Problem:
When a request is made to S3, decide whether that request should be allowed or denied.
Solution Summary:
Create a bucket policy for each allow/deny scenario and observe the result.
Prerequisites:
An AWS account and basic familiarity with S3.
Solution Steps:
- Create a bucket (e.g. buddybucketpolicy), leaving all default selections as they are.
- Create a text file and upload it with the default settings.
- Verify that you get an "Access Denied" error when you try to access the file publicly.
- Go to the policy generator and generate a policy matching the given description, or copy and paste the given policy JSON into the bucket policy editor under the Permissions tab.
Examples
Policy 1:
{
  "Id": "Policy1500988548299",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1500988533386",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::buddybucketpolicy/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "42.109.194.187"
        }
      },
      "Principal": "*"
    }
  ]
}
Description: Allow + IpAddress
Allow from IP 42.109.194.187.
Deny from any other IP (implicit deny: no statement allows it).
Policy 2:
{
  "Id": "Policy1500988548299",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1500988533386",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::buddybucketpolicy/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "42.109.194.187"
        }
      },
      "Principal": "*"
    }
  ]
}
Description: Allow + NotIpAddress
Deny from IP 42.109.194.187 (implicit deny: no statement allows it).
Allow from any other IP.
Policy 3:
{
  "Id": "Policy1500988548299",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1500988533386",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::buddybucketpolicy/*",
      "Condition": {
        "NotIpAddress": {
          "aws:SourceIp": "42.109.194.187"
        }
      },
      "Principal": "*"
    }
  ]
}
Description: Deny + NotIpAddress
Deny from IP 42.109.194.187 (implicit deny: the Deny does not match it, but no statement allows it either).
Deny from any other IP (explicit deny).
Policy 4:
{
  "Id": "Policy1500988548299",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1500988533386",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::buddybucketpolicy/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "42.109.194.187"
        }
      },
      "Principal": "*"
    }
  ]
}
Description: Deny + IpAddress
Deny from IP 42.109.194.187 (explicit deny).
Deny from any other IP (implicit deny: no statement allows it).
Policy 5:
{
  "Id": "Policy1500988548299",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1500988533386",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Deny",
      "Resource": "arn:aws:s3:::buddybucketpolicy/*",
      "Principal": "*"
    }
  ]
}
Description: (only) Deny
Deny from all IPs (explicit deny).
Note: a plain Allow with no condition allows access from all IPs (see the previous lab).
Summary

Policy                 Request from 42.109.194.187   Request from any other IP
Allow + IpAddress      Allow                         Deny
Allow + NotIpAddress   Deny                          Allow
Deny + IpAddress       Deny                          Deny
Deny + NotIpAddress    Deny                          Deny
(only) Deny            Deny                          Deny

Note: a plain Allow with no condition allows access from all IPs (see the previous lab).
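The table above can be reproduced offline with a small evaluator that applies the same rule S3 uses on the bucket policy: an explicit Deny in any matching statement wins, otherwise a matching Allow grants access, otherwise the request is implicitly denied. The script below is an added example for this lab, not AWS code; it models only the bucket policy for an anonymous (Principal "*") request with the aws:SourceIp key, and ignores IAM identity policies, ACLs and Block Public Access. The address 203.0.113.10 standing in for "any other IP", the object key test.txt, and the extra rows for a bare Allow and for the Allow-all plus Deny-NotIpAddress pair are assumptions added here; everything else comes from the five policies on this page.

```python
"""Offline evaluator for the bucket policies in this lab (added example, not AWS
code). Models only the bucket-policy part of the S3 decision for an anonymous
request with the aws:SourceIp condition key."""
import fnmatch
import ipaddress

LAB_IP = "42.109.194.187"      # the address used in the lab's policies
OTHER_IP = "203.0.113.10"      # constructed stand-in for "any other IP" (TEST-NET-3)
BUCKET_ARN = "arn:aws:s3:::buddybucketpolicy"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_matches(patterns, value, casefold=False):
    # '*' and '?' are wildcards; action names are case-insensitive, ARNs are not.
    if casefold:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _ip_in_ranges(source_ip, ranges):
    # aws:SourceIp accepts single addresses or CIDR blocks; a bare address is a /32.
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in _as_list(ranges))


def _condition_matches(condition, source_ip):
    """Every operator/key pair in the Condition block must match."""
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise NotImplementedError(f"unsupported operator {operator}")
        for key, values in pairs.items():
            if key != "aws:SourceIp":
                raise NotImplementedError(f"unsupported condition key {key}")
            in_ranges = _ip_in_ranges(source_ip, values)
            if operator == "IpAddress" and not in_ranges:
                return False
            if operator == "NotIpAddress" and in_ranges:
                return False
    return True


def _principal_is_anyone(principal):
    # An anonymous request is matched only by the wildcard principal.
    return principal == "*" or principal == {"AWS": "*"}


def evaluate(policy, action, resource_arn, source_ip):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if not _glob_matches(stmt["Action"], action, casefold=True):
            continue
        if not _glob_matches(stmt["Resource"], resource_arn):
            continue
        if not _condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny wins over any Allow
        decision = "Allow"         # keep scanning: a later Deny could still win
    return decision


def lab_policy(effect, operator=None, ip=LAB_IP):
    """Build one of the lab's single-statement policies (Id/Sid omitted)."""
    stmt = {"Effect": effect, "Action": ["s3:GetObject"],
            "Resource": f"{BUCKET_ARN}/*", "Principal": "*"}
    if operator:
        stmt["Condition"] = {operator: {"aws:SourceIp": ip}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


# The lab's five rows, plus a bare Allow (mentioned in the note) and the
# two-statement Allow-all + Deny-NotIpAddress pair (assumed, not on the page).
CASES = {
    "Allow + IpAddress": lab_policy("Allow", "IpAddress"),
    "Allow + NotIpAddress": lab_policy("Allow", "NotIpAddress"),
    "Deny + IpAddress": lab_policy("Deny", "IpAddress"),
    "Deny + NotIpAddress": lab_policy("Deny", "NotIpAddress"),
    "(only) Deny": lab_policy("Deny"),
    "(only) Allow": lab_policy("Allow"),
    "Allow + Deny NotIpAddress": {
        "Version": "2012-10-17",
        "Statement": lab_policy("Allow")["Statement"]
        + lab_policy("Deny", "NotIpAddress")["Statement"],
    },
}


def summary_table(object_key="test.txt"):
    """Map each case to (decision for LAB_IP, decision for OTHER_IP)."""
    resource = f"{BUCKET_ARN}/{object_key}"   # object key is a constructed value
    return {name: (evaluate(p, "s3:GetObject", resource, LAB_IP),
                   evaluate(p, "s3:GetObject", resource, OTHER_IP))
            for name, p in CASES.items()}


if __name__ == "__main__":
    for name, (lab, other) in summary_table().items():
        print(f"{name:26} {LAB_IP}: {lab:13} other IP: {other}")
```

Where the lab's table says "Deny from IP 42.109.194.187" for Deny + NotIpAddress, the evaluator reports ImplicitDeny: nothing denies that address, it is simply never allowed. The distinction only matters once a second statement grants access, which is what the added Allow + Deny NotIpAddress row shows: the Allow opens the bucket, the explicit Deny closes it for every address outside the range, and the Deny wins where both match. Since a bucket-policy Deny with Principal "*" applies to every principal, it also blocks IAM users of the bucket owner's account who come from another address; the account's root user can still remove the bucket policy.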