
Bucket policies for access control in AWS - Commands & Configuration

Introduction
Sometimes you want to control who can see or change the files in your cloud storage bucket. A bucket policy is a JSON document attached to an S3 bucket that allows or denies actions on the bucket and the objects in it, for the principals (users, roles, accounts, or everyone) you name. It is evaluated together with the caller's own IAM permissions, and an explicit Deny in either place wins.
When you want to let only certain people or apps read files from your bucket.
When you want to block public access to your bucket to keep files private.
When you want to allow another AWS account to upload files to your bucket.
When you want to restrict access to files based on IP address or time of day.
When you want to keep access logs: the policy itself does not record who accessed the bucket, but S3 server access logging and CloudTrail data events do, and the log bucket then needs a policy that lets the logging service write into it.
Config File - bucket-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket/*"]
    }
  ]
}

This JSON file is a bucket policy that allows anyone, including unauthenticated requests, to read objects inside the bucket named example-bucket. Effect set to Allow makes the statement a grant. Principal set to * means every principal, anonymous callers included. Action lists the permitted API action, here s3:GetObject (download an object). Resource is the object ARN pattern: the trailing /* matches every key in the bucket but not the bucket itself, so this policy permits downloads but not listing. This is a public-read policy; use it only for content that is meant to be public. On a bucket with S3 Block Public Access enabled (the default for new buckets), put-bucket-policy rejects it with an AccessDenied error until the BlockPublicPolicy setting is turned off.

Commands
This command applies the bucket policy in the file to the bucket named example-bucket, replacing any policy already attached (a bucket holds exactly one policy). If the JSON is invalid or fails S3's checks (for example a Resource ARN that names a different bucket), the call returns a MalformedPolicy error and the existing policy is left unchanged.
Terminal
aws s3api put-bucket-policy --bucket example-bucket --policy file://bucket-policy.json
Expected Output
No output (command runs silently)
--bucket - Specifies the bucket name to apply the policy to
--policy - Specifies the JSON file containing the bucket policy
This command retrieves and shows the current bucket policy for example-bucket so you can verify it was set correctly. The policy comes back as one escaped JSON string inside the Policy field; add --query Policy --output text to print the raw policy document instead.
Terminal
aws s3api get-bucket-policy --bucket example-bucket
Expected Output
{ "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":\"*\",\"Action\":[\"s3:GetObject\"],\"Resource\":[\"arn:aws:s3:::example-bucket/*\"]}]}" }
--bucket - Specifies the bucket name to get the policy from
This command lists the objects in the bucket using your own CLI credentials. Listing requires s3:ListBucket on the bucket ARN, which the example policy does not grant, so a successful listing here comes from your IAM identity's permissions, not from the bucket policy. To test what the policy itself opened up, make an unauthenticated request, for example aws s3 cp s3://example-bucket/example-file.txt - --no-sign-request: it prints the object if public read is in effect and fails with a 403 otherwise.
Terminal
aws s3 ls s3://example-bucket/
Expected Output
2024-06-01 10:00:00       1234 example-file.txt
2024-06-01 10:05:00       5678 another-file.jpg
Key Concept

If you remember nothing else from this pattern, remember: bucket policies are JSON rules that control who can do what with your cloud storage bucket and its files.

Common Mistakes
Using the wrong ARN format in the Resource field
The policy won't match the requests you want to control if the resource ARN does not fit the action: object actions need an object ARN and bucket actions need the bucket ARN.
Use arn:aws:s3:::bucket-name/* for object actions such as s3:GetObject and s3:PutObject, and arn:aws:s3:::bucket-name (no /*) for bucket actions such as s3:ListBucket. A statement with the mismatched form is accepted but never applies, so the access you intended silently fails; an ARN naming a different bucket is rejected outright as MalformedPolicy.
Setting Principal to * when you want to restrict access
This allows everyone access, which can expose your data publicly. {"AWS": "*"} means the same thing, and a Condition on the statement only narrows the grant if it actually binds the caller (aws:SourceIp, aws:PrincipalAccount, aws:SecureTransport and similar keys).
Specify the exact AWS account, user or role ARN in Principal to limit access, and keep S3 Block Public Access enabled so that an accidental public Allow is refused at put-bucket-policy time. Principal * is normal and safe in a Deny statement, for example to refuse all non-TLS requests.
Not applying the policy after creating the JSON file
The bucket will keep its old permissions and your new rules won't take effect.
Run the aws s3api put-bucket-policy command to apply the policy.
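The two spellings of "everyone" above and the difference between a public Allow and a harmless Deny with Principal * are easy to get wrong by eye, so it is worth checking a policy file before running put-bucket-policy. The following is an added example, not code from the original page: a small pre-flight check that reports Allow statements open to anonymous callers, run against the page's public-read policy and against a constructed hardened policy for the same bucket. The hardened policy shows the restricted-reader, cross-account-upload and IP-restriction use cases from the introduction; the account IDs, role name, prefix and CIDR in it are made-up values.

```python
"""Pre-flight check for S3 bucket policies: find Allow statements open to everyone.

Added example, not part of the original page. Run it on bucket-policy.json
before `aws s3api put-bucket-policy`; an empty result means no anonymous Allow.
"""
import json

# The public-read policy from the page, as written there.
PUBLIC_READ = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket/*"]
    }
  ]
}
""")

# Constructed hardened policy for the same bucket (account IDs, role name,
# prefix and CIDR are invented): one role may read from one network,
# a partner account may upload into one prefix, and plaintext HTTP is denied.
HARDENED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAppRoleReadFromOffice",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-bucket/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {
            "Sid": "AllowPartnerAccountUpload",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::example-bucket/incoming/*"],
        },
        {
            # Principal "*" is correct here: a Deny must cover every caller.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}


def _as_list(value):
    """Policy fields may be a single string/dict or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for "*" or {"AWS": "*"}, the two spellings that mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def public_statements(policy):
    """Return the Allow statements whose Principal is anonymous.

    Deny statements are skipped on purpose: Principal "*" in a Deny is the
    normal way to say "nobody may do this". Condition keys are reported so
    the reviewer can judge whether they really narrow the grant.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        keys = []
        for operator_block in stmt.get("Condition", {}).values():
            keys.extend(operator_block.keys())
        findings.append({
            "sid": stmt.get("Sid", f"Statement[{i}]"),
            "actions": sorted(_as_list(stmt.get("Action"))),
            "condition_keys": sorted(keys),
        })
    return findings


def check_policy_file(path):
    """Load a bucket-policy.json and return its public Allow statements."""
    with open(path, encoding="utf-8") as fh:
        return public_statements(json.load(fh))


if __name__ == "__main__":
    for name, policy in (("page policy", PUBLIC_READ), ("hardened policy", HARDENED)):
        hits = public_statements(policy)
        print(f"{name}: {'PUBLIC ' + json.dumps(hits) if hits else 'no anonymous Allow statements'}")
```

Running the script reports the page's policy as public (s3:GetObject, no condition) and the hardened policy as clean, even though the hardened policy also contains a Principal "*" statement. The check is deliberately conservative: an anonymous Allow that carries a Condition is still listed, because only some condition keys (such as aws:PrincipalAccount) actually stop outside callers, and that judgement is left to the reviewer.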
Summary
Create a JSON bucket policy file defining who can access your bucket and what actions they can perform.
Use the AWS CLI command to apply the bucket policy to your bucket.
Verify the policy is set by retrieving it and testing access to the bucket contents.