Difference between revisions of "AWS/S3 Bucket Policies"
< AWS
Jump to navigation
Jump to search
(Created page with "= Working with JSON = Download Notepad++ plugin [http://sourceforge.net/projects/nppjsonviewer/ nppjsonviewer]. Install the plugin by just dropping the DLL in the plugin folde...") |
|||
| Line 4: | Line 4: | ||
Plugin shows the JSON in a tree format in a separate frame, it also formats JSON in a readable format in the main Notepad++ window. To format a JSON string, paste it into Notepad++ and select it. Then go to <tt>Plugins > JSON Viewer > '''Format JSON''' [Ctrl+Alt+Shift+M]</tt> and it should instantly format it for you, then choose <tt>'''Show JSON Viewer''' [Ctrl+Alt+Shift+J]</tt> | Plugin shows the JSON in a tree format in a separate frame, it also formats JSON in a readable format in the main Notepad++ window. To format a JSON string, paste it into Notepad++ and select it. Then go to <tt>Plugins > JSON Viewer > '''Format JSON''' [Ctrl+Alt+Shift+M]</tt> and it should instantly format it for you, then choose <tt>'''Show JSON Viewer''' [Ctrl+Alt+Shift+J]</tt> | ||
= | = Policy Examples = | ||
== Read-only access to certain S3 buckets == | |||
A sample AWS IAM json policy file with read-only access to certain S3 buckets. Formatted by JSON Viewer in NP++ | A sample AWS IAM json policy file with read-only access to certain S3 buckets. Formatted by JSON Viewer in NP++ | ||
| Line 32: | Line 33: | ||
} | } | ||
}] | }] | ||
} | |||
== Limited access to users named buckets == | |||
This policy structure can be used when you want to have someone to administrate one of groups where you have your clients to upload their files that are too big for an email. In this case you can create following three groups: | |||
*'''admins''' - full account administration access to a console and API | |||
{ | |||
"Version": "2012-10-17", | |||
"Statement": [ | |||
{ | |||
"Effect": "Allow", | |||
"Action": "*", | |||
"Resource": "*" | |||
} | |||
] | |||
} | |||
*'''bucketsadmins''' -these users have a full console & API user management access on '''bucketusers''' group and full access to S3 within AWS account | |||
{ | |||
"Version": "2012-10-17", | |||
"Statement": [ | |||
{ | |||
"Sid": "AllowUsersToPerformUserActions", | |||
"Effect": "Allow", | |||
"Action": [ | |||
"iam:*User", | |||
"iam:ListUsers", | |||
"iam:ListGroups", | |||
"iam:*UserPolicy", | |||
"iam:ListGroupsForUser", | |||
"iam:ListUserPolicies", | |||
"iam:*LoginProfile", | |||
"iam:*AccessKey*", | |||
"iam:*SigningCertificate*", | |||
"iam:*MFADevice*" | |||
], | |||
"Resource": [ | |||
"arn:aws:iam::account-id-without-hyphens:user/*", | |||
"arn:aws:iam::account-id-without-hyphens:group/*" | |||
] | |||
}, | |||
{ | |||
"Sid": "AllowUsersToAddAndDeleteUserFromGroup", | |||
"Effect": "Allow", | |||
"Action": [ | |||
"iam:RemoveUserFromGroup", | |||
"iam:AddUserToGroup" | |||
], | |||
"Resource": [ | |||
"arn:aws:iam::account-id-without-hyphens:group/<span style="color: green">'''bucketusers'''</span>" | |||
] | |||
}, | |||
{ | |||
"Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard", | |||
"Effect": "Allow", | |||
"Action": [ | |||
"iam:GetAccount*", | |||
"iam:ListAccount*" | |||
], | |||
"Resource": [ | |||
"*" | |||
] | |||
}, | |||
{ | |||
"Sid": "S3FullAccess", | |||
"Effect": "Allow", | |||
"Action": "s3:*", | |||
"Resource": "*" | |||
} | |||
] | |||
} | |||
*'''bucketusers''' -users have full API access to their buckets named <span style="color: green">'''xyzcompany-</span>awsusername''' | |||
{ | |||
"Version": "2012-10-17", | |||
"Statement":[ | |||
{ | |||
"Effect":"Allow", | |||
"Action":[ | |||
"s3:ListAllMyBuckets" | |||
], | |||
"Resource":"arn:aws:s3:::*" | |||
}, | |||
{ | |||
"Effect":"Allow", | |||
"Action":[ | |||
"s3:ListBucket", | |||
"s3:GetBucketLocation" | |||
], | |||
"Resource":"arn:aws:s3:::<span style="color: green">xyzcompany-</span>${aws:username}" | |||
}, | |||
{ | |||
"Effect":"Allow", | |||
"Action":[ | |||
"s3:PutObject", | |||
"s3:GetObject", | |||
"s3:DeleteObject" | |||
], | |||
"Resource":"arn:aws:s3:::<span style="color: green">xyzcompany-</span>${aws:username}/*" | |||
} | |||
] | |||
} | } | ||
Revision as of 21:06, 27 April 2014
Working with JSON
Download Notepad++ plugin nppjsonviewer. Install the plugin by just dropping the DLL in the plugin folder. You can also use Plugin Manager bu going to Plugins > Plugin Manager > Show Plugin Manager > find JSON Viewer last current version 1.21.
