Examples of ACL and Policy requests
- How to open a file for download
- How to make a file in a bucket public
- How to hide a directory
- How to allow requests from a single IP
- How to allow requests from a particular site
- How to list a bucket
- Grant a user access to a bucket
ACL
An Access Control List (ACL) is a list of permissions that specifies which users or system processes are granted access to objects, and which operations are allowed on those objects.
Note that the storage owner is responsible for configuring and managing the ACL.
To manage your S3 storage, you can use the commands described in the awscli documentation.
What an ACL looks like
The command to configure the ACL is as follows:
aws s3api put-object-acl --bucket my_bucket --key cat.jpg --acl public-read --endpoint-url=https://s-ed1.cloud.gcore.lu
Here is an example of setting a public ACL (--acl public-read) on a specific object (cat.jpg) in the bucket (my_bucket).
After applying the command, this object will be available to anyone at https://s-ed1.cloud.gcore.lu/my_bucket/cat.jpg
ACL on objects allows you to configure a wide range of actions:
Action | Description
--- | ---
--acl public-read | Sets a public ACL on an object.
--acl private | Sets a private ACL on an object.
--grant-full-control (string) | Grants full access to bucket management and regulation.
--grant-read (string) | Allows listing objects in a bucket.
--grant-read-acp (string) | Allows reading the ACL.
--grant-write (string) | Allows writing, overwriting, and deleting objects.
--grant-write-acp (string) | Allows writing the ACL.
Policy
For more fine-grained configuration of access rights to files and buckets, use a policy.
A policy regulates not only which actions are permitted but also which directories in the bucket specific users, groups or sources may access.
A policy is written in JSON format.
The maximum request size is 20 KB.
What a policy looks like
The JSON file specifies the permitted actions for files or buckets; for finer control over requests, the actions can be supplemented with conditions.
Note! All the available actions, conditions and resource types are described in the official documentation.
Here is an example of an access policy that denies all users the operation ("s3:GetObject") in the bucket directory ("Resource": "arn:aws:s3:::my_bucket/secret/*"), but allows that operation on the bucket ("Resource": "arn:aws:s3:::my_bucket/*"), which is one level higher.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/secret/*"
    }
  ]
}
After the JSON file is created, the access policy is applied to the file or bucket:
aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
Examples of ACL and Policy requests
How to open a file for download
Here is an example of setting a public ACL (--acl public-read) on a specific object (cat.jpg) in the bucket (my_bucket):
aws s3api put-object-acl --bucket my_bucket --key cat.jpg --acl public-read --endpoint-url=https://s-ed1.cloud.gcore.lu
After applying this command, the object cat.jpg will be available to anyone at https://s-ed1.cloud.gcore.lu/my_bucket/cat.jpg
How to make a file in a bucket public
Here is an example of a JSON file in which downloading objects ("Action": "s3:GetObject") is allowed for everyone ("Principal": "*") in the bucket ("Resource": "arn:aws:s3:::my_bucket/*").
Please note: this access policy allows files to be fetched by direct link, but does not allow listing the files in the bucket.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    }
  ]
}
Applying the access policy to the bucket:
aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
How to hide a directory
Here is an example of a JSON file that denies all users the operation ("s3:GetObject") in the bucket directory ("Resource": "arn:aws:s3:::my_bucket/secret/*"), but allows it on the bucket ("Resource": "arn:aws:s3:::my_bucket/*") as a whole:
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my_bucket/secret/*"
    }
  ]
}
Applying the access policy to the bucket:
aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
How to allow requests from a single IP
Here is an example of a JSON file that allows requests to the bucket my_bucket and its objects only from the specified IP range ("IpAddress": {"aws:SourceIp": "54.240.143.0/24"}):
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::my_bucket",
        "arn:aws:s3:::my_bucket/*"
      ],
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"}
      }
    }
  ]
}
Applying the access policy to the bucket:
aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
How to allow requests from a particular site
Here is an example of a JSON file that only allows requests whose Referer header matches the sites specified in the access policy ("StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}):
{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests originating from www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Condition": {
        "StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    }
  ]
}
Applying the access policy to the bucket:
aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket
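Added example (not from this page or Gcore's tooling): a minimal Python evaluator for the hide-a-directory, single-IP and referrer policies above, so the effect of each statement can be checked offline before it is applied with put-bucket-policy. It assumes the standard S3 policy semantics those examples rely on: an explicit Deny overrides any Allow, "*" in Action and Resource is a wildcard, and a request that lacks a condition key (for example no Referer header) does not satisfy the condition; principals other than "*" are out of scope. The sample policies are the page's own, reduced to the fields the evaluator reads.

```python
import fnmatch
import ipaddress

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    """Check the two operators the page's examples use: IpAddress and StringLike."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:  # a missing context key (e.g. no Referer header) never matches
                return False
            if operator == "IpAddress":
                ok = any(ipaddress.ip_address(actual) in ipaddress.ip_network(c) for c in _as_list(expected))
            elif operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected))
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one anonymous request; an explicit Deny always wins."""
    context, allowed = context or {}, False
    for stmt in policy["Statement"]:
        if stmt["Principal"] != "*":  # toy evaluator: anonymous ('*') principals only
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"

# The page's policies for my_bucket, reduced to the fields the evaluator reads.
HIDE_SECRET = {"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my_bucket/secret/*"}]}
IP_ALLOW = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my_bucket", "arn:aws:s3:::my_bucket/*"],
    "Condition": {"IpAddress": {"aws:SourceIp": "54.240.143.0/24"}}}]}
REFERER = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
    "Resource": "arn:aws:s3:::my_bucket/*",
    "Condition": {"StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}}}]}
```

Note that the referrer patterns are matched literally, so an https:// referrer does not satisfy the http:// patterns from the page; the Referer header is also client-supplied, so this policy is a convenience filter rather than an authentication control.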
How to list a bucket
Here is an example of a command that allows anonymous users to list the files in a bucket, but does not allow them to read or write those files:
aws s3api put-bucket-acl --bucket my_bucket --acl public-read --endpoint-url=https://s-ed1.cloud.gcore.lu
Grant a user access to a bucket
Here is an example of a JSON file that grants a user access to a bucket, where:
- 4702-test is the storage name in your personal account;
- my_bucket is the bucket to which access is granted.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam:::user/4702-test"]},
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my_bucket/*", "arn:aws:s3:::my_bucket"]
    }
  ]
}
Applying the access policy to the bucket:
aws s3api put-bucket-policy --policy file://policy.json --endpoint-url=https://s-ed1.cloud.gcore.lu --bucket my_bucket