December 2014
How do I limit the access to a particular Amazon S3 bucket

In certain projects we need to create many users, each with an online storage location to upload their files. Sometimes, when you manage a large project, you need access to all of the users' folders while the users themselves must not be able to interfere with each other's files.

My requirement: I have one AWS account and many projects that use AWS services. Most of the users' data is binary, and serving binary data through the web server can slow down the platform, so I prefer to store it on S3 for fast sharing over the web.

How to restrict a user's S3 access to one bucket

First, create an IAM user in your AWS account.

[Screenshot: S3-1]

Then create a bucket for this user. Don't forget to set full permission for all authenticated users.

[Screenshot: S3-2]

Next, create a custom policy and attach it to that user, as shown below. For this test I created a bucket named “liju-store”.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::liju-store"
            ]
        },
        {
            "Sid": "2",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::liju-store/*"
            ]
        }
    ]
}

That's it. Please note that this user cannot log in to the AWS Management Console, even if you create a password for the user.

How do I test it?

It is very important to test your setup, since there is no way to verify it other than exercising the API yourself.

Here I use the s3cmd command line tool and rebuild its configuration file with this S3 user's credentials.

[root@web-dev ~]# s3cmd   --configure
Enter new values or accept defaults in brackets with Enter.
Refer to user manual for detailed description of all options.
Access key and Secret key are your identifiers for Amazon S3. Leave them empty for using the env variables.
Access Key: AKIsdsds dsadsadB23F3A
Secret Key: 5taDRsdsadsadsadsadsadzfnfJmpuKSPwBz

Once the s3cmd environment is configured, I need to test it, so I created a “test” folder in the bucket using my AWS account.

When you try to list all buckets, it shows an error. See below:

[root@-dev ~]# s3cmd ls
ERROR: S3 error: 403 (AccessDenied): Access Denied
[root@-dev ~]#

Perfect! No surprise: you can't see other buckets.

If you want to see your bucket, you need to specify the bucket name:

[root@-dev ~]# s3cmd ls s3://liju-store
                       DIR   s3://liju-store/test/
[root@-dev ~]#

Checking the permissions

Now I try to upload a file to S3 using the limited credentials:

[root@-dev ~]# cd /tmp/test/
[root@-dev test]# ls
sample.sql
[root@s-dev test]# s3cmd put sample.sql s3://liju-store/test/
sample.sql -> s3://liju-store/test/sample.sql  [1 of 1]
 4007168 of 4007168   100% in    0s    15.20 MB/s  done
[root@-dev test]#

Lol!! 🙂 I have write permissions there. So I can create any number of users with isolated/jailed access using a single AWS account.
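As an added example (not code from the post), here is a small Python model of how IAM evaluates the policy above, used to predict the outcome of each s3cmd command in the test section; the evaluator is deliberately simplified, and the mapping from s3cmd commands to S3 API actions is my own assumption.

```python
import fnmatch

# Inline user policy from the post (with the Version field IAM recommends).
BUCKET = "liju-store"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "1", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [f"arn:aws:s3:::{BUCKET}"]},
        {"Sid": "2", "Effect": "Allow",
         "Action": "s3:*",
         "Resource": [f"arn:aws:s3:::{BUCKET}/*"]},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'),
    # '?' matches one character; action names compare case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """Simplified IAM decision: explicit Deny wins, then any matching Allow,
    otherwise implicit deny. Condition/NotAction/NotResource are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def simulate_s3cmd(policy, bucket):
    """Assumed mapping of the post's s3cmd calls onto the S3 API actions they issue."""
    return {
        "s3cmd ls": is_allowed(policy, "s3:ListAllMyBuckets", "arn:aws:s3:::*"),
        f"s3cmd ls s3://{bucket}": is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        f"s3cmd put sample.sql s3://{bucket}/test/":
            is_allowed(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/test/sample.sql"),
        "s3cmd ls s3://other-bucket": is_allowed(policy, "s3:ListBucket", "arn:aws:s3:::other-bucket"),
    }

if __name__ == "__main__":
    for cmd, ok in simulate_s3cmd(POLICY, BUCKET).items():
        print(f"{cmd:45} -> {'allowed' if ok else '403 AccessDenied'}")
```

This models only the identity policy; S3 also evaluates bucket policies and ACLs, and an ACL grant to the "Authenticated Users" group applies to every AWS account, not just the users in yours.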
