-
-
Save actionjack/b1ddd3bd7e6b384e7112d988890377c2 to your computer and use it in GitHub Desktop.
Notes on S3 Security/Permissions Model
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| How S3 Permission Work | |
| - The AWS account that creates a bucket owns it. | |
| - The owner of a bucket can never be changed. | |
| - All billing for object usage goes to bucket owner account by default. That's one reason ownership cannot be changed. | |
| - Note that objects in the bucket can have permissions that would prevent even the bucket owner from editing/deleting it. | |
| - There are three styles of permissions: | |
| 1. Bucket Policies | |
| - Allows access control to be specified for AWS Accounts or IAM Users | |
| - Specified in Access Policy Language | |
| - Can DENY or ALLOW | |
| - Can be based on rules like IP, HTTP-Referer, etc | |
| 2. ACLs | |
| - All ACLs do is grant permission X to user Y | |
| - User Y can be specified as an AWS Account only (via AWS Account ID or Canonical ID) | |
| - GRANT only; cannot specify DENY via ACL | |
| - Can be attached to buckets or objects | |
| - Specified in XML lists | |
| - Can DENY or ALLOW | |
| - Can be based on rules like IP, HTTP-Referer, etc | |
| 3. IAM Policies | |
| - Work for IAM users only [ie not AWS accounts] | |
| - Specified in Access Policy Language | |
| - All permission styles can be used together, they are evaluated like so: | |
| - ANY Deny trumps. | |
| - Otherwise any ALLOW allows. | |
| - Default to DENY. | |
| References: | |
| - http://docs.amazonwebservices.com/IAM/latest/UserGuide/index.html?UsingWithS3.html |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment