Introduction

Within S3 there are a number of ways to set permissions on your S3 resources. Two of these options are Bucket Policies and User Policies. Bucket policies are applied directly to a bucket within S3 itself, whereas user policies are set within IAM (Identity & Access Management). In this Lab, you will set up and configure a bucket policy within S3. The bucket policy will restrict anyone from performing any actions within a specific bucket unless their IP address matches that within the bucket policy's condition statement.

Bucket policies use the JSON-based (JavaScript Object Notation) policy language. However, if you are unfamiliar with JSON then you can use the AWS Policy Generator to create a bucket policy for you. This allows you to generate a policy document which you can then copy and paste into your bucket policy. This Lab Step will make use of the AWS Policy Generator.

For more information regarding user policies, please see other Cloud Academy labs and courses relating to IAM.

Instructions

1. In the Amazon S3 console, select the bucket beginning with {LabStep.S3_Bucket_name} that you created earlier.

2. Click the Permissions tab, then scroll down to the Bucket Policy section and click the Edit button.

The Bucket policy editor will load:

From here, you can type in a JSON based policy directly, or use AWS Policy generator.

3. At the top, click Policy generator:

The AWS Policy Generator is opened in a new browser tab:

Notice the three steps. You will complete each step next.

4. Fill out Step 1: Select Policy Type as follows:

Select Type of Policy: Select S3 Bucket Policy

5. Under Step 2: Add Statement(s), enter and select the following:

Effect: Select the Deny radio button
Principal: Enter *
- The Principal dictates the user, account or service that the policy will apply to. An asterisk is a wildcard to match all.
Actions:
- Take a minute to scroll through the actions in the drop-down menu. For S3, there are about 40 individual actions. (CreateBucket, DeleteBucket, etc.) This is where you can select specific actions only.
- Check PutObject
ARN: *
- You will enter your bucket ARN on Edit bucket policy page

ARNs (Amazon Resource Names) adhere to the following pattern:

arn:Paritition:Service:Region:Account-ID:Resource

Partition – This relates to the partition that the resource is found in. For standard AWS regions, this section would be ‘aws.’
Service – This reflects the specific AWS service, for example ‘s3.’
Region – This is the region where the resource is located. Some services do not need a region specified, so this can sometimes be left blank.
Account-ID – This is your AWS Account ID (without hyphens). Again, some services do not need this information, and so it can be left blank.
Resource – The value of this field depends on the AWS service you are using.
- For example, if using the Action: “Action”:”s3:*”, then use the bucket name that you want the permission to apply to arn:aws:s3:::{LabStep.S3_Bucket_name}/*.

6. Still within Step 2: Add Statement(s), click Add Conditions (Optional).

Conditions allow you to define a greater granularity to your policy to only execute under certain conditions and keys. Fill out as follows:

Condition: Select NotIpAddress
Key: Select aws:SourceIp
Value: Enter 1.2.3.4 (A legal IPv4 address, but clearly not your local IP address. That is OK, as it will be used for a test later.)

7. Click Add Condition button when ready to proceed.

Your wizard will look similar to:

8. Click Add Statement, and then Generate Policy when ready to proceed.

9. Select and copy the Policy JSON Document generated for you.

For example:

{
  "Id": "Policy1656355944518",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1656355938580",
      "Action": [
        "s3:PutObject"
      ],
      "Effect": "Deny",
      "Resource": "*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "1.2.3.4"
        }
      },
      "Principal": "*"
    }
  ]
}

10. Return to your browser tab with the Bucket Policy editor open and paste the JSON into the Policy editor, copy and paste the Bucket ARN into Resource, and append /*:

Important: Make sure the ARN on the Resource line matches the name of the Amazon S3 bucket you created earlier.

Important: Ensure you add the slash and the asterisk at the end of the ARN to have the policy apply to objects in the bucket.

11. To save the policy, scroll to the bottom and click Save changes:

Your S3 bucket now has a bucket policy applied.

Recall that the condition within your policy specifies actions on your S3 bucket from anyone other than Source IP of 1.2.3.4 will be denied. (Clearly your local host IP address is not 1.2.3.4).

Next, you will test your bucket policy.

12. Scroll to the top, click the Objects tab, and click Create folder.

13. Enter a folder name and then at the bottom, click Create folder.

Because your source IP address is not 1.2.3.4 you will receive an error:

14. Click Cancel to exit the form, and then click Upload, and Add files.

Select a few files from your local file system.

15. Scroll to the bottom and click Upload.

You will see a notification that the upload failed:

In the Files and folders section you will see the following:

Once again, the operation (an upload in this example) failed, as you do not have permission to perform any actions because your IP address does not match the bucket policies condition (source IP 1.2.3.4).

16. To close the Upload form, click Close.

Summary

In this Lab Step you learned how to use the Amazon Policy Generator to generate the JSON to create a S3 bucket policy. The policy denied all S3 actions from any source where the IP address was not 1.2.3.4.

Once you finish this entire Lab, time and interest permitting, you could modify the policy to deny all actions unless the source IP is your public IP address. (Hint: Use a site such as www.whatismyipaddress.com to get your public IP address.) S3 actions should not throw an error after such a policy modification.