Overview
In the previous part of this article, we covered Amazon Simple Storage Service (Amazon S3), including how to restrict access to folders using policies and how to manage permissions. In this part, we will learn how to give federated users complete access to the files they own while restricting them from accessing other users' folders.
Introduction
In this part of the article, we will learn how to create policies with folder-level permissions. The scenario mirrors what many organizations already do with existing file shares: each AWS IAM Identity Center user can only access their own home folder. Folder-level permissions allow you to control exactly who can access which objects within a particular bucket.
Mark’s Policy
Below is Mark's complete policy, which will be attached via the console to a federated user named 'Mark' in AWS IAM Identity Center.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowUserToSeeBucketListInTheConsole",
      "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Sid": "AllowRootAndHomeListingOfCompanyBucket",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-new-company-123456789"],
      "Condition": {
        "StringEquals": {
          "s3:prefix": ["", "home/", "home/Mark"],
          "s3:delimiter": ["/"]
        }
      }
    },
    {
      "Sid": "AllowListingOfUserFolder",
      "Action": ["s3:ListBucket"],
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-new-company-123456789"],
      "Condition": {
        "StringLike": {
          "s3:prefix": ["home/Mark/*"]
        }
      }
    },
    {
      "Sid": "AllowAllS3ActionsInUserFolder",
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3:::my-new-company-123456789/home/Mark/*"]
    }
  ]
}
```
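To check what this policy actually permits before attaching it, here is an added offline evaluator (example code, not from the article or from AWS) that models the policy's Allow statements, IAM `*`/`?` wildcards, and the StringEquals/StringLike conditions it uses. It assumes the bucket name from the article and a request context (s3:prefix, s3:delimiter) supplied by the caller; it does not model Deny statements, `...IfExists` operators or bucket policies.

```python
import fnmatch

BUCKET_ARN = "arn:aws:s3:::my-new-company-123456789"  # bucket name from the article

# Mark's policy from the article, expressed as a Python dict.
MARK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowUserToSeeBucketListInTheConsole",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Effect": "Allow", "Resource": ["arn:aws:s3:::*"]},
    {"Sid": "AllowRootAndHomeListingOfCompanyBucket",
     "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": [BUCKET_ARN],
     "Condition": {"StringEquals": {"s3:prefix": ["", "home/", "home/Mark"],
                                    "s3:delimiter": ["/"]}}},
    {"Sid": "AllowListingOfUserFolder",
     "Action": ["s3:ListBucket"], "Effect": "Allow", "Resource": [BUCKET_ARN],
     "Condition": {"StringLike": {"s3:prefix": ["home/Mark/*"]}}},
    {"Sid": "AllowAllS3ActionsInUserFolder",
     "Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET_ARN + "/home/Mark/*"]},
]}


def _match(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters (slashes included), '?' one."""
    return fnmatch.fnmatchcase(value, pattern)


def _conditions_hold(condition, ctx):
    """Every condition block must hold. A key absent from the request context fails
    StringEquals/StringLike (the ...IfExists variants are not modelled here)."""
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "StringLike"):
            raise ValueError(f"unsupported operator {operator}")
        for key, allowed in keys.items():
            if key not in ctx:
                return False
            if operator == "StringEquals" and ctx[key] not in allowed:
                return False
            if operator == "StringLike" and not any(_match(p, ctx[key]) for p in allowed):
                return False
    return True


def is_allowed(policy, action, resource, ctx=None):
    """Evaluate one request against an identity policy made only of Allow statements:
    allowed if some statement matches action, resource and conditions, else implicit deny."""
    ctx = ctx or {}
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(_match(a, action) for a in st["Action"]):
            continue
        if not any(_match(r, resource) for r in st["Resource"]):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        return True
    return False
```

Note that a root listing without `s3:delimiter` in the request context is denied by this policy, which is why the second statement matters for the console and for `aws s3 ls`-style listings that send the delimiter.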
Step-by-Step Guide
1. The preceding AWS IAM Policy should be copied and pasted into the inline policy editor. Use the JSON editor in this situation. See Creating AWS IAM policies for details on how to create policies.
2. Give your consent, choose a name and a description, and then select Next, leaving the other settings as they are.
3. Make sure you update the policies with the bucket name you previously created.
4. Once your permission set has been generated, choose Assign users or groups under AWS accounts in the left navigation pane.
5. Select our user “Mark” and choose Next.
6. We must select the permission set we created earlier, choose Next, leave the rest in the default settings, and choose Submit.
Now that the necessary permissions have been created and attached, Mark can view his Amazon S3 bucket folder but not the objects in other users’ folders. You can confirm this by logging in as Mark on the AWS access portal.
7. Select the AWS access portal URL by navigating to the Settings summary on the AWS IAM Identity Center dashboard.
8. Sign in as the user Mark with the one-time password received earlier when Mark was created.
9. Open the Amazon S3 Management console.
10. Then, search for the Amazon S3 bucket created earlier.
11. Finally, navigate to Mark's folder to verify the user's read and write access. If we navigate to other users' folders, we will find that we do not have access to the objects inside them.
Conclusion
In the second part of this blog, we went through the new policy setup. Then, we demonstrated the access rights of the user Mark and checked his read and write permissions. In the next part of the blog, we will walk through each section of Mark's policy and discuss access control and managing policies with policy variables.
Drop a query if you have any questions regarding Amazon S3 and we will get back to you quickly.
FAQs
1. How much data can a user store in Amazon S3?
ANS: – You can store infinite items and data on Amazon S3. The size of a single Amazon S3 object might be as little as 0 bytes or as much as 5 TB. Five gigabytes is the biggest object that can be uploaded in a single PUT. It is recommended that clients use the multipart upload functionality for assets greater than 100 MB.
2. How reliable is Amazon S3?
ANS: – With Amazon S3, you can access the same scalable, available, fast, and cost-effective data storage infrastructure that Amazon uses to power its global network of websites. The Amazon S3 Standard storage class is designed for 99.99% availability, and the Amazon S3 Standard-IA, Amazon S3 Intelligent-Tiering, and Amazon S3 Glacier Instant Retrieval storage classes are designed for 99.9% availability. The Amazon S3 One Zone-IA storage class is designed for 99.5% availability, and the Amazon S3 Glacier Flexible Retrieval and Amazon S3 Glacier Deep Archive classes deliver 99.99% availability and a 99.9% SLA. The Amazon S3 Service Level Agreement supports all of these storage classes.
WRITTEN BY Guru Bhajan Singh
Guru Bhajan Singh is currently working as a Software Engineer - PHP at CloudThat and has 6+ years of experience in PHP. He holds a Master's degree in Computer Applications and enjoys coding, problem-solving, learning new things, and writing technical blogs.