Understanding the Security in s3

As you deal with more data storage, you must be worried of your data security and wanted to ensure that its safe and secure. By default, all s3 bucket and objects are private. However, as your business grows you need to deal with a tight and secure s3 security model to run your application in AWS.

In AWS, s3 permissions are categorized into user policies and resource based policies

User Policies

User based policy is associated with an IAM user, group and role. An account owner could grant specific access to an user based on role & responsibility within same account using user policy to s3 bucket. The user policy could be created with set of privilege for one or more bucket.

Resource Based Policies

s3 Bucket policy and Access control list(ACLs) are part of Resource based policy.

Bucket Policy

Bucket policies are attached to Buckets to control access by the users in the same account or other accounts to the buckets and objects in it. Bucket policy are similar to IAM policy for s3 service which allows or denies access to resources via JSON. Once the Bucket policy is implemented, the permissions are applied to all the objects within the Bucket.

Bucket policy could be used to grant cross-account access to other AWS account or IAM users to access the Bucket and Object in it. Only Account Owner is allowed to associate a policy to a Bucket. This provides centralize access control to Bucket and Object based on various conditions such as IP addresses, requesters, resources

Inside each Bucket policy, there is a set of policy statements and each statement contains the following elements

  • Statement ID (Sid)[Optional]: This is intended as description for the user.
  • Effect: The Effect is used to specify where the operation is allowed or denied
  • Principal: It specifies the user, account, service or other entity that is allowed or denied access to a resource.
  • Resource: The Resource element identifies buckets and objects. You could allow or deny access to bucket and object using URN to identify the resource.
  • Action: The Action and Effect elements are two components of permissions.
  • Conditions [Optional]: Conditions allow you to build expressions to determine when a policy should be applied

You could create a policy by your own or could take help of the AWS policy generator to generate a policy for you. Below is an example of Bucket policy for allowing all users in your account to have GetObject privilege on your s3 bucket “s3twwip“.

   "Id": "Policy1576013660245",
   "Version": "2012-10-17",
   "Statement": [
       "Sid": "Stmt1576013653748",
       "Action": [
       "Effect": "Allow",
       "Resource": "arn:aws:s3:::s3twwip*",
       "Principal": "*"

If you want to generate the policy for GetObject operation using Policy Generator then go to your s3 Bucket –> Permissions –> Bucket Policy in s3 and click on Policy Generator

In Step 1, Select the Type of Policy as s3 Bucket Policy

In Step 2, Provide all the details for Effect, principal, AWS Services, Action and Amazon Resource Name (ARN). You could select multiple Actions in same policy and need to provide the ARN of your Bucket during policy generation and then click on Add Statement

In Step 3, Click on Generate Policy

Access Control List (ACLs)

In s3, An ACL is a list of grants identifying grantee and permission granted. Both Bucket and Object are associated with an ACL. By default, Public access is turned off for all buckets in your region to restrict access from Internet. With ACL you could grant and manage access other AWS account IAM users to access your Bucket.

As an account owner you could grant different privilege such as List Object, Write Object to an AWS account. ACL does not support conditional permission as like in Bucket policy supports. Bucket ACL will help grant write permission on the Bucket to the Log Delivery Group if access log delivery is needed. Object ACL control only object level permission & manage permission to an object in the bucket not owned by bucket owner.

Amazon s3 evaluates all the users policies, bucket policies and acls to determine whether to allow or deny for each request it receives.

Please comment below if you have any concerns related to this blog.

Leave a Reply

%d bloggers like this: