Sample S3 Bucket Policies
[Allowing only SSE-KMS based encrypted objects for a bucket file upload]
As you may be aware, you can restrict access to S3 resources with two types of access policies (see Figure 1).
- Resource-based policies — [Bucket Policies / Bucket ACLs and Object ACLs]
- IAM-based policies
In S3, each bucket / object has an ACL attached to it as a subresource. It defines which AWS accounts or groups are granted access and the type of access.
When a request is received against a resource, S3 checks the corresponding ACL to verify that the requester has the necessary permissions attached to it.
When you create a bucket or an object within a bucket, S3 creates a default ACL that grants the resource owner full control over the resource. Later, you can add other AWS accounts or add public access (by default this is disabled) at the ACL level.
Bucket Policies
You cannot attach bucket policies to individual S3 objects, but the permissions specified in a bucket policy apply to all objects in the bucket.
S3 bucket policies specify which actions are allowed or denied for which principals on the bucket that the policy is attached to.
So, let us try a simple bucket object upload example in this blog to get the hang of the whole process. In a future blog, we can look at some other important S3 bucket policy examples.
Example 01 — Allowing an object / file to be uploaded to a bucket only when the upload request specifies KMS as the S3 server-side encryption method (SSE-KMS).
Step 1 — Create an S3 bucket (with default settings)
Step 2 — Upload an object to the bucket. You will be able to do this without any problem (since there is no policy defined at the moment).
Step 3 — Create a bucket policy that restricts file / object uploads to those using SSE-KMS as the server-side encryption method.
Select the bucket -> Select Permissions -> Select Bucket Policy -> Select Policy Generator (See the link at the bottom of the editor)
Under the Policy Generator, use the following values to generate the bucket policy.
Policy Type: S3 bucket policy
Effect: Deny
Principal: *
AWS Service: Amazon S3 (this is selected automatically)
Actions: PutObject
ARN: <Select the bucket ARN and paste it here>
Finally, click the Add Conditions link. In our scenario, we need to add the following condition to our policy:
Condition: StringNotEquals
Key: s3:x-amz-server-side-encryption
Value: aws:kms
Click Add Condition button (See Figure 3).
Click Add Statement button -> Finally Click Generate Policy button.
The above generates the required bucket policy for us. Copy and paste it into the Bucket Policy editor.
The resulting S3 bucket policy can be seen as follows (see Figure 4).
Now, click the Save button at the top of the screen to save the bucket policy. You may see an ERROR at this moment: s3:PutObject is an object-level action, so the Resource must refer to the objects in the bucket rather than the bucket itself. To solve this, add a wildcard (/*) as a suffix to the Resource string (arn:aws:s3:::<bucket-name>/*). See Figure 5.
Now, click the Save button to save the policy. It should work now.
Step 4 — Upload a file to the same bucket (i.e. crishantha-dilhan) without specifying an encryption method (see Figure 6). You will see an upload error in the console.
Step 5 — Try to upload a file with the encryption set to Amazon S3 Master Key (SSE-S3). You will still see the same error.
Step 6 — Now, finally, try the SSE-KMS option and specify the default KMS key aws/s3 as the master key (see Figure 7). You will be successful this time!
Congratulations! This was probably your first bucket policy experience with AWS. I am planning to cover more of these, since this is one of the tricky areas of AWS. You can find quite a few more complex bucket policy examples in the AWS documentation as well [1]. Good luck!
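As an added example (not code from the original post), the following Python builds the Deny statement produced in Step 3 and models locally how S3 evaluates it against the three upload attempts in Steps 4 to 6; the bucket name and the Sid are placeholders, and the real decision is of course made by S3, not by this script.

```python
BUCKET = "example-bucket"  # placeholder for the post's bucket name

def build_policy(bucket: str) -> dict:
    """The Deny statement generated in Step 3. The Resource carries the '/*'
    suffix because s3:PutObject acts on objects, which is why the bare
    bucket ARN was rejected when saving the policy."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUploadsWithoutSseKms",  # placeholder Sid
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
            },
        }],
    }

def string_not_equals(request_ctx: dict, expected: dict) -> bool:
    """IAM semantics for a negated operator: a key absent from the request
    context counts as a match, so an upload with no encryption header is
    denied just like one carrying the wrong value."""
    return any(request_ctx.get(k) != v for k, v in expected.items())

def put_object_denied(policy: dict, bucket: str, key: str, headers: dict) -> bool:
    """True if a Deny statement matches this PutObject (an explicit Deny
    always wins, so nothing else needs to be evaluated)."""
    object_arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != "s3:PutObject":
            continue
        res = stmt["Resource"]
        # Only an object-level ARN (".../*") can match an object key.
        if not (res.endswith("/*") and object_arn.startswith(res[:-1])):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if string_not_equals(headers, cond):
            return True
    return False

if __name__ == "__main__":
    # Constructed request headers for Steps 4 (none), 5 (SSE-S3) and 6 (SSE-KMS).
    for hdrs in ({}, {"s3:x-amz-server-side-encryption": "AES256"},
                 {"s3:x-amz-server-side-encryption": "aws:kms"}):
        verdict = "DENIED" if put_object_denied(build_policy(BUCKET), BUCKET, "file.txt", hdrs) else "allowed"
        print(hdrs or "no header", "->", verdict)
```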
References
- [1] AWS Bucket Policy Examples: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html