In the previous blog, we learned about IAM policies in AWS. We can use IAM policies to manage access for different users for the S3 bucket. Life is not that simple. With S3, we have Bucket policies and Bucket Access Control Lists ( hereafter referred to as ACLs), which also can be used to manage access to S3 buckets. Let us understand the difference between IAM policies versus S3 Policies and S3 ACLs and when you should use what.
IAM Policies
IAM policies specify which actions are allowed or denied on AWS services/resources for a particular user. For example, user Tom can read files from the “Production” bucket but write files in the “Dev” bucket, whereas user Jerry can have admin access to S3.
We can attach IAM policies to users, groups, or roles. These users or roles can perform AWS operations depending on permission by AWS policy.
Below is a sample policy that allows reading access to the s3 bucket “test-sample-bucket.” Any user group or role with the below policy attached will be able to read data from this bucket.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:GetObjectVersion"],
"Resource": "arn:aws:s3:::test-sample-bucket"
}
]
}S3 Bucket Policies
With the S3 bucket policy, you can specify which actions are allowed or denied on that bucket for some users. In the context of S3 bucket policies, the user is called the principal. The principal can be an IAM user or an AWS root account. That means you can grant access to another AWS account in which your AWS S3 bucket is created.
S3 bucket policies can be attached to only S3 buckets. You can use them with any other AWS user or service. Below is a sample S3 bucket policy that grants the root user of the AWS account with ID 112233445566 and the user named Tom full access to the S3 bucket.
{
"Id": "Policy1586088133829",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1586088060284",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::test-sample-bucket",
"Principal": {
"AWS": [
"arn:aws:iam::112233445566:root",
"arn:aws:iam::112233445566:user/Tom"
]
}
}
]
}Note the “Principal” statement in the S3 bucket policy. The principal has a list of users who have access to this bucket. In the case of IAM policies, “Principal” is not necessary as this is derived from the user, group, or role to which IAM policy is assigned.
In the case of IAM policies, mentioning “Principal” is not necessary as this is derived from the user or group or role to which IAM policy is assigned.
AWS Facts
If you want to try and play around to create S3 bucket policies, then AWS has provided a policy generator. You can try out creating policies for different scenarios.
S3 Bucket ACL
S3 ACLs are the old way of managing access to buckets. AWS recommends the use of IAM or Bucket policies. However, there are still use cases where ACLs give flexibility over policies. That is one of the reasons ACLs are still not deprecated or will be deprecated any time soon.
The most significant advantage of using ACL is that you can control the access level of buckets and an object using it. Whereas IAM or Bucket Policies can only be attached to buckets but not to objects in the bucket, Bucket ACLs can be assigned to buckets and objects in it.
This means you have a lot of flexibility and control over your S3 resources. You can make some objects public in a private bucket or vice versa without any issue.
ACLs can have one of the following types of values.
| ACL | Applies to | Permissions added to ACL |
|---|---|---|
| bucket-owner-read | can be added to the Object | Object owner gets FULL_CONTROL. The bucket owner gets READ access. If you specify this canned ACL when creating a bucket, Amazon S3 ignores it. |
| bucket-owner-full-control | can be added to the Object | Both the object owner and the bucket owner get FULL_CONTROL over the object. If you specify this canned ACL when creating a bucket, Amazon S3 ignores it. |
| log-delivery-write | can be added to the Object | The LogDelivery group gets WRITE and READ_ACP permissions on the bucket. |
| private | can be added to Bucket and object | Owner gets FULL_CONTROL. No one else has access rights (default). |
| public-read | can be added to Bucket and object | Owner gets FULL_CONTROL. The AllUsers group gets READ access. |
| public-read-write | can be added to Bucket and object | The owner has FULL_CONTROL. The AllUsers group has READ and WRITE access. It is generally not recommended to grant this on a bucket. |
| aws-exec-read | can be added to Bucket and object | Owner gets FULL_CONTROL. Amazon EC2 gets READ access to GET an Amazon Machine Image (AMI) bundle from Amazon S3. |
| authenticated-read | can be added to Bucket and object | Owner gets FULL_CONTROL. The AuthenticatedUsers group gets READ access. |
IAM Policies VS S3 Policies VS S3 Bucket ACLs – what should I Use?
Now that we have understood the basics of IAM Policy, Bucket Policy, and Bucket ACLs, We can decide in which scenario we should use which type of access control. Below is a table that should help you decide what to use in your case.
| Criteria | IAM Policies | Bucket Policies | Bucket ACLs |
|---|---|---|---|
| AWS Recommendation | AWS recommends using IAM policies where you can. | You can use bucket policies as their simplest way compared to IAM policies. | Bucket ACLs are an older way of managing access to S3 buckets and generally are not recommended. |
| ease of use and maintenance | IAM policies are easy to maintain when you have a large number of users, and you frequently need to make changes to permission levels of users (i.e., user promoted or left the organization) | S3 policies are easy to create but become difficult to maintain when you have a lot of users or if you want to change the access level of some users. You might need to update bucket policies for all buckets if some users need more access to S3 buckets. | Similar to S3 bucket Policies, ACLs are challenging to maintain |
| Environment | IAM allows you to centrally manage all permissions to AWS which is easier | S3 policies are limited to the S3 environment only | S3 ACLs are limited to the S3 environment only |
| Object level control | IAM policies can only be attached to the root level of the bucket and cannot control object-level permissions. | Using ACL, you can control the access level of not only buckets but also of an object using it. | If you need to manage object-level permissions in S3, then you need to use Bucket ACLs |
| Use cases | IAM Policies can specify permission rules for other AWS Services/Resources | It can only be used with S3 | It can only be used with S3 |
Conclusion
I hope you have learned the difference between IAM policies, S3 policies, and S3 ACLs. You decide to use one of them, depending on your use case. If you have any questions, let me know. See you in the next blog. Cheers.