It seems that Access Control Lists (ACL), CORS configurations, and the permissions for each bucket and object all come into play when configuring the access settings for S3 buckets/objects.
Can someone explain the difference between these and how they work together?
They are the recommended way to configure access to an S3 bucket. A policy is a JSON document composed of statements. In each statement you either Allow or Deny an action to a Principal (the users affected by the policy).
Considered legacy, they predate the implementation of bucket policies, but they allow you to set permissions at the file level. For example, if you want to restrict access to a specific file within a bucket, but not to the whole bucket, you will need to use ACLs.
This is an XML file to configure the CORS headers. You can choose to allow only some HTTP methods (for example GET and POST) or all of them.
More details in the AWS Documentation.
For more info about CORS: What is CORS?
They are similar to bucket policies, except you attach them to a User, Group or Role instead of a bucket.
In case of conflict between ACLs, IAM policies and bucket policies, for example if there are both an Allow and a Deny applying to the same resource and user, the Deny always wins.
The algorithm to resolve permissions is basically:
- If there is a Deny, deny access
- If there is an Allow, allow access
- If there isn't anything, deny by default
Apply the principle of least privilege (don't allow access unless it's needed). It's not recommended to attach policies directly to a User, but rather to create a group with the permissions attached to it, then add the user to the group. You can have, for example, a group Developer with full access to S3 and a group Finance with read-only access. If you need to restrict access to a bucket, use bucket policies. Only use ACLs if you need to configure access to individual files.
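The resolution order described in the answer (explicit Deny first, then explicit Allow, otherwise implicit Deny), as an added example that is not part of the original answer: a small Python evaluator run over a constructed bucket policy. The account ID, bucket name and user ARNs are made up, and the matcher is a simplified model (wildcards only, no Condition blocks, no merging with ACLs or IAM policies).

```python
import json
from fnmatch import fnmatchcase

# Constructed sample bucket policy; the account ID, bucket and user names are made up.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "DevReadsWholeBucket",
   "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:user/dev-alice"},
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
  {"Sid": "NobodyReadsSecrets",
   "Effect": "Deny",
   "Principal": "*",
   "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
]}
""")

DEV = "arn:aws:iam::123456789012:user/dev-alice"        # constructed principal
FINANCE = "arn:aws:iam::123456789012:user/finance-bob"  # constructed principal

def _as_list(value):
    # Policy fields may hold a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _principal_matches(principal_field, principal_arn):
    if principal_field == "*":  # "*" means everyone, including anonymous callers
        return True
    return any(fnmatchcase(principal_arn, p) for p in _as_list(principal_field.get("AWS", [])))

def _statement_matches(stmt, principal_arn, action, resource):
    # A statement applies only if principal, action and resource all match (wildcards allowed).
    return (_principal_matches(stmt["Principal"], principal_arn)
            and any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def evaluate(policy, principal_arn, action, resource):
    """Apply the resolution order from the answer: an explicit Deny beats everything,
    then an explicit Allow grants access, and no matching statement means Deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_matches(s, principal_arn, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"  # implicit deny by default
```

Running it shows the interplay: dev-alice can read `reports/q1.csv` but not `secrets/key.pem` (Allow and Deny both match, Deny wins), and finance-bob gets the implicit Deny because no statement names him.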