Sample bucket policies
Receive mail via SES (SES writes incoming mail into the bucket)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSESPuts-1554483843511",
      "Effect": "Allow",
      "Principal": {
        "Service": "ses.amazonaws.com"
      },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::your-s3-bucket/*",
      "Condition": {
        "StringEquals": {
          "aws:Referer": "your_account_id"
        }
      }
    }
  ]
}
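The security-relevant part of the policy above is the Condition: it ties the service principal's write access to one account, so the grant cannot be used by a different SES customer. As an added example (not from these notes or from AWS), a small lint that flags service-principal Allow statements lacking such a condition; the weak variant it checks is constructed here by dropping the Condition from the sample, and aws:SourceAccount / aws:SourceArn are the current global condition keys that serve the same purpose as the sample's aws:Referer.

```python
import json

# Added example, not from these notes or from AWS: a small lint for bucket policies that
# grant an AWS service principal (here ses.amazonaws.com) write access. Such a statement
# should pin which account the service may act on behalf of; otherwise any customer of
# that same service could direct it at this bucket. The sample pins it with aws:Referer;
# aws:SourceAccount and aws:SourceArn are the current global keys for that.

# Condition keys that tie a service-principal grant to a specific account or resource
ACCOUNT_SCOPING_KEYS = {"aws:referer", "aws:sourceaccount", "aws:sourcearn"}


def unscoped_service_grants(policy):
    """Return the Sid (or index) of every Allow statement whose Principal is a Service
    and whose Condition block has no account-scoping key."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if not isinstance(principal, dict) or "Service" not in principal:
            continue
        # Condition is {operator: {key: value}}; collect every key, case-insensitively
        keys = set()
        for key_map in stmt.get("Condition", {}).values():
            keys.update(k.lower() for k in key_map)
        if not keys & ACCOUNT_SCOPING_KEYS:
            findings.append(stmt.get("Sid", "Statement[%d]" % i))
    return findings


# The SES policy from the notes, with its placeholders kept
SES_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowSESPuts-1554483843511",
    "Effect": "Allow",
    "Principal": {"Service": "ses.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::your-s3-bucket/*",
    "Condition": {"StringEquals": {"aws:Referer": "your_account_id"}}
  }]
}""")

# Constructed weak variant: the same grant with the Condition dropped
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{k: v for k, v in SES_POLICY["Statement"][0].items() if k != "Condition"}],
}


def lint_sample():
    return unscoped_service_grants(SES_POLICY)   # returns []


def lint_weak():
    return unscoped_service_grants(WEAK_POLICY)  # returns ['AllowSESPuts-1554483843511']


if __name__ == "__main__":
    print("notes' sample:", lint_sample())
    print("no condition :", lint_weak())
```

The check is deliberately narrow: it only looks at statements whose Principal is a service, since an AWS-account principal is already scoped by its ARN.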
Bucket ACL
- Bucket Owner = the AWS account that owns this bucket.
Object ACL
- One ACL per S3 object.
- An IAM user cannot be a grantee; ACL grantees are AWS accounts.
- To grant another AWS account via ACL, use its Canonical ID.
Canonical ID is the "ID" value shown in an ACL, e.g.:
{
  "Owner": {
    "DisplayName": "aaaaaaa",
    "ID": "aebdafahfojdsaojfodsaofhsoajfdsajofhoqjfdsafhvhajofuf89fdsa8fu9d"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "CanonicalUser",
        "DisplayName": "aaaaaaaa",
        "ID": "aebdafahfojdsaojfodsaofhsoajfdsajofhoqjfdsafhvhajofuf89fdsa8fu9d"
      },
      "Permission": "READ"
    }
  ]
}
Inheriting the ACL from the level above (bucket ACL applied down to objects)
CloudBerry Explorer supports it.
Bucket Policy
I uploaded some files, but my bucket policy does not apply to them. Why?
A bucket policy takes effect on an object only when
Object Owner = Bucket Owner
So an object uploaded from a different AWS account (using that account's own credentials, not a switched role) is not covered by the bucket policy: its owner is the uploading account, not the bucket owner.
Way to change an S3 object's owner
Only one way: copy the object.
The ACL alone, however, can be changed with put-object-acl.
Cross-account (no switched role)
- Bucket policies support an IAM user as Principal,
  but NOT an IAM group.
- Inheriting the upper object/bucket ACL (via CloudBerry) does NOT work cross-account.
Permit specific API calls
AWS Account A has bucket 'b'.
AWS Account B created IAM user 'imaoka'.
Bucket 'b' allows AWS Account B via bucket policy (or bucket ACL).
When imaoka has only read-only S3 permissions in AWS Account B, imaoka cannot put objects into bucket 'b'.
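The two rules in these notes, that a bucket policy governs an object only when its owner is the bucket owner, and that a cross-account call needs an Allow from the bucket policy and from the caller's own IAM policy, as an added Python model. This is not AWS's evaluation logic and not code from the notes: the account numbers, the identity policies and the object keys are constructed, the user 'imaoka' and bucket 'b' are taken from the scenario above, and ACLs, Conditions, SCPs, session policies and Object Ownership settings are deliberately not modelled.

```python
import fnmatch

# Added example (not AWS's code): a deliberately simplified model of the two S3 rules in
# these notes. Real IAM evaluation has many more inputs (conditions, ACLs, SCPs, session
# policies, Object Ownership settings); nothing here is an official algorithm.
#  Rule 1: a bucket policy governs an existing object only when the object owner is the
#          bucket owner (otherwise the policy is "n/a" for that object).
#  Rule 2: a cross-account caller needs an Allow from the bucket policy AND an Allow
#          from its own account's IAM policy; any explicit Deny wins. A same-account
#          caller needs an Allow from either side.

BUCKET_OWNER = "111111111111"                     # constructed: AWS Account A, owns bucket 'b'
IMAOKA = "arn:aws:iam::222222222222:user/imaoka"  # constructed account number for Account B
OBJ = "arn:aws:s3:::b/report.csv"                 # constructed object key

# Bucket policy on 'b' (constructed) naming the IAM user, which the notes say is supported
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": IMAOKA},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::b/*",
    }],
}

# Identity policies in Account B (constructed): read-only, and read-only plus PutObject
READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
READ_WRITE = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:PutObject"],
                             "Resource": "*"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(principal, caller_arn):
    # "*" matches anyone; an account root ARN covers every identity in that account
    if principal == "*":
        return True
    for p in _as_list(principal.get("AWS", [])):
        if p in ("*", caller_arn):
            return True
        if p.endswith(":root") and caller_arn.startswith(p[: -len("root")]):
            return True
    return False


def evaluate(policy, caller_arn, action, resource, check_principal):
    """One policy document -> 'Deny', 'Allow' or None (no statement matched)."""
    decision = None
    for stmt in policy["Statement"]:
        if check_principal and not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny is final
        decision = "Allow"
    return decision


def s3_allowed(bucket_policy, identity_policy, caller_arn, action, resource,
               bucket_owner=BUCKET_OWNER, object_owner=None):
    """object_owner=None means the object does not exist yet (a fresh PutObject)."""
    caller_account = caller_arn.split(":")[4]
    bucket_decision = None
    if object_owner in (None, bucket_owner):             # Rule 1
        bucket_decision = evaluate(bucket_policy, caller_arn, action, resource, True)
    identity_decision = evaluate(identity_policy, caller_arn, action, resource, False)
    if "Deny" in (bucket_decision, identity_decision):
        return False
    if caller_account == bucket_owner:
        return "Allow" in (bucket_decision, identity_decision)
    return bucket_decision == "Allow" and identity_decision == "Allow"   # Rule 2


if __name__ == "__main__":
    print("imaoka, read-only, PutObject :", s3_allowed(BUCKET_POLICY, READ_ONLY, IMAOKA, "s3:PutObject", OBJ))
    print("imaoka, read-write, PutObject:", s3_allowed(BUCKET_POLICY, READ_WRITE, IMAOKA, "s3:PutObject", OBJ))
    print("GetObject, object owned by A :", s3_allowed(BUCKET_POLICY, READ_ONLY, IMAOKA, "s3:GetObject", OBJ,
                                                       object_owner=BUCKET_OWNER))
    print("GetObject, object owned by C :", s3_allowed(BUCKET_POLICY, READ_ONLY, IMAOKA, "s3:GetObject", OBJ,
                                                       object_owner="333333333333"))
```

The first two calls reproduce the scenario above: the bucket policy alone is not enough for imaoka until Account B's identity policy also allows s3:PutObject. The last two show Rule 1: the same bucket-policy grant reaches an object owned by Account A but is ignored for an object some third account uploaded.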