Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

S3 bucket policy vs access control list

Tags:

amazon-web-services

amazon-s3

On AWS website, it suggests using the following bucket policy to make the S3 bucket public:

{     "Version": "2012-10-17",     "Statement": [         {             "Sid": "PublicReadGetObject",             "Effect": "Allow",             "Principal": "*",             "Action": [                 "s3:GetObject"             ],             "Resource": [                 "arn:aws:s3:::example-bucket/*"             ]         }     ] }

What's the difference between that and just setting it through the Access Control List?

enter image description here

like image 351
Avery235 Avatar asked Dec 14 '17 14:12

Avery235

People also ask

What is the difference between bucket policy and access control list?

ACLs were the first authorization mechanism in S3. Bucket policies are the newer method, and the method used for almost all AWS services. Policies can implement very complex rules and permissions, ACLs are simplistic (they have ALLOW but no DENY). To manage S3 you need a solid understanding of both.

What is difference between S3 bucket policies and IAM policies?

S3 bucket policies (as the name would imply) only control access to S3 resources, whereas IAM policies can specify nearly any AWS action.

What is a S3 bucket policy?

An S3 bucket policy is an object that allows you to manage access to specific Amazon S3 storage resources. You can specify permissions for each resource to allow or deny actions requested by a principal (a user or role).

What is the difference between ACL policies and rule policies?

The main difference is that clauses (rules) in an ACL are numbered, so it is possible to insert a new rule between any other two rules without re-creating the whole ACL. An example of ACL configuration is provided next. This simple access-list allows access from network 1.2.

2 Answers

Bottom line: 1) Access Control Lists (ACLs) are legacy (but not deprecated), 2) bucket/IAM policies are recommended by AWS, and 3) ACLs give control over buckets AND objects, policies are only at the bucket level.

Decide which to use by considering the following: (As noted below by John Hanley, more than one type could apply and the most restrictive/least privilege permission will apply.)

Use S3 bucket policies if you want to:

  • Control access in S3 environment
  • Know who can access a bucket
  • Stay under 20kb policy size max

Use IAM policies if you want to:

  • Control access in IAM environment, for potentially more than just buckets
  • Manage very large numbers of buckets
  • Know what a user can do in AWS
  • Stay under 2-10kb policy size max, depending if user/group/role

Use ACLs if you want to:

  • Control access to buckets and objects
  • Exceed 20kb policy size max
  • Continue using ACLs and you're happy with them

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

like image 76
DarkerIvy Avatar answered Sep 22 '22 15:09

DarkerIvy

If you want to implement fine grained control over individual objects in your bucket use ACLs. If you want to implement global control, such as making an entire bucket public, use policies.

ACLs were the first authorization mechanism in S3. Bucket policies are the newer method, and the method used for almost all AWS services. Policies can implement very complex rules and permissions, ACLs are simplistic (they have ALLOW but no DENY). To manage S3 you need a solid understanding of both.

The real complication happens when you implement both ACLs and policies. The end permission set will be the least privilege union of both.

like image 34
John Hanley Avatar answered Sep 19 '22 15:09

John Hanley
Sign in to Comment

Related questions

Cognito auth flow fails with "Already found an entry for username Facebook_10155611263153532"
Static outgoing IP in Kubernetes
In AWS IAM, What is the Purpose/Use of the "Path" Variable?
Can Amazon Glacier mirror an Amazon S3 bucket?
Is it possible (or efficient) to run a complete backend with AWS Lambda (vs say, Elastic Beanstalk)
Amazon - DynamoDB Strong consistent reads, Are they latest and how?
AWS cognito: What's the difference between Access and Identity tokens?
Amazon RDS stop instance [duplicate]
How to write a string to Amazon S3 bucket?
AWS vs Heroku vs something else for scalable platform?
Is the S3 "US Standard" region the same as "us-east-1" in EC2?
AWS Cognito: Best practice to handle same user (with same email address) signing in from different identity providers (Google, Facebook)
SSH fingerprint verification for Amazon AWS EC2 server with ECDSA?
Restricting access to CloudFront by IP
AWS: how to fix S3 event replacing space with '+' sign in object key names in json
AWS IAM: Unable to create additional Access Key
How to cp file only if it does not exist, throw error otherwise?
How could I use aws lambda to write file to s3 (python)?
Get AWS Account ID from Boto
How can I deduce the AWS Account ID from available BasicAWSCredentials?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!