A common problem with a very simple solution. Let’s say that you have an IAM user that you’ve created, and you want to provide that user read-only access to an S3 bucket. An example of this that may be common is for those vendors, such as Newvem, that request programmatic access to your billing data.
For beginners, the format and implementation may be confusing or challenging. Many of the basic policies you may attach to a user or group can be found under Policy Templates. These are, however, very limited and tend to tackle access in a very broad sense. Always check here before you go and find yourself reinventing the wheel :)
Amazon Web Services’ Policy Generator gives you push button access to create some pretty powerful custom policies, and this is the route we’ll explore for this particular issue. Policies can be managed through the IAM console at either an individual user or group level. To find these, navigate to https://console.aws.amazon.com/iam/#home and click on the Users link on the right hand side.
From here, check the box next to the user/group to which you would like to grant access. By clicking the Permissions tab in the bottom pane, we can see a list of all currently applied policies. In the case of users, as shown below, the interface will also provide a complete listing of policies inherited through group membership.
By clicking “Attach User Policy,” we can get started. In this case, we’ll want to select the Policy generator to accomplish our goal.
The Policy Generator is an incredibly simple tool to use, but you can create some very robust and layered policies with it. It will allow you to create multi-part policies that impact access to multiple services and AWS Resources. This is done through a point and click interface that requires the user to select which AWS Service, which specific actions to either allow or deny, and then requests (when applicable) an ARN. ARNs are Amazon Resource Names. We won’t get into how they’re formed here, but a great reference can be found at http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html. In short, an ARN is a unique name by which any asset deployed within AWS can be referenced.
To accomplish the aforementioned goal of granting read-only access, we need to apply two statements. The first statement is against the bucket itself, to allow us to list the contents of said bucket.
To do this, we select AWS S3 as our service, an ARN of “arn:aws:s3:::CPH-CloudServices_Invoicing”, and the “ListBucket” action. We add the statement and are brought back to a summary page where we can compound this Policy with additional statements.
For the next statement we use an ARN of “arn:aws:s3:::CPH-CloudServices_Invoicing/*”, and the “GetObject” action. Please note the “/*” at the end of this ARN – it ensures that the GetObject action is applied to all items contained within the bucket rather than to the bucket itself.
Again, you’re brought to the summary page and should see something similar to
Continue and apply – and you’re done!
In poking around, you can also view and edit the JSON definition behind the policy you just created. There are a number of good references out there that can walk you through what each of these elements means.
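As an added example (not part of the original post), here is the JSON document the two statements above produce, together with a small simulator of IAM's allow/implicit-deny resource matching that shows why the trailing “/*” matters. The simulator is an illustration, not the real IAM evaluator; only Allow statements and the “*”/“?” wildcards are modelled, and the bucket name is the one used in the post.

```python
import copy
import fnmatch
import json

BUCKET = "CPH-CloudServices_Invoicing"  # bucket name used in the post
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# The JSON the Policy Generator produces for the two statements built above.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Statement 1: list the bucket; the resource is the bucket ARN itself
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [BUCKET_ARN],
        },
        {   # Statement 2: read objects; "/*" is what makes object ARNs match
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [BUCKET_ARN + "/*"],
        },
    ],
}

def policy_json() -> str:
    """The document as it appears in the console's policy editor."""
    return json.dumps(READ_ONLY_POLICY, indent=2)

def missing_wildcard_policy() -> dict:
    """Hypothetical mistake (constructed for illustration): statement 2
    written against the bucket ARN without the trailing "/*"."""
    broken = copy.deepcopy(READ_ONLY_POLICY)
    broken["Statement"][1]["Resource"] = [BUCKET_ARN]
    return broken

def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: every request is implicitly denied unless
    an Allow statement matches both the action and the resource ARN.  Only
    the "*" and "?" wildcards are modelled (via fnmatch); explicit Deny,
    Condition blocks and bucket policies are out of scope for this sketch."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]) and \
           any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]):
            return True
    return False

if __name__ == "__main__":
    print(policy_json())
```

Calling `is_allowed` with `s3:GetObject` on an object ARN returns True for the policy above and False for the variant without “/*”, while `s3:PutObject` is denied by both.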
Once you’re more comfortable with the syntax, you’ll find this to be a very powerful tool that you can leverage not only for access restrictions; it’s also very useful to code against, for example when developing programs that enable and disable access restrictions on the fly.
A topic that we’ll approach in a future discussion is best practices around policy creation and maintenance. Much of this is a matter of preference, but there is a wealth of information out there to help you get started in creating your policies smartly, so that they remain secure but flexible as you grow.
Interested in learning more about Amazon Web Services? Feel free to reach out to us - We're happy to help!