Hello everyone. In this blog I would like to explain AWS S3 security with some real-world examples.
Let's get started. These are the topics covered in this blog:
ETags and checksums
ACLs
Block Public Access
Bucket policies
Real-world examples
I have made a video on S3 bucket policies, ACLs, ETags & checksums and Block Public Access using the CLI.
Check it out if you are interested.
ETags and Checksums
ETags
An ETag is an HTTP response header that identifies a specific version of a resource, so a client can tell whether the resource has changed without downloading it again.
For an object stored in plaintext or with SSE-S3 and uploaded in a single PutObject (or CopyObject) request, the ETag is the MD5 digest of the object's bytes. It is not an MD5 of the content for objects encrypted with SSE-KMS or SSE-C, and for multipart uploads it is the MD5 of the concatenated part digests followed by "-<number of parts>", so an ETag is only usable as a content hash when you know how the object was uploaded.
So ETags are useful when you want to check whether the content of an object has changed, programmatically or from the CLI.
Checksums
A checksum is a value computed from data (a hash or a CRC) that is used to verify the integrity of the data during transmission and storage.
S3 uses checksums to verify the integrity of objects: if the data is corrupted or truncated on the way in or out, the checksum does not match and the request fails.
Algorithms like MD5, SHA-256, SHA-1, CRC32 and CRC32C generate a checksum from the bytes of a file.
The ETag is the value S3 assigns on its own (MD5 only in the simple cases above), while the additional checksums use an algorithm you pick at upload time. Both are returned to you, so either can tell you whether the data in the object has changed, and the checksum can additionally be used to verify the upload and the download end to end.
How to get the ETag for an object in the bucket
aws s3api list-objects --bucket cloud-newbie.1023
The above command lists all the objects in the bucket cloud-newbie.1023 with some extra information, which includes the ETag of each object.
By default S3 computes the ETag with MD5. The additional checksum algorithms S3 supports are CRC32, CRC32C, SHA-1 and SHA-256.
AWS does not allow us to change the ETag algorithm, but it does allow us to choose the additional checksum algorithm; in that case the ETag and the checksum will not be the same value.
How to get the checksum of a file
To get checksums for a local file file1.txt, type:
md5sum file1.txt      # MD5 checksum
sha256sum file1.txt   # SHA-256 checksum
crc32 file1.txt       # CRC32 checksum (the crc32 tool comes with Perl's Archive::Zip on most Linux distributions)
These tools print the checksum in hex, whereas S3 reports the additional checksums base64-encoded, so convert before comparing the two.
Changing the checksum algorithm for an object while uploading
If I want to use SHA-256 as the checksum algorithm, I use this command:
aws s3api put-object --bucket cloud-newbie.1023 --key file1.txt --body file1.txt \
--checksum-algorithm SHA256
The CLI computes the SHA-256 of file1.txt, sends it with the request, and S3 verifies it before storing the object; the response includes the stored value in the ChecksumSHA256 field.
Access Control Lists
ACLs are one of the oldest ways to manage access to resources in AWS S3.
ACLs are defined at two levels:
• Bucket-level ACLs: control access to the entire bucket.
• Object-level ACLs: control access to specific objects inside the bucket.
ACL grantees are other AWS accounts (identified by canonical user ID or e-mail address) and the predefined groups AllUsers (anyone, including anonymous requests) and AuthenticatedUsers (anyone with an AWS account). You cannot use an ACL to grant to individual IAM users or roles in your own account; the bucket owner account already holds FULL_CONTROL.
The permissions are READ and WRITE on buckets and objects, plus READ_ACP and WRITE_ACP, which allow reading and changing the ACL itself, and FULL_CONTROL, which combines all of them.
Limitations of ACLs
Limited permissions: only coarse read/write style grants; no per-action control such as allowing GetObject but not ListBucket.
No conditional access: cannot apply conditions such as IP restrictions or time-based access.
Account-level grantees only: works for whole AWS accounts and the predefined groups, not for individual IAM users, roles or groups.
To use ACLs at all, the bucket's Object Ownership setting must allow them ("Bucket owner preferred" or "Object writer"). The default, "Bucket owner enforced", disables ACLs: every object is owned by the bucket owner and any ACL grant, public or not, is ignored.
If "List objects" under "Everyone (public access)" is selected, anyone can list the objects in this bucket, and if "Read bucket ACL" is also selected, anyone can even read the bucket's ACL. These grants only take effect if Block Public Access is turned off for the bucket.
In the same way, to let others read an object, grant the permission in the object's ACL.
AWS itself recommends disabling ACLs, keeping Object Ownership at "Bucket owner enforced" and using bucket policies and IAM policies instead.
Block Public Access
By default, all four Block Public Access settings are turned on for new buckets (and they can also be enforced for every bucket at the account level), so public access to a bucket and the objects inside it is blocked unless you deliberately switch the settings off. The four settings are:
Block public access to buckets and objects granted through new access control lists (ACLs)
Rejects any new ACL (a bucket ACL, an object ACL or a canned ACL on an upload) that would make the bucket or an object public. It does not affect ACLs that already grant public access. You get an error when you try to make a bucket/object public.
Block public access to buckets and objects granted through any access control lists (ACLs)
Ignores all public ACL grants, new as well as existing. It does not return an error; the ACL is still stored, it simply has no effect.
Block public access to buckets and objects granted through new public bucket or access point policies
Rejects new bucket policies or access point policies that would grant public access; the PutBucketPolicy call fails with an error.
Block public and cross-account access to buckets and objects through any public bucket or access point policies
If a bucket or access point policy is public, access through it is restricted to principals in the bucket owner's account and to AWS service principals; the public and cross-account grants in that policy, new or existing, are ignored.
Because these settings act on top of ACLs and policies, the safe default is to keep all four on and grant access with bucket policies or IAM policies scoped to specific principals instead of making anything public.
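To make the "public ACL" and "public policy" notions used by the ACL and Block Public Access sections concrete, here is an added Python example (not from the original post and not AWS's implementation) that applies those definitions offline to the JSON shapes returned by aws s3api get-bucket-acl and aws s3api get-bucket-policy (for the latter, pass the Policy string from the response). It implements the published rule that an ACL grant to the AllUsers or AuthenticatedUsers group is public, and that an Allow statement for an anonymous principal is public unless a condition pins it on one of a fixed set of keys. Only a subset of those keys is modelled, and the sample ACL, policies and VPC endpoint ID are constructed, so a "not public" verdict from it is a hint to check further, not proof.

```python
"""Offline detection of public ACL grants and public bucket-policy statements,
following the rules Block Public Access applies (simplified)."""
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",           # everyone, incl. anonymous
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers", # any AWS account
}
# Subset of the condition keys that make a "*" grant non-public when they pin
# the request to fixed values; the full list is in the S3 Block Public Access docs.
NARROWING_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourcearn", "aws:sourceip",
    "aws:userid", "aws:principalorgid", "aws:principalaccount",
    "s3:dataaccesspointarn", "s3:dataaccesspointaccount",
}
OPEN_RANGES = {"0.0.0.0/0", "::/0"}  # aws:SourceIp limited to these is still public


def _as_list(v):
    return v if isinstance(v, list) else [v]


def public_acl_grants(acl):
    """(grantee URI, permission) for every grant to a public group in a
    get-bucket-acl / get-object-acl document."""
    return [(g["Grantee"].get("URI"), g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def _anonymous(principal):
    """Principal "*" or {"AWS": "*"} (possibly inside a list) means anyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _narrows(condition):
    """True if some condition pins the request on a narrowing key with fixed values."""
    for operator, pairs in (condition or {}).items():
        if "not" in operator.lower():  # StringNotEquals, NotIpAddress ... widen, not narrow
            continue
        for key, values in pairs.items():
            if key.lower() not in NARROWING_KEYS:
                continue
            if key.lower() == "aws:sourceip" and set(_as_list(values)) & OPEN_RANGES:
                continue
            return True
    return False


def public_policy_statements(policy):
    """Sids (or positions) of the Allow statements that make a bucket policy public.
    Accepts a dict or the JSON string that get-bucket-policy returns."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(doc["Statement"])
            if s.get("Effect") == "Allow" and _anonymous(s.get("Principal"))
            and not _narrows(s.get("Condition"))]


# Constructed sample inputs; the canonical ID and VPC endpoint ID are placeholders.
SAMPLE_ACL = {"Owner": {"ID": "example-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::cloud-newbie.1023/*"}]}
VPCE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FromVpce", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::cloud-newbie.1023/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}
DENY_EXCEPT_KGF_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyOthers", "Effect": "Deny", "Principal": {"AWS": ["*"]},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::cloud-newbie.1023", "arn:aws:s3:::cloud-newbie.1023/*"],
     "Condition": {"StringNotEquals": {"aws:username": "KGF"}}}]}

if __name__ == "__main__":
    print("public ACL grants:", public_acl_grants(SAMPLE_ACL))
    for name, pol in [("public-read", PUBLIC_READ_POLICY), ("vpce-only", VPCE_ONLY_POLICY),
                      ("deny-except-KGF", DENY_EXCEPT_KGF_POLICY)]:
        print(f"{name}: public statements = {public_policy_statements(pol)}")
```

Note that the "deny everyone except one user" policy used later on this page is not public by this definition, because its anonymous principal appears in a Deny, while a plain Allow to "*" is public even when it only grants s3:GetObject. The two "new" Block Public Access settings reject exactly the requests that would add a grant these checks would flag.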
Bucket Policies
Using bucket policies, unlike ACLs, we can grant fine-grained permissions to others on our buckets and objects.
A bucket policy is a JSON document attached to an S3 bucket that defines permissions for accessing the bucket and its objects.
It allows you to control access to the bucket/objects for AWS accounts, IAM users and roles (in your own account or in other accounts), AWS services, or anonymous (public) users.
What does a bucket policy contain?
Version:
The version defines the policy language's format.
Always set it to "2012-10-17" (the current version; the older "2008-10-17" does not support policy variables such as ${aws:username}).
Statement:
The Statement block contains all the rules of the policy. It is an array, so you can have multiple rules.
Effect:
Specifies whether to allow or deny access.
• "Allow": grants permissions.
• "Deny": explicitly denies permissions. An explicit Deny overrides any Allow, whether the Allow comes from this policy or from the caller's IAM policy.
Principal:
Defines who the statement applies to.
"*": everyone, including anonymous (unauthenticated) requests.
A whole AWS account: "arn:aws:iam::AccountID:root".
A specific IAM user: "arn:aws:iam::AccountID:user/UserName".
A specific role: "arn:aws:iam::AccountID:role/RoleName".
Action:
Specifies which actions are allowed or denied.
"s3:GetObject" allows downloading objects; "s3:ListBucket" allows listing the objects in a bucket.
Use "s3:*" for all S3 actions.
Resource:
The ARN the statement applies to. Bucket-level actions such as s3:ListBucket are evaluated against the bucket ARN (arn:aws:s3:::bucket-name), while object-level actions such as s3:GetObject are evaluated against the object ARN (arn:aws:s3:::bucket-name/*). A statement that names only the bucket ARN does not cover the objects inside it.
Condition (optional):
Extra requirements, such as the caller's username, source IP or VPC endpoint, that must hold for the statement to apply.
Bucket Policy Template
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow or Deny",
"Principal": "Who can access",
"Action": "What actions are allowed or denied",
"Resource": "Which bucket or objects",
"Condition": "Optional - Under what conditions access is granted/denied"
}
]
}
Real World Examples
- Write a bucket policy that allows only one user to access the bucket and its objects and denies every other user.
Let's take the help of the AWS Policy Generator to create the bucket policies.
Our goal is to allow only one user to access the objects/bucket, so first we have to create that user.
Let's create a user called KGF:
aws iam create-user --user-name KGF
The ARN of this user is our principal. For actions, let's just give GetObject and ListBucket permissions,
so that this user will be able to list the objects in the bucket and download any specified object in the bucket.
The resource is the bucket ARN (for s3:ListBucket) together with the bucket ARN followed by /* (for s3:GetObject, which is evaluated against object ARNs).
Now the entire policy looks like this:
{
"Id": "Policy1735223521529",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1735223519830",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::cloud-newbie.1023","arn:aws:s3:::cloud-newbie.1023/*"],
"Principal": {
"AWS": [
"arn:aws:iam::12345678910:user/KGF"
]
}
}
]
}
If this policy is attached to the cloud-newbie.1023 bucket, the KGF user will be able to access the bucket and its objects.
But to run aws commands on behalf of the KGF user, the user must have an access key ID and a secret access key.
Generate an access key ID and secret access key
aws iam create-access-key --user-name KGF
After executing this, the KGF user is able to run aws commands (configure the returned key pair as a CLI profile, and treat the secret like a password: it is a long-lived credential).
When I run the aws s3 ls command against the bucket as the root user
as well as the KGF user, I get a response in both cases.
Why was the root user able to get the objects in the bucket?
Here we have to understand the relation between an IAM policy and a bucket policy.
IAM Policy v/s Bucket Policy
If a user has IAM permissions on S3, the user has access to the bucket/objects unless the bucket policy explicitly denies that user.
Conversely, even if a user has no IAM permissions on S3, if the bucket policy explicitly grants access the user will have access to the bucket/objects, as in this case: user KGF had no IAM permissions on S3, the bucket policy granted them, so the user could access the bucket. This shortcut applies within a single account; for a principal in another account, both the bucket policy and the principal's own IAM policy must allow the action. The root user is not subject to IAM policies at all and has full access to the account's resources, which is why it could read the bucket without being named in the policy.
If the user tries any S3 command other than GetObject and ListBucket, the request is denied, because the user lacks IAM permissions for it and the bucket policy does not grant it.
Now how do we allow only the KGF user to access the bucket?
Let's deny everyone and allow only the KGF user. ❗❗❗
To write a policy like this, let's take help from the policy generator again.
A Deny with Principal "*" denies everyone, but we have to allow the KGF user.
For this we have to use a condition:
if the username is not equal to KGF, then access is denied.
The whole policy looks like this:
{
"Id": "Policy1735223521529",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1735223519830",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Deny",
"Resource": ["arn:aws:s3:::cloud-newbie.1023","arn:aws:s3:::cloud-newbie.1023/*"],
"Condition": {
"StringNotEquals": {
"aws:username": "KGF"
}
},
"Principal": {
"AWS": [
"*"
]
}
}
]
}
If the username is not KGF, the condition is true and the Deny applies; if the username is KGF, the condition is false and the statement does not apply, so user KGF is able to run GetObject on the bucket. Note that the root user has no aws:username value in its request context at all, and a negated operator such as StringNotEquals counts a missing key as a match, which is why this Deny catches the root user as well.
If I try to execute it as the root user:
Bucket policy denied. 👌👌
If I try to execute it as the KGF user, the request is also denied.
This is because the bucket policy now only denies everyone except user KGF; it no longer allows anything, and this user has no IAM permissions on S3. Not being denied is not the same as being allowed: without an explicit Allow from either policy, the request falls through to the implicit deny.
Let's attach an IAM policy to user KGF.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1735188898742",
"Action": [
"s3:*"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::cloud-newbie.1023", "arn:aws:s3:::cloud-newbie.1023/*"]
}
]
}
This is what the IAM policy looks like: it grants every S3 action on the bucket and on the objects inside it. Both ARNs are needed, because object-level actions such as s3:GetObject are evaluated against the object ARN; a policy that names only the bucket ARN would allow s3:ListBucket but not downloads.
Create the policy and attach it to the user.
Now when I try to access the bucket, the root user is denied by the bucket policy, while the KGF user, allowed by its IAM policy and not matched by the Deny, succeeds.
Now you should be able to understand the relation between IAM and bucket policies.
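Replaying the experiment offline, as an added example (not code from the post and not AWS's policy evaluation engine): a small Python evaluator that combines an identity policy and a bucket policy with the rules described above (an explicit Deny wins; otherwise an Allow from either policy is enough within one account; the root user is not subject to identity policies but is still caught by an explicit Deny; a negated condition operator matches when the key is absent). It models only the grammar used on this page; SCPs, permission boundaries, session policies and the cross-account rule are out of scope. The account ID and policies are the ones from this page, with the IAM policy's Resource listing both the bucket ARN and the object ARN pattern, because object actions are evaluated against the object ARN.

```python
"""Same-account simulation of how S3 combines an IAM (identity) policy with a
bucket policy. Models only Effect/Action/Resource/Principal and the
StringEquals / StringNotEquals operators on aws:username."""
import fnmatch

ACCOUNT = "12345678910"  # placeholder account id used on this page
BUCKET = "cloud-newbie.1023"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"
OBJECT_ARN = f"{BUCKET_ARN}/file1.txt"

KGF = {"arn": f"arn:aws:iam::{ACCOUNT}:user/KGF", "username": "KGF"}
ROOT = {"arn": f"arn:aws:iam::{ACCOUNT}:root"}  # root has no aws:username

# The three policies from this page.
ALLOW_KGF = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"], "Principal": {"AWS": [KGF["arn"]]}}]}
DENY_EXCEPT_KGF = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"], "Principal": {"AWS": ["*"]},
    "Condition": {"StringNotEquals": {"aws:username": "KGF"}}}]}
KGF_IAM = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principal_matches(principal, caller_arn):
    """Principal "*" or {"AWS": "*"} matches anyone; otherwise the caller ARN must be listed."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    return any(p in ("*", caller_arn) for p in _as_list(principal.get("AWS", [])))


def _condition_matches(condition, context):
    """StringEquals needs the key present and equal; StringNotEquals (a negated
    operator) also matches when the key is absent from the request context."""
    for operator, pairs in (condition or {}).items():
        for key, wanted in pairs.items():
            actual, wanted = context.get(key), _as_list(wanted)
            if operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True


def _statement_matches(stmt, action, resource, caller_arn, context, check_principal):
    if check_principal and not _principal_matches(stmt.get("Principal"), caller_arn):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_matches(stmt.get("Condition"), context)


def evaluate(action, resource, caller, identity_policy=None, bucket_policy=None):
    """Return 'ALLOW' or 'DENY' for a request by `caller` ({"arn": ..., "username": ...})."""
    context = {"aws:username": caller["username"]} if "username" in caller else {}
    is_root = caller["arn"].endswith(":root")
    effects = []
    if identity_policy and not is_root:  # identity policies do not apply to root
        for s in identity_policy["Statement"]:
            if _statement_matches(s, action, resource, caller["arn"], context, False):
                effects.append(s["Effect"])
    if bucket_policy:
        for s in bucket_policy["Statement"]:
            if _statement_matches(s, action, resource, caller["arn"], context, True):
                effects.append(s["Effect"])
    if "Deny" in effects:
        return "DENY"  # an explicit deny always wins
    if is_root or "Allow" in effects:
        return "ALLOW"  # root has implicit access; others need an Allow from either side
    return "DENY"  # implicit deny: nothing granted access


def replay():
    """Outcomes of the page's experiment, in the order it was run."""
    return {
        "allow-policy, KGF GetObject": evaluate("s3:GetObject", OBJECT_ARN, KGF, None, ALLOW_KGF),
        "allow-policy, root GetObject": evaluate("s3:GetObject", OBJECT_ARN, ROOT, None, ALLOW_KGF),
        "allow-policy, KGF PutObject": evaluate("s3:PutObject", OBJECT_ARN, KGF, None, ALLOW_KGF),
        "deny-policy, root GetObject": evaluate("s3:GetObject", OBJECT_ARN, ROOT, None, DENY_EXCEPT_KGF),
        "deny-policy, KGF without IAM": evaluate("s3:GetObject", OBJECT_ARN, KGF, None, DENY_EXCEPT_KGF),
        "deny-policy, KGF with IAM": evaluate("s3:GetObject", OBJECT_ARN, KGF, KGF_IAM, DENY_EXCEPT_KGF),
    }


if __name__ == "__main__":
    for scenario, verdict in replay().items():
        print(f"{scenario:32} -> {verdict}")
```

On a real account the IAM policy is created with aws iam create-policy and bound with aws iam attach-user-policy; the evaluator needs neither, which makes it handy for checking a policy pair before deploying it. Changing KGF_IAM's Resource to the bucket ARN alone shows the trap mentioned earlier: s3:ListBucket still passes but s3:GetObject is implicitly denied.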
Thanks for reading my article. If you find anything incorrect, please let me know.
Have a great day 🎉🎉🎉.