Managing access control for your Amazon S3 buckets is essential for maintaining security in your AWS environment. In this article, I'll guide you through applying two different S3 bucket policies using the AWS CLI. One policy will allow access from a specific IP address, and the other will restrict access to specific objects (like images) from a designated domain.
Step 1: Create and Apply the policy.json File
The first policy we'll create allows access to your S3 bucket only from a specific IP address. Below is an example of a policy you can use.
policy.json:

```json
{
  "Version": "2012-10-17",
  "Id": "Allow specific IP",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::devops22-cli-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "102.51.8.73"
        }
      }
    }
  ]
}
```
This policy grants all S3 actions (`s3:*`) on the objects in `devops22-cli-bucket` to any principal (`"Principal": "*"`), but only for requests that arrive from the IP address 102.51.8.73 (a bare address is treated as a /32). Because the `Resource` covers only `devops22-cli-bucket/*`, bucket-level actions such as `s3:ListBucket` are not included.
Apply the policy.json Using AWS CLI
To apply this policy to your S3 bucket, execute the following command in your terminal:
```bash
aws s3api put-bucket-policy --bucket devops22-cli-bucket --policy file://policy.json
```

This command applies the policy defined in `policy.json` to `devops22-cli-bucket`.
Step 2: Create and Apply the domain_policy.json File
Next, let's create a policy that limits access to `.jpg` images in the S3 bucket, allowing requests only from a specific domain. This is particularly useful if you want to limit access to certain resources based on the referring domain.
domain_policy.json:

```json
{
  "Version": "2012-10-17",
  "Id": "Allow cloudntaivebasecamp.com to access the images",
  "Statement": [
    {
      "Sid": "Allow only GET requests originating from specific domain",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::devops22-cli-bucket/*.jpg",
      "Condition": {
        "StringLike": { "aws:Referer": ["https://example.com/*"] }
      }
    }
  ]
}
```
This policy allows `GET` requests (`s3:GetObject`) for `.jpg` objects in `devops22-cli-bucket` only when the request's `Referer` header matches `https://example.com/*`. Keep in mind that `aws:Referer` is supplied by the client and is trivially forged, so this deters casual hotlinking rather than providing real access control, and because the grant is to `Principal: "*"` without a condition that S3 treats as restricting (such as `aws:SourceIp`), S3 classifies this policy as public: with Block Public Access enabled on the bucket, `put-bucket-policy` will reject it.
Apply the domain_policy.json Using AWS CLI
To apply this domain-based policy, use the following command. Note that `put-bucket-policy` replaces the bucket's existing policy, so this overwrites the IP rule from Step 1; to keep both rules, place both statements in a single policy document.

```bash
aws s3api put-bucket-policy --bucket devops22-cli-bucket --policy file://domain_policy.json
```
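Before running `put-bucket-policy`, it helps to know whether S3 Block Public Access will accept the document and whether you are about to overwrite the rule you applied in Step 1. The following is an added example, not code from this article: a small Python pre-flight check that flags statements S3 would classify as public and merges both rules into one document. The set of "restricting" condition keys is an abbreviated version of the AWS list, and the two sample policies are reconstructed from the article.

```python
import ipaddress
import json

# Condition keys whose fixed values make a "Principal": "*" grant non-public under S3
# Block Public Access (assumption: abbreviated from the AWS list). aws:Referer is not one.
NON_PUBLIC_KEYS = {"aws:SourceIp", "aws:SourceVpc", "aws:SourceVpce", "aws:SourceArn",
                   "aws:SourceAccount", "aws:SourceOwner", "aws:userid"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    return principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", [])))

def _has_restricting_condition(condition):
    for operator, pairs in condition.items():
        if "Not" in operator:  # NotIpAddress / StringNotEquals widen access, not narrow it
            continue
        for key, values in pairs.items():
            if key not in NON_PUBLIC_KEYS:
                continue
            if key == "aws:SourceIp":
                nets = [ipaddress.ip_network(v, strict=False) for v in _as_list(values)]
                if any(n.prefixlen == 0 for n in nets):  # 0.0.0.0/0 is the whole internet
                    continue
            return True
    return False

def public_statements(policy):
    """Sids of Allow statements that S3 Block Public Access would classify as public."""
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))
            and not _has_restricting_condition(s.get("Condition", {}))]

def merge_policies(*policies):
    """put-bucket-policy replaces the whole document, so keep both rules by merging them."""
    return {"Version": "2012-10-17",
            "Statement": [s for p in policies for s in _as_list(p["Statement"])]}

# Constructed sample input: the two statements from the article.
IP_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Sid": "IPAllow",
  "Effect": "Allow", "Principal": "*", "Action": "s3:*",
  "Resource": ["arn:aws:s3:::devops22-cli-bucket/*"],
  "Condition": {"IpAddress": {"aws:SourceIp": "102.51.8.73"}}}]}''')
REFERER_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [{"Sid": "RefererAllow",
  "Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
  "Resource": "arn:aws:s3:::devops22-cli-bucket/*.jpg",
  "Condition": {"StringLike": {"aws:Referer": ["https://example.com/*"]}}}]}''')
```

Run `public_statements` on each document before applying it; a non-empty result means the policy will be refused when Block Public Access is on, and `json.dumps(merge_policies(IP_POLICY, REFERER_POLICY))` gives you a single file to pass to `--policy`.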
Conclusion
By using the AWS CLI, you can easily apply bucket policies that control access to your S3 resources. In this article, we covered two examples:
- A policy allowing access from a specific IP address.
- A policy restricting access to certain resources from a specific domain.
These are just two examples of how you can fine-tune your access control policies using S3's flexible policy system. Feel free to adapt these examples to meet the security requirements of your own environment.
Happy coding! 🚀