S3 Bucket Policies
Jiri Pihik, Identity Management, Automation
Concepts
[Diagram: principals (Users, Instances, Services) accessing the layers of an S3 bucket: Metadata, Configuration, Security, Data, Data read-only]
S3 bucket layered permissions
[Diagram: a bucket policy applied across the same layers: Metadata, Configuration, Security, Data, Data read-only]
~ 46 permissions to define S3 bucket access
s3:PutBucketCORS, s3:PutBucketVersioning, s3:PutBucketWebsite, s3:DeleteBucketWebsite, s3:GetLifecycleConfiguration, s3:PutLifecycleConfiguration, s3:PutReplicationConfiguration, s3:GetReplicationConfiguration, ...
Who are you?
What IP do you have?
Is this the right time to access me?
Which parts of me can you access?
What can you do here?
Can you set a lifecycle here?
Are you able to write content?
Bucket access logging
my-s3-log-system
Example log (an aws-cli s3 object upload):
0b0fbd7ab5d1058f35535fec64595ed51f7fa26ef77ac8e5d88230898be92e2f my-corp-bucket [21/Jan/2016:12:47:32 +0000] 125.12.36.95 arn:aws:sts::012345678912:assumed-role/my-role/pihik 9E15D396E0071675 REST.PUT.OBJECT report.html "PUT /report.html HTTP/1.1" 200 - - 5134 457 6 "-" "aws-cli/1.9.21 Python/2.7.11 Windows/7 botocore/1.3.21" -
Use cases
● Prevent unauthorized access to your S3 resources
● Enables you to store application configs and secrets in an S3 bucket
● Enables development for 3rd parties
● Ensure only users from the corp network can access your S3 resources
● S3 static websites
● Enables fine-grained permissions inside a bucket - one folder for public access, another one for internal assets
● Improve your compliance level
DEMO!
Example bucket policies
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-corp-bucket/reports/*.pdf",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "108.72.209.118"
        }
      }
    }
  ]
}
3rd party vendor access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::corp-bucket/tools/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": [
            "125.10.15.0/16",
            "125.12.36.95",
            "10.0.0.0/24"
          ]
        }
      }
    }
  ]
}
access restricted to the corp network only
How to read that crazy stuff?!
Deny all S3 actions on the specified resource
IF the IP address IS NOT 125.x.x.x
DENY ALL S3 ACTIONS
ON THE SPECIFIED RESOURCE
IF THE IP ADDRESS IS NOT
125.x.x.x, OR … OR ...
"Condition": {
  "DateGreaterThan": {
    "aws:CurrentTime": "2016-02-09T12:00:00Z"
  },
  "DateLessThan": {
    "aws:CurrentTime": "2016-02-09T15:00:00Z"
  },
  "IpAddress": {
    "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
  }
}
Limited 3rd party bucket access
IP address AND a specific time range
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-corp-bucket/finance/*",
      "Condition": {
        "Null": {
          "aws:MultiFactorAuthAge": true
        }
      }
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::my-corp-bucket/public/*"
    }
  ]
}
require MFA for access to sensitive data
the /public folder is readable from the internet
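To make the "how to read that crazy stuff" walkthrough concrete, here is an added example (not from the deck or AWS) of a small evaluator for the corp-network and MFA policies above. It models only the condition operators the slides use (IpAddress, NotIpAddress, DateGreaterThan, DateLessThan, Null) and the explicit-deny-wins rule; a Deny-only bucket policy never grants access by itself, so an in-network request still ends as "implicit_deny" until an Allow (e.g. from the caller's IAM policy) is added.

```python
import fnmatch
import ipaddress

# Copies of the two bucket policies shown on the slides (constructed here for the demo).
CORP_NET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::corp-bucket/tools/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": [
         "125.10.15.0/16", "125.12.36.95", "10.0.0.0/24"]}}}]}
MFA_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my-corp-bucket/finance/*",
     "Condition": {"Null": {"aws:MultiFactorAuthAge": True}}},
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::my-corp-bucket/public/*"}]}

SUPPORTED_OPS = {"IpAddress", "NotIpAddress", "DateGreaterThan", "DateLessThan", "Null"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _in_any(ip, cidrs):
    # strict=False tolerates host bits in a prefix, e.g. "125.10.15.0/16" -> 125.10.0.0/16
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _conditions_hold(cond, ctx):
    """All condition blocks must hold; unknown operators fail closed (raise)."""
    for op, keys in cond.items():
        if op not in SUPPORTED_OPS:
            raise NotImplementedError(op)
        for key, want in keys.items():
            have, want = ctx.get(key), _as_list(want)
            if op == "IpAddress" and (have is None or not _in_any(have, want)):
                return False
            if op == "NotIpAddress" and have is not None and _in_any(have, want):
                return False
            if op == "Null" and (have is None) != (str(want[0]).lower() == "true"):
                return False
            # ISO-8601 "Z" timestamps in one format compare correctly as strings
            if op == "DateGreaterThan" and (have is None or have <= want[0]):
                return False
            if op == "DateLessThan" and (have is None or have >= want[0]):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' (nothing matched)."""
    decision = "implicit_deny"
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "explicit_deny"  # an explicit Deny always wins
        decision = "allow"
    return decision
```

The request context keys (aws:SourceIp, aws:MultiFactorAuthAge, aws:CurrentTime) are passed in as a plain dict, so you can replay the source IP from a bucket access-log line against the policy.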