Plugin shows the JSON in a tree format in a separate frame, it also formats JSON in a readable format in the main Notepad++ window. To format a JSON string, paste it into Notepad++ and select it. Then go to Plugins > JSON Viewer > Format JSON [Ctrl+Alt+Shift+M] and it should instantly format it for you, then choose Show JSON Viewer [Ctrl+Alt+Shift+J]
Policy Examples
Read-only access to certain S3 buckets
A sample AWS IAM json policy file with read-only access to certain S3 buckets. Formatted by JSON Viewer in NP++
{
"Statement": [{
"Effect": "Allow",
"Action": ["s3:ListBucket",
"s3:GetObject",
"s3:GetObjectVersion"],
"Resource": ["arn:aws:s3:::my_bucket/*",
"arn:aws:s3:::my_bucket"]
}],
"Statement": [{
"Effect": "Allow",
"Action": ["s3:ListBucket",
"s3:GetObject",
"s3:GetObjectVersion"],
"Resource": ["arn:aws:s3:::my_other_bucket/*",
"arn:aws:s3:::my_other_bucket"]
}],
"Statement": [{
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets"],
"Resource": "*",
"Condition": {
}
}]
}
Limited access to users named buckets
This policy structure can be used when you want to have someone to administrate one of groups where you have your clients to upload their files that are too big for an email. In this case you can create following three groups:
- admins - full account administration access to a console and API
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
- bucketsadmins -these users have a full console & API user management access on bucketusers group and full access to S3 within AWS account
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUsersToPerformUserActions",
"Effect": "Allow",
"Action": [
"iam:*User",
"iam:ListUsers",
"iam:ListGroups",
"iam:*UserPolicy",
"iam:ListGroupsForUser",
"iam:ListUserPolicies",
"iam:*LoginProfile",
"iam:*AccessKey*",
"iam:*SigningCertificate*",
"iam:*MFADevice*"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:user/*",
"arn:aws:iam::account-id-without-hyphens:group/*"
]
},
{
"Sid": "AllowUsersToAddAndDeleteUserFromGroup",
"Effect": "Allow",
"Action": [
"iam:RemoveUserFromGroup",
"iam:AddUserToGroup"
],
"Resource": [
"arn:aws:iam::account-id-without-hyphens:group/bucketusers"
]
},
{
"Sid": "AllowUsersToSeeStatsOnIAMConsoleDashboard",
"Effect": "Allow",
"Action": [
"iam:GetAccount*",
"iam:ListAccount*"
],
"Resource": [
"*"
]
},
{
"Sid": "S3FullAccess",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
- bucketusers -users have full API access to their buckets named xyzcompany-awsusername
{
"Version": "2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:ListAllMyBuckets"
],
"Resource":"arn:aws:s3:::*"
},
{
"Effect":"Allow",
"Action":[
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource":"arn:aws:s3:::xyzcompany-${aws:username}"
},
{
"Effect":"Allow",
"Action":[
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource":"arn:aws:s3:::xyzcompany-${aws:username}/*"
}
]
}