
S3 maniacs

Posted at 2017-01-13

Sample bucket policies

Receiving mail via SES (allow the SES service principal to write into the bucket)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts-1554483843511",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::your-s3-bucket/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "your_account_id"
                }
            }
        }
    ]
}

Bucket ACL

Bucket Owner = the AWS account that owns this bucket.

Object ACL

An ACL is set per S3 object.
IAM users cannot be grantees.
To grant access to another AWS account, use that account's CanonicalID.

The CanonicalID is the long "ID" value shown in the ACL's Owner / Grantee entries:

{
    "Owner": {
        "DisplayName": "aaaaaaa",
        "ID": "aebdafahfojdsaojfodsaofhsoajfdsajofhoqjfdsafhvhajofuf89fdsa8fu9d"
    },
    "Grants": [
        {
            "Grantee": {
                "Type": "CanonicalUser",
                "DisplayName": "aaaaaaaa",
                "ID": "aebdafahfojdsaojfodsaofhsoajfdsajofhoqjfdsafhvhajofuf89fdsa8fu9d"
            },
            "Permission": "READ"
        }
    ]
}

Inheriting the parent object ACL

CloudBerry Explorer supports this.

Bucket Policy

I uploaded some files, but my bucket policy does not apply to them. Why?

Bucket policies take effect only when

Object Owner = Bucket Owner

So an S3 object uploaded cross-account (from another AWS account, not via switch role) is not covered by the bucket policy, because its owner is the uploading account, not the bucket owner.

How to change an S3 object's owner

There is only one way: copy the object.
The ACL, however, can be changed with put-object-acl.
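As an added example (not code from the original post), the check below walks a set of object ACLs and reports which objects are owned by someone other than the bucket owner, since those are exactly the objects the bucket policy does not reach. The ACL documents are constructed to mirror the Owner / Grants / Grantee layout shown above; the canonical IDs are made-up placeholders.

```python
# Added example (not from the original post): audit which objects in a bucket are
# owned by someone other than the bucket owner, since the bucket policy does not
# reach those objects. Inputs are constructed to look like GetObjectAcl output;
# the canonical IDs are made-up placeholders.

BUCKET_OWNER_ID = "a" * 64    # constructed canonical ID of the bucket owner (account A)
FOREIGN_OWNER_ID = "b" * 64   # constructed canonical ID of a cross-account uploader (account B)

# Constructed GetObjectAcl results, keyed by object key.
OBJECT_ACLS = {
    "reports/own.csv": {
        "Owner": {"DisplayName": "account-a", "ID": BUCKET_OWNER_ID},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": BUCKET_OWNER_ID}, "Permission": "FULL_CONTROL"},
        ],
    },
    "reports/from-account-b.csv": {
        # uploaded cross-account without any grant for the bucket owner
        "Owner": {"DisplayName": "account-b", "ID": FOREIGN_OWNER_ID},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": FOREIGN_OWNER_ID}, "Permission": "FULL_CONTROL"},
        ],
    },
    "reports/shared.csv": {
        # uploaded cross-account, but the uploader granted the bucket owner FULL_CONTROL
        "Owner": {"DisplayName": "account-b", "ID": FOREIGN_OWNER_ID},
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": FOREIGN_OWNER_ID}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "CanonicalUser", "ID": BUCKET_OWNER_ID}, "Permission": "FULL_CONTROL"},
        ],
    },
}


def bucket_owner_permissions(acl, bucket_owner_id):
    """Permissions the object ACL grants to the bucket owner's canonical user."""
    return sorted(
        g["Permission"]
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "CanonicalUser"
        and g["Grantee"].get("ID") == bucket_owner_id
    )


def classify_object(acl, bucket_owner_id):
    """'owned' if the bucket owner owns the object, else 'foreign:<perms or none>'."""
    if acl["Owner"]["ID"] == bucket_owner_id:
        return "owned"
    perms = bucket_owner_permissions(acl, bucket_owner_id)
    return "foreign:" + (",".join(perms) if perms else "none")


def audit_objects(object_acls, bucket_owner_id):
    """Map every object key to its ownership status."""
    return {key: classify_object(acl, bucket_owner_id) for key, acl in object_acls.items()}


def needs_owner_change(object_acls, bucket_owner_id):
    """Keys the bucket owner neither owns nor has FULL_CONTROL on: candidates for an in-place copy."""
    return sorted(
        key for key, acl in object_acls.items()
        if acl["Owner"]["ID"] != bucket_owner_id
        and "FULL_CONTROL" not in bucket_owner_permissions(acl, bucket_owner_id)
    )


if __name__ == "__main__":
    for key, status in audit_objects(OBJECT_ACLS, BUCKET_OWNER_ID).items():
        print(f"{key:30} {status}")
    print("copy in place to take ownership:", needs_owner_change(OBJECT_ACLS, BUCKET_OWNER_ID))
```

The keys returned by needs_owner_change are the ones the post's "just one copy" applies to: copying the object onto itself from the bucket owner's account makes that account the owner. Newer S3 buckets can avoid the problem entirely with the Object Ownership setting (BucketOwnerEnforced), which makes the bucket owner own every object and disables ACLs; the post predates that feature.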

Cross-account (not switch role)

  1. Bucket policies support a Principal of iam/user but DO NOT support iam/group.
  2. The parent object/bucket ACL is NOT inherited (even via CloudBerry).

Permit specific API calls

AWS Account A has bucket 'b'.
AWS Account B created IAM user 'imaoka'.

Bucket 'b' allows AWS Account B via its bucket policy (or bucket ACL).
When imaoka has only read-only S3 permissions in AWS Account B, he still cannot put objects into bucket 'b': the bucket-side grant is not enough, the user's own IAM policy in Account B must also allow the call.
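To make both points concrete (the group-principal limitation listed above and the account A / account B scenario), here is an added example that is not part of the original post. It contains a small linter for bucket policies and a deliberately simplified two-sided check: cross-account access needs an Allow on the bucket policy and on the caller's identity policy. Account IDs, ARNs and the three policy documents are constructed placeholders; the evaluation ignores Deny statements and Conditions and matches wildcards case-sensitively with fnmatch, which real IAM does not.

```python
# Added example (not from the original post): a small linter for S3 bucket
# policies plus a simplified two-sided access check for the cross-account
# scenario (account A's bucket 'b', IAM user 'imaoka' in account B). Account
# IDs and ARNs are constructed placeholders. The evaluation is simplified:
# Allow statements only, no Deny, no Conditions, fnmatch wildcard matching.
import fnmatch

OBJECT_LEVEL_ACTIONS = {"s3:putobject", "s3:getobject", "s3:deleteobject",
                        "s3:putobjectacl", "s3:getobjectacl"}

ACCOUNT_A = "111111111111"   # constructed: owns bucket 'b'
ACCOUNT_B = "222222222222"   # constructed: owns IAM user 'imaoka'
USER_ARN = f"arn:aws:iam::{ACCOUNT_B}:user/imaoka"

# Constructed bucket policy on 'b' in account A, granting account B as a whole.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAccountB",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::b/*",
    }],
}

# Constructed identity policy attached to imaoka in account B (read-only S3).
READONLY_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": "*",
    }],
}

# Constructed bucket policy with two mistakes the linter should catch:
# an IAM group as principal and a bucket ARN for an object-level action.
BAD_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GroupPrincipal",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:group/developers"},
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::b",
    }],
}


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def lint_bucket_policy(policy):
    """Return findings for principals or resources that will not work as intended."""
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        for arn in aws_principals:
            if ":group/" in arn:
                findings.append(f"{sid}: IAM group ARN {arn} is not a valid bucket-policy principal; use user or role ARNs")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        object_actions = [a for a in actions if a.lower() in OBJECT_LEVEL_ACTIONS]
        # object-level actions need an object path (bucket/*), not the bare bucket ARN
        if object_actions and not any(r == "*" or "/" in r.split(":::", 1)[-1] for r in resources):
            findings.append(f"{sid}: {object_actions} need an object resource such as arn:aws:s3:::bucket/*, got {resources}")
    return findings


def _principal_covers(principal, user_arn):
    """True if Principal names the user, the user's account root, the bare account ID, or '*'."""
    if principal == "*":
        return True
    account_id = user_arn.split(":")[4]
    root = f"arn:aws:iam::{account_id}:root"
    aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return any(p in ("*", user_arn, root, account_id) for p in aws_principals)


def allows(policy, action, resource, user_arn=None):
    """Simplified: True if any Allow statement matches (Principal,) Action and Resource."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if user_arn is not None and not _principal_covers(st.get("Principal", {}), user_arn):
            continue
        if _matches(_as_list(st.get("Action")), action) and _matches(_as_list(st.get("Resource")), resource):
            return True
    return False


def cross_account_decision(bucket_policy, identity_policy, user_arn, action, resource):
    """Cross-account access needs an Allow on both sides: bucket policy and caller's identity policy."""
    bucket_side = allows(bucket_policy, action, resource, user_arn)
    identity_side = allows(identity_policy, action, resource)
    return {"bucket_policy": bucket_side, "identity_policy": identity_side,
            "allowed": bucket_side and identity_side}


if __name__ == "__main__":
    print("lint:", lint_bucket_policy(BAD_BUCKET_POLICY))
    for action in ("s3:GetObject", "s3:PutObject"):
        print(action, cross_account_decision(BUCKET_POLICY, READONLY_IDENTITY_POLICY,
                                             USER_ARN, action, "arn:aws:s3:::b/reports/x.csv"))
```

Run against the constructed documents, GetObject is allowed on both sides while PutObject fails on the identity side only, which is the post's imaoka case: fixing the bucket policy alone changes nothing, the read-only policy in Account B has to grant s3:PutObject too. The SES policy at the top of the post passes the linter unchanged (service principal, object-level resource).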

IAM
