S3 Bucket Policies: A Practical Guide

What Is an S3 Bucket Policy?

An S3 bucket policy is an object that allows you to manage access to specific Amazon S3 storage resources. You can specify permissions for each resource to allow or deny actions requested by a principal (a user or role). When you create a new Amazon S3 bucket, you should set a policy granting the relevant permissions to the data forwarder’s principal roles.

Bucket policies are an Identity and Access Management (IAM) mechanism for controlling access to resources. They are a critical element in securing your S3 buckets against unauthorized access and attacks.

In this article, you will learn:

• Adding a Bucket Policy Using the Amazon S3 Console
• S3 Bucket Policy Elements
• Best Practices to Secure AWS S3 Storage Using Bucket Policies
  • Create Separate Private and Public Buckets
  • Encrypt Data at Rest and in Transit
  • Create a Lifecycle Policy
• S3-Compatible Storage On-Premises with Cloudian

This is part of an extensive series of articles about S3 Storage.

Creating and Editing a Bucket Policy

Here is a step-by-step guide to adding a bucket policy or modifying an existing policy via the Amazon S3 console. You can add a policy to an S3 bucket to provide IAM users and AWS accounts with access permissions either to the entire bucket or to specific objects contained in the bucket. Object permissions are limited to the specified objects.

To add or modify a bucket policy via the Amazon S3 console:

1. Go to the Amazon S3 console in the AWS management console (https://console.aws.amazon.com/s3/).
2. Select the bucket to which you wish to add (or edit) a policy in the buckets list and select permissions.
3. Enter your policy text (or edit the text) in the text box of the bucket policy editor. Bucket policies use JSON files, so you must type or paste JSON text.
4. Once you’ve created your desired policy, select save changes.

To create a bucket policy with the AWS Policy Generator:

1. Open the policy generator and select S3 bucket policy under the select type of policy menu.
2. Populate the fields presented to add statements and then select generate policy. Copy the text of the generated policy.
3. Go back to the edit bucket policy section in the Amazon S3 console and select edit under the policy you wish to modify.
4. Once you’ve created your desired policy, select save changes.

Above the policy text field for each bucket in the Amazon S3 console, you will see an Amazon Resource Name (ARN), which you can use in your policy. You can also preview the effect of your policy on cross-account and public access to the relevant resource. You can check for findings in IAM Access Analyzer before you save the policy.

Related content: Read our complete guide to S3 buckets (coming soon)

S3 Bucket Policy Elements

An Amazon S3 bucket policy contains the following basic elements:

• Statements—a statement is the main element in a policy. It consists of several elements, including principals, resources, actions, and effects. Bucket policies typically contain an array of statements.
• Permitted principals—a principal is a user, entity, or account with access permissions to resources and actions in a statement.
• Resources—Amazon S3 resources to which the policy applies include buckets, objects, jobs, and access points. You can identify resources using ARNs.
• Actions—there are specific, permitted operations for each resource. You can use action keywords to allow or deny operations.
• Effects—each request by a principal must generate an allow or deny effect. In the absence of an explicit access permission to a resource, the policy will automatically deny the request.
• Conditions—these determine when the policy applies. You can specify conditions for access policies using AWS-wide or S3-specific keys.
• Version—this determines the policy’s language version. This element is optional, allowing you to specify a new language version instead of the old default version.
• ID—this optional element specifies a policy identifier. Policy IDs should be unique, with GUID values.
• Statement ID (Sid)—this is an identifier that you can assign to policy statements. You may assign Sid values to every statement in a policy. In AWS services like SNS and SQS, which allow you to specify ID elements, the Sid values are sub-IDs of the policy’s ID. IAM requires the Sid values in a JSON policy to be unique.

Best Practices to Secure AWS S3 Storage Using Bucket Policies

Consider using the following practices to keep your Amazon S3 buckets secure.

Create Separate Private and Public Buckets

By default, new buckets have private bucket policies. If you require an entity to access the data or objects in a bucket, you have to provide access permissions manually.

Access Control List (ACL) and Identity and Access Management (IAM) policies provide the appropriate access permissions to principals using a combination of bucket policies. However, the bucket policy may be complex and time-consuming to manage if a bucket contains both public and private objects. A policy for mixed public/private buckets requires you to analyze the ACLs for each object carefully.

You can simplify your bucket policies by separating objects into different public and private buckets. Create one bucket for public objects, using the following policy script to grant access to the entire bucket:

{

“Effect”: “Allow”,

“Principal”: “*”,

“Action”: “s3:GetObject”,

“Resource”: “arn:aws:s3:::YOURPUBLICBUCKET/*”

}

Create a second bucket for storing private objects. The entire bucket will be private by default. You can grant permissions for specific principles to access the objects in the private bucket using IAM policies.

Encrypt Data at Rest and in Transit

Enable encryption to protect your data. You can configure AWS to encrypt objects on the server-side before storing them in S3. You can use the default Amazon S3 keys managed by AWS or create your own keys using the Key Management Service.

Add the following HTTPS code to your bucket policy to implement in-transit data encryption across bucket operations:

{

“Action”: “s3:*”,

“Effect”: “Deny”,

“Principal”: “*”,

“Resource”: “arn:aws:s3:::YOURBUCKETNAME/*”,

“Condition”: {

“Bool”: { “aws:SecureTransport”: false }

}

}

Create a Lifecycle Policy

You can secure your data and save money using lifecycle policies to make data private or delete unwanted data automatically. A lifecycle policy helps prevent hackers from accessing data that is no longer in use. If you enable the policy to transfer data to AWS Glacier, you can free up standard storage space, allowing you to reduce costs.

If the data stored in Glacier no longer adds value to your organization, you can delete it later.

S3-Compatible Storage On-Premises with Cloudian

Cloudian® HyperStore® is a massive-capacity object storage device that is fully compatible with the Amazon S3 API. It can store up to 1.5 Petabytes in a 4U Chassis device, allowing you to store up to 18 Petabytes in a single data center rack. HyperStore comes with fully redundant power and cooling, and performance features including 1.92TB SSD drives for metadata, and 10Gb Ethernet ports for fast data transfer.

HyperStore is an object storage solution you can plug in and start using with no complex deployment. It also offers advanced data protection features, supporting use cases like compliance, healthcare data storage, disaster recovery, ransomware protection and data lifecycle management.

Learn more about Cloudian® HyperStore®.