
Using bucket policies to control access to S3

As we covered previously, an Amazon S3 bucket policy is a resource-based policy, because the policy is attached directly to the resource itself, in this case the bucket. If you remember, resource-based policies must include the additional Principal element within the policy, so that it is known which identity the permissions apply to.

We will see how to create a policy for an S3 bucket and how to apply this policy to a bucket. For this example, we have a bucket called awsbucketpolicy and we will add a bucket policy to this allowing user Lisa in a different AWS account to access the bucket. Now, previously, we looked at using roles to create cross-account access; however, for S3 resources it's also possible to emulate this cross-account access by using resource-based policies (bucket policies) and an identity-based policy attached to Lisa in the second account.

So, first, let’s create the bucket policy:

  1. Once you have navigated to your bucket in S3, select it, then click on the Permissions tab and select Bucket Policy, as in the following screenshot:
  2. From here, we can either write the policy directly in the JSON editor provided or, at the bottom of the screen, use the policy generator. This is a great tool if you are not confident with JSON or not yet familiar with how to create policies from scratch. For those of you who are unfamiliar with the policy generator, refer to https://awspolicygen.s3.amazonaws.com/policygen.html.

It doesn’t just cater to S3 bucket policies; it can also be used to manage IAM policies, which we have already discussed (in addition to Simple Queue Service (SQS) Queue, SNS topics, and VPC endpoint policies, too).

  3. Once you have created the policy, using either the policy generator or by adding it directly into the bucket's JSON editor, it will look as follows:

As you can see, this policy allows user Lisa from account 356903128354 to make any S3 API call against the awsbucketpolicy bucket.

  4. Now, we need to apply an identity-based policy to allow Lisa in account 356903128354 to access that bucket. The following policy is applied (the object ARN, awsbucketpolicy/*, is listed alongside the bucket ARN so that object-level actions such as GetObject and PutObject are covered, not only bucket-level ones):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "S3BucketAccess",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::awsbucketpolicy",
        "arn:aws:s3:::awsbucketpolicy/*"
      ]
    }
  ]
}
```

As you can see, the bucket ARN doesn't actually include the ID of the account that created it. This is because each S3 bucket name is globally unique, and the bucket namespace is shared by all AWS accounts.

  5. Now, both policies have been applied, and Lisa in account 356903128354 has full access to the awsbucketpolicy bucket, which is managed and administered by a different account.

As this is a JSON policy, you can, of course, add conditional elements, such as the ones we discussed earlier in this chapter when discussing the policy structure, to add a greater level of control if required.

Bucket policies can be used to control access not only for other AWS accounts, as we saw in this example, but also within your own account. You simply need to enter the ARN of a user from your own account as the Principal.
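The two policies from this walkthrough, built from the bucket, account and user names used above, plus a small lint pass that flags the things a reviewer checks before applying a bucket policy (a statement with no Principal, a wildcard Principal that would make the bucket public, and an s3:* Allow with no Condition). This is an added example, not code from the book; the policy JSON it produces mirrors the chapter's, and the lint rules are the author of this example's own.

```python
# Added example (not from the book): build the two policies from the chapter
# and lint the bucket policy before it is applied. Account, user and bucket
# names are the sample values used in the text.
import json

BUCKET, ACCOUNT_ID, USER = "awsbucketpolicy", "356903128354", "Lisa"


def bucket_policy(bucket, account_id, user):
    """Resource-based policy: needs a Principal; covers bucket and object ARNs."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowCrossAccountUser",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user}"},
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}


def identity_policy(bucket):
    """Identity-based policy for the user in the second account: no Principal,
    since the identity it is attached to is the principal."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "S3BucketAccess",
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
    }]}


def lint_bucket_policy(policy):
    """Findings a reviewer raises before applying a bucket policy: a statement
    without a Principal, a wildcard Principal (public bucket), or an Allow of
    s3:* that carries no Condition element."""
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal is None:
            findings.append(f"{sid}: no Principal in a resource-based policy")
        elif principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: wildcard Principal (bucket would be public)")
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") == "Allow" and "s3:*" in actions and "Condition" not in st:
            findings.append(f"{sid}: s3:* allowed without a Condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(bucket_policy(BUCKET, ACCOUNT_ID, USER), indent=2))
    print(lint_bucket_policy(bucket_policy(BUCKET, ACCOUNT_ID, USER)))
```

Run as-is it prints the bucket policy and one finding: the chapter's policy grants s3:* with no Condition, which is where the conditional elements mentioned above would go.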
