Bucket Policies

Bucket Policies grant specific users, or all users, conditional and granular permissions for specific actions.

Policy conditions can be used to assign permissions for a range of objects that match the condition and can be used to automatically assign permissions to newly uploaded objects.

How access to resources is managed when using the S3 protocol is described in https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html; that material is the basis for understanding and using S3 bucket policies in cegedim.cloud Object Storage Service.

This section provides basic information about the use of bucket policies.

Manage Bucket Policies

Bucket policies can be managed using aws s3api (other tools or SDKs work too):

  • get-bucket-policy

  • put-bucket-policy

  • delete-bucket-policy

We use the aws s3 and aws s3api command line tools from AWS CLI v2 on Linux.

${S3_ENDPOINT} and ${S3_PROFILE} are environment variables.

Create Bucket Policy

Create a JSON file and configure your policy:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "Grant permission to <access_key>",
            "Effect": "Allow",
            "Principal": ["<access_key>"],
            "Action": [ "s3:PutObject","s3:GetObject" ],
            "Resource":[ "bucket-test/*" ]
        }
    ]
}

The Principal element specifies the Object User Access Key that is allowed or denied access to a resource.

You can use the wildcard '*' to mean all Object Users.

Be careful: setting the Principal to the wildcard in a bucket policy means that anyone, including anonymous requests from the Internet, can access the resources and perform the allowed actions.

Apply it to the bucket bucket-test:

aws s3api --endpoint-url=${S3_ENDPOINT} put-bucket-policy --bucket bucket-test --policy file://policy.json --profile ${S3_PROFILE}

Get Bucket Policy

aws s3api --endpoint-url=${S3_ENDPOINT} get-bucket-policy --bucket bucket-test --profile ${S3_PROFILE}

Delete Bucket Policy

aws s3api --endpoint-url=${S3_ENDPOINT} delete-bucket-policy --bucket bucket-test --profile ${S3_PROFILE}

Bucket Policy management scenarios

Grant bucket permissions to a user

{
    "Version": "2012-10-17",
    "Id": "S3PolicyId1",
    "Statement": [
        {
            "Sid": "Grant permission to user1",
            "Effect": "Allow",
            "Principal": ["<access_key>"],
            "Action": [ "s3:PutObject","s3:GetObject" ],
            "Resource":[ "arn:aws:s3:::mybucket/*" ]
        }
    ]
}

Grant read only bucket permissions to a user

{
  "Version": "2012-10-17",
  "Id": "s3ReadOnlyforUser",
  "Statement": [
    {
      "Sid": "Grant read permission to user1",
      "Effect": "Allow",
      "Principal": ["<access_key>"],
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}

Grant bucket permissions to all users (public access)

cegedim.cloud Object Storage Service is directly accessible from Internet.

If you grant public access to your Bucket or a subset of your Bucket, anyone can GET your objects.

For more information, please read Manage Bucket access.

Public bucket
{
    "Version": "2012-10-17",
    "Id": "S3PolicyId2",
    "Statement": [
        {
            "Sid": "Public Access to mybucket",
            "Effect": "Allow",
            "Principal": ["*"],
            "Action": [ "s3:GetObject" ],
            "Resource":[ "arn:aws:s3:::mybucket/*" ]
        }
    ]
}

Accessing Bucket via baseURL in a Web Browser

With public access, bucket content can be accessed directly using a web browser.

The URL to access a public bucket follows this format: https://<object-store_name>.storage-[eb4|et1].cegedim.cloud/<bucket_name>

Example : https://cos-cegedimit-myit.storage-eb4.cegedim.cloud/my-bucket

Grant bucket permissions to all users (public access) to Objects under a specific prefix

With the following policy, all objects in the bucket my-bucket under the prefix public/ are publicly accessible:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "public-access-based-on-prefix",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::my-bucket/public/*"]
    }
  ]
}
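The Principal warning in the "Create Bucket Policy" section and the two public-access scenarios above share one practical need: checking a policy document for wildcard Principals before it is applied with put-bucket-policy (or after fetching it with get-bucket-policy). The following Python script is an added example, not code from this page or from cegedim.cloud. It audits a policy for statements that open actions to everyone, and builds the read-only policy from the "Grant read only bucket permissions" scenario for one Object User, optionally limited to a key prefix. The sample policy and the access key EXAMPLE_ACCESS_KEY are constructed placeholders; scoping s3:ListBucket with the s3:prefix condition key follows AWS semantics and is assumed to behave the same way on this service.

```python
import json

# Constructed sample policy (not from the page or cegedim.cloud): the
# "public/ prefix" scenario plus a user-scoped statement, so both Principal
# forms used on this page (a bare "*" string and a list) are exercised.
# EXAMPLE_ACCESS_KEY is a placeholder for an Object User access key.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "public-access-based-on-prefix",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::my-bucket/public/*"],
        },
        {
            "Sid": "Grant read permission to user1",
            "Effect": "Allow",
            "Principal": ["EXAMPLE_ACCESS_KEY"],
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
        },
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(policy):
    """Return every Allow statement whose Principal is the '*' wildcard.

    Each finding lists the actions and resources that statement opens to
    anyone on the Internet. Run it over a policy before put-bucket-policy,
    or over the output of get-bucket-policy, to catch unintended exposure.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            # AWS also accepts {"AWS": "*"}; this page only uses the bare form
            principal = principal.get("AWS")
        if "*" in _as_list(principal):
            findings.append({
                "Sid": stmt.get("Sid", "<no Sid>"),
                "Action": _as_list(stmt.get("Action")),
                "Resource": _as_list(stmt.get("Resource")),
            })
    return findings


def build_read_only_policy(bucket, access_key, prefix=""):
    """Build the page's read-only policy for one Object User, optionally
    limited to a key prefix such as "reports/".

    ListBucket is bucket-level, so its prefix restriction is expressed with
    the s3:prefix condition key; GetObject is object-level, so the prefix
    goes into the Resource ARN. They are separate statements because a
    Condition applies to the whole statement and s3:prefix is not present
    on GetObject requests (a missing key would make the condition fail).
    """
    list_stmt = {
        "Sid": f"List {bucket} for {access_key}",
        "Effect": "Allow",
        "Principal": [access_key],
        "Action": ["s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}"],
    }
    if prefix:
        list_stmt["Condition"] = {"StringLike": {"s3:prefix": [f"{prefix}*"]}}
    get_stmt = {
        "Sid": f"Get objects under {bucket}/{prefix} for {access_key}",
        "Effect": "Allow",
        "Principal": [access_key],
        "Action": ["s3:GetObject"],
        "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
    }
    return {"Version": "2012-10-17", "Id": f"s3ReadOnly-{bucket}",
            "Statement": [list_stmt, get_stmt]}


def policy_json(policy):
    """Serialise for: aws s3api put-bucket-policy --policy file://policy.json"""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for f in public_grants(SAMPLE_POLICY):
        print(f"PUBLIC: '{f['Sid']}' allows {f['Action']} on {f['Resource']}")
    print(policy_json(build_read_only_policy("my-bucket", "EXAMPLE_ACCESS_KEY", "reports/")))
```

Running the script prints one PUBLIC line for the prefix-scoped statement and none for the user-scoped one; write the generated JSON to policy.json and apply it with the put-bucket-policy command shown earlier on this page.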

Supported Policy Operations & Conditions

Supported bucket policy operations

Permissions for Object Operations

Permission keyword             Supported S3 operations
-----------------------------  -----------------------------------------------------------------------------------
s3:GetObject                   GET Object, HEAD Object (applies to the latest version for a version-enabled bucket)
s3:GetObjectVersion            GET Object, HEAD Object (supports requests that specify a version number)
s3:PutObject                   PUT Object, POST Object, Initiate Multipart Upload, Upload Part, Complete Multipart Upload, PUT Object
s3:GetObjectAcl                GET Object ACL
s3:GetObjectVersionAcl         GET ACL (for a specific version of the object)
s3:PutObjectAcl                PUT Object ACL
s3:PutObjectVersionAcl         PUT Object (for a specific version of the object)
s3:DeleteObject                DELETE Object
s3:DeleteObjectVersion         DELETE Object (a specific version of the object)
s3:ListMultipartUploadParts    List Parts
s3:AbortMultipartUpload        Abort Multipart Upload

Permissions for Bucket Operations

Permission keyword             Supported S3 operations
-----------------------------  -------------------------------------
s3:DeleteBucket                DELETE Bucket
s3:ListBucket                  GET Bucket (List Objects), HEAD Bucket
s3:ListBucketVersions          GET Bucket Object versions
s3:GetLifecycleConfiguration   GET Bucket lifecycle
s3:PutLifecycleConfiguration   PUT Bucket lifecycle

Permissions for Bucket Sub-resource Operations

Permission keyword             Supported S3 operations
-----------------------------  -------------------------------------
s3:GetBucketAcl                GET Bucket acl
s3:PutBucketAcl                PUT Bucket acl
s3:GetBucketCORS               GET Bucket cors
s3:PutBucketCORS               PUT Bucket cors
s3:GetBucketVersioning         GET Bucket versioning
s3:PutBucketVersioning         PUT Bucket versioning
s3:GetBucketPolicy             GET Bucket policy
s3:DeleteBucketPolicy          DELETE Bucket policy
s3:PutBucketPolicy             PUT Bucket policy

Supported bucket policy conditions

The condition element is used to specify conditions that determine when a policy is in effect.

The following tables show the condition keys that are supported by cegedim.cloud Object Storage Service and that can be used in condition expressions.

Supported generic AWS condition keys

Key name / Description / Applicable operators

aws:CurrentTime
    Description: Used to check for date/time conditions.
    Applicable operators: Date operator

aws:EpochTime
    Description: Used to check for date/time conditions using a date in epoch or UNIX time (see Date Condition Operators).
    Applicable operators: Date operator

aws:principalType
    Description: Used to check the type of principal (user, account, federated user, etc.) for the current request.
    Applicable operators: String operator

aws:SourceIp
    Description: Used to check the requester's IP address.
    Applicable operators: String operator

aws:UserAgent
    Description: Used to check the requester's client application.
    Applicable operators: String operator

aws:username
    Description: Used to check the requester's user name.
    Applicable operators: String operator

Supported S3-specific condition keys for object operations

Key name / Description / Applicable permissions

s3:x-amz-acl
    Description: Sets a condition to require specific access permissions when the user uploads an object.
    Applicable permissions: s3:PutObject, s3:PutObjectAcl, s3:PutObjectVersionAcl

s3:x-amz-grant-permission (for explicit permissions), where permission can be: read, write, read-acp, write-acp, full-control
    Description: Bucket owner can add conditions using these keys to require certain permissions.
    Applicable permissions: s3:PutObject, s3:PutObjectAcl, s3:PutObjectVersionAcl

s3:x-amz-server-side-encryption
    Description: Requires the user to specify this header in the request.
    Applicable permissions: s3:PutObject, s3:PutObjectAcl

s3:VersionId
    Description: Restricts the user to accessing data only for a specific version of the object.
    Applicable permissions: s3:PutObject, s3:PutObjectAcl, s3:DeleteObjectVersion

Supported S3-specific condition keys for bucket operations

Key name / Description / Applicable permissions

s3:x-amz-acl
    Description: Sets a condition to require specific access permissions when the user uploads an object.
    Applicable permissions: s3:CreateBucket, s3:PutBucketAcl

s3:x-amz-grant-permission (for explicit permissions), where permission can be: read, write, read-acp, write-acp, full-control
    Description: Bucket owner can add conditions using these keys to require certain permissions.
    Applicable permissions: s3:CreateBucket, s3:PutBucketAcl

s3:prefix
    Description: Requires the user to specify this header in the request.
    Applicable permissions: s3:PutObject, s3:PutObjectAcl

s3:delimiter
    Description: Requires the user to specify the delimiter parameter in the Get Bucket (List Objects) request.
    Applicable permissions: s3:PutObject, s3:PutObjectAcl, s3:DeleteObjectVersion

s3:max-keys
    Description: Limits the number of keys Object Storage Service returns in response to the Get Bucket (List Objects) request by requiring the user to specify the max-keys parameter.
    Applicable permissions: s3:ListBucket, s3:ListBucketVersions
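The condition tables above list which keys and operators exist, but not how a Condition block combines with the Principal, Action and Resource elements when a request is evaluated. The following Python script is an added example, not code from this page or from cegedim.cloud: a small policy evaluator that models the string and date operators from the tables and shows the three rules that matter when writing conditions. It assumes AWS evaluation semantics apply to this service as well: an explicit Deny wins over any Allow, a request that matches no Allow is denied, and a condition key that is absent from the request makes the condition false. The policy, the access key EXAMPLE_ACCESS_KEY and the request contexts are constructed for the example; the aws:CurrentTime and s3:prefix keys are the ones listed in the tables.

```python
import fnmatch
from datetime import datetime, timezone

# Constructed sample policy (not from the page): one Object User may list only
# keys under "reports/", may fetch those objects only before a cut-off date,
# and nobody may fetch anything under "reports/secret/".
# EXAMPLE_ACCESS_KEY is a placeholder for an Object User access key.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "list-reports-only",
            "Effect": "Allow",
            "Principal": ["EXAMPLE_ACCESS_KEY"],
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::my-bucket"],
            "Condition": {"StringLike": {"s3:prefix": ["reports/*"]}},
        },
        {
            "Sid": "get-reports-until-cutoff",
            "Effect": "Allow",
            "Principal": ["EXAMPLE_ACCESS_KEY"],
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::my-bucket/reports/*"],
            "Condition": {"DateLessThan": {"aws:CurrentTime": "2025-01-01T00:00:00Z"}},
        },
        {
            "Sid": "never-expose-secret-reports",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::my-bucket/reports/secret/*"],
        },
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _parse_time(value):
    """Condition dates are ISO 8601 in UTC, e.g. 2025-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(condition, ctx):
    """Every operator block and every key inside it must hold; a key holds if
    any of its listed values matches; a key missing from the request context
    makes the whole condition false (assumed AWS semantics)."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            if key not in ctx:
                return False
            actual, wanted = ctx[key], _as_list(wanted)
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":  # '*' and '?' wildcards
                ok = any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            elif operator == "DateLessThan":
                ok = _parse_time(actual) < _parse_time(wanted[0])
            elif operator == "DateGreaterThan":
                ok = _parse_time(actual) > _parse_time(wanted[0])
            else:
                raise ValueError(f"operator not modelled here: {operator}")
            if not ok:
                return False
    return True


def evaluate(policy, principal, action, resource, ctx):
    """Decide "Allow" or "Deny" for one request. Statements whose principal,
    action, resource pattern or condition do not match are skipped; a
    matching explicit Deny wins immediately; no matching Allow means Deny."""
    decision = "Deny"
    for stmt in _as_list(policy["Statement"]):
        principals = _as_list(stmt["Principal"])
        if "*" not in principals and principal not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    bucket, key = "arn:aws:s3:::my-bucket", "EXAMPLE_ACCESS_KEY"
    print(evaluate(SAMPLE_POLICY, key, "s3:ListBucket", bucket, {"s3:prefix": "reports/2024/"}))
    print(evaluate(SAMPLE_POLICY, key, "s3:ListBucket", bucket, {}))  # no prefix sent
    print(evaluate(SAMPLE_POLICY, key, "s3:GetObject", bucket + "/reports/secret/x.csv",
                   {"aws:CurrentTime": "2024-06-01T12:00:00Z"}))
```

The second call is the case that surprises most people: a listing request without a prefix parameter is denied, not allowed, because the s3:prefix key is absent and the condition therefore fails. The third call shows the explicit Deny with a wildcard Principal overriding the user's own Allow, which is the pattern to use for data that must never become public even if a later policy edit is too broad.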
