this bucket” option first; only then can you create a public bucket and attach policies to it.

Now, if you look at the access status of the bucket in the bucket properties section, you will see “Objects can be Public”. This means the bucket is not yet fully public; to make it public you have to attach a policy to it.

Now, there are different types of policies you can apply to the S3 bucket,

IAM Policy:

An IAM policy is applied at the AWS account level using the AWS IAM service. It controls whether a particular IAM user within your AWS account is allowed to access the S3 bucket or not: you create the IAM policy and attach it to an IAM group or directly to an IAM user in the IAM service. You can also create and attach policies to an IAM role, which lets a particular AWS service access S3 in your account. (For example, if you have an EC2 instance in AWS and want to access a particular S3 bucket from that instance, you create an IAM role with an S3 bucket access policy and attach that role to your EC2 instance; after that, the instance can access that S3 bucket securely, without any long-lived access keys on the instance.)

Bucket Policies:

A bucket policy is a resource-based policy that you attach directly to the S3 bucket. Bucket policies are what you use to make an S3 bucket public. Only the bucket owner can attach a bucket policy to a particular bucket, and these are also JSON-based policies with Allow or Deny statements. With bucket policies you can allow cross-account access to the S3 bucket, or make the objects inside the bucket public, which is very helpful when you host a static website on AWS.

Here is an example AWS bucket policy that allows the GetObject permission on vinaydemo3bucket. This means anyone outside your network, i.e. anyone on the internet, can read the objects in this bucket, but they can only read them: no one can edit or delete the objects inside vinaydemo3bucket, because only the specific s3:GetObject action is allowed in this policy and only the bucket owner can edit or delete objects.

{
  "Id": "Policy1699874245552",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1699874187229",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::vinaydemo3bucket/*",
      "Principal": "*"
    }
  ]
}

Once this policy is attached to the bucket, the S3 bucket access status will show “Public”, and anyone on the internet can now view the objects inside it.

Encryption:

All AWS S3 buckets have encryption configured by default, and new objects are automatically encrypted at rest using server-side encryption with Amazon S3 managed keys (SSE-S3).

That’s a quick wrap on Part 2 of this AWS S3 series. In this post we tried to explain the security aspects of AWS S3, which are among its most important parts. Thank You!! – Nikita and Vinay Signing Off

For more details, see the AWS official reference documentation, and check out the “Protecting data with encryption” section as well.