Created
June 23, 2011 19:36
-
-
Save apinstein/1043430 to your computer and use it in GitHub Desktop.
Notes on S3 Security/Permissions Model
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| How S3 Permission Work | |
| - The AWS account that creates a bucket owns it. | |
| - The owner of a bucket can never be changed. | |
| - All billing for object usage goes to bucket owner account by default. That's one reason ownership cannot be changed. | |
| - Note that objects in the bucket can have permissions that would prevent even the bucket owner from editing/deleting it. | |
| - There are three styles of permissions: | |
| 1. Bucket Policies | |
| - Allows access control to be specified for AWS Accounts or IAM Users | |
| - Specified in Access Policy Language | |
| - Can DENY or ALLOW | |
| - Can be based on rules like IP, HTTP-Referer, etc | |
| 2. ACLs | |
| - All ACLs do is grant permission X to user Y | |
| - User Y can be specified as an AWS Account only (via AWS Account ID or Canonical ID) | |
| - GRANT only; cannot specify DENY via ACL | |
| - Can be attached to buckets or objects | |
| - Specified in XML lists | |
| - Can DENY or ALLOW | |
| - Can be based on rules like IP, HTTP-Referer, etc | |
| 3. IAM Policies | |
| - Work for IAM users only [ie not AWS accounts] | |
| - Specified in Access Policy Language | |
| - All permission styles can be used together, they are evaluated like so: | |
| - ANY Deny trumps. | |
| - Otherwise any ALLOW allows. | |
| - Default to DENY. | |
| References: | |
| - http://docs.amazonwebservices.com/IAM/latest/UserGuide/index.html?UsingWithS3.html |
Author
Haha man i've been going crazy trying to get it secure. I found various security holes in their MFA stuff. :(
Working with them to figure it out.
Alan
…On Jun 23, 2011, at 5:22 PM, jetviper21 wrote:
i can haz bucket?
##
Reply to this email directly or view it on GitHub:
https://gist.github.com/1043430
Author
404 ?
…Sent from my iPhone
On Jun 23, 2011, at 5:48 PM, ***@***.*** wrote:
<img src='http://www.walrusbucketsaga.com/images/81-shark_bucket.jpg' />
##
Reply to this email directly or view it on GitHub:
https://gist.github.com/1043430
Lame
Scott Davis
…On Jun 23, 2011, at 6:15 PM, ***@***.*** wrote:
404 ?
Sent from my iPhone
On Jun 23, 2011, at 5:48 PM, ***@***.*** wrote:
> <img src='http://www.walrusbucketsaga.com/images/81-shark_bucket.jpg' />
> ##
>
> Reply to this email directly or view it on GitHub:
> https://gist.github.com/1043430
##
Reply to this email directly or view it on GitHub:
https://gist.github.com/1043430
Author
I must be missing something, I don't get it.
…On Jun 23, 2011, at 6:27 PM, jetviper21 wrote:
Lame
Scott Davis
On Jun 23, 2011, at 6:15 PM, ***@***.*** wrote:
> 404 ?
>
> Sent from my iPhone
>
> On Jun 23, 2011, at 5:48 PM, ***@***.*** wrote:
>
> > <img src='http://www.walrusbucketsaga.com/images/81-shark_bucket.jpg' />
> > ##
> >
> > Reply to this email directly or view it on GitHub:
> > https://gist.github.com/1043430
> ##
>
> Reply to this email directly or view it on GitHub:
> https://gist.github.com/1043430
##
Reply to this email directly or view it on GitHub:
https://gist.github.com/1043430
Amazon buckets
Scott Davis
…On Jun 23, 2011, at 10:00 PM, ***@***.*** wrote:
I must be missing something, I don't get it.
On Jun 23, 2011, at 6:27 PM, jetviper21 wrote:
> Lame
>
> Scott Davis
>
> On Jun 23, 2011, at 6:15 PM, ***@***.*** wrote:
>
> > 404 ?
> >
> > Sent from my iPhone
> >
> > On Jun 23, 2011, at 5:48 PM, ***@***.*** wrote:
> >
> > > <img src='http://www.walrusbucketsaga.com/images/81-shark_bucket.jpg' />
> > > ##
> > >
> > > Reply to this email directly or view it on GitHub:
> > > https://gist.github.com/1043430
> > ##
> >
> > Reply to this email directly or view it on GitHub:
> > https://gist.github.com/1043430
> ##
>
> Reply to this email directly or view it on GitHub:
> https://gist.github.com/1043430
##
Reply to this email directly or view it on GitHub:
https://gist.github.com/1043430
Author
oooh.
…On Jun 23, 2011, at 10:11 PM, jetviper21 wrote:
Amazon buckets
Scott Davis
On Jun 23, 2011, at 10:00 PM, ***@***.*** wrote:
> I must be missing something, I don't get it.
>
> On Jun 23, 2011, at 6:27 PM, jetviper21 wrote:
>
> > Lame
> >
> > Scott Davis
> >
> > On Jun 23, 2011, at 6:15 PM, ***@***.*** wrote:
> >
> > > 404 ?
> > >
> > > Sent from my iPhone
> > >
> > > On Jun 23, 2011, at 5:48 PM, ***@***.*** wrote:
> > >
> > > > <img src='http://www.walrusbucketsaga.com/images/81-shark_bucket.jpg' />
> > > > ##
> > > >
> > > > Reply to this email directly or view it on GitHub:
> > > > https://gist.github.com/1043430
> > > ##
> > >
> > > Reply to this email directly or view it on GitHub:
> > > https://gist.github.com/1043430
> > ##
> >
> > Reply to this email directly or view it on GitHub:
> > https://gist.github.com/1043430
> ##
>
> Reply to this email directly or view it on GitHub:
> https://gist.github.com/1043430
##
Reply to this email directly or view it on GitHub:
https://gist.github.com/1043430
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
i can haz bucket?