[AWS][Security] S3 Bucket Policy

In the previous experiment, "IAM Policy", we saw that policies can be attached to IAM users so that each user is granted only specific permissions on specific resources, and that policy variables let one policy adapt to each user. In some scenarios, however, the permission needs to be granted on the resource itself. For example, we may want to share the objects in an S3 bucket, or the bucket itself, with another AWS account or with an IAM user in that account. For this we create a resource-based policy.
An S3 bucket policy and an IAM user policy look very similar, and both are written in JSON. The difference is that a bucket policy must specify a Principal, the account, user, service, or other entity that is granted (or denied) the actions on the resources named in the statement, whereas an IAM user policy is attached to the user and needs no Principal.

The following is an example of an S3 bucket policy (Account-ID is a placeholder for the 12-digit AWS account ID, and arn:aws-cn is the partition used by the China regions):

{
    "Version":"2012-10-17",
    "Id":"ExamplePolicy01",
    "Statement":[
        {
            "Sid":"ExampleStatement01",
            "Effect":"Allow",
            "Principal":{
                "AWS":"arn:aws-cn:iam::Account-ID:user/Dave"
            },
            "Action":[
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListBucket"
            ],
            "Resource":[
                "arn:aws-cn:s3:::examplebucket/*",
                "arn:aws-cn:s3:::examplebucket"
            ]
        }
    ]
}

Let's try this out with an experiment.

Task1: Create a bucket policy

Create a bucket policy that makes all objects in the S3 bucket public, so that anyone can read them. By default the objects in a bucket are private, and the bucket's Block Public Access settings reject any policy that would make them public, so we must first relax those settings.
Proceed as follows. Pick a bucket (awsdemo2018 in this example), open its "Permissions" tab, click "Public Access Settings", then "Manage Public Bucket Policies", then "Edit". Untick "Block new public bucket policies" and "Block public and cross-account access if bucket has public policies", then save. Relax these settings only on a bucket that is meant to serve public content; everywhere else they should stay on, because they are the safety net that stops a mistaken policy from exposing data.

Click "Bucket policy" and add a policy that grants s3:GetObject on the bucket. The bucket named in the Resource ARN must be the bucket the policy is attached to; S3 rejects a bucket policy whose resources belong to a different bucket. The example policy is below (awsdemo2018 is the bucket used in this experiment):

{
    "Version":"2012-10-17",
    "Statement":[
        {
            "Sid":"AddPerm",
            "Effect":"Allow",
            "Principal":"*",
            "Action":[
                "s3:GetObject"
            ],
            "Resource":[
                "arn:aws-cn:s3:::awsdemo2018/*"
            ]
        }
    ]
}

After the policy is saved, the console shows a warning that the bucket is public.

Now pick an existing object in the bucket, or upload one, and click its "Link": the object can be fetched from anywhere on the Internet.

Under this policy anyone who has the link can read the objects. If an application wants an anti-hotlinking measure, for example to let its images be embedded only from its own site and not from other sites, the Condition element of the bucket policy can restrict requests by the HTTP Referer header (the condition key is aws:Referer).

Example:
Upload an image, such as web.png, to the awsdemo2018 bucket. Create a second bucket, awstemp2018, and make it public following the steps and policy above. Create a file test.html locally that loads the image web.png from the awsdemo2018 bucket, and upload test.html to the awstemp2018 bucket.

For the anti-hotlink design, set a bucket policy on awsdemo2018 that allows the image to be fetched only when the request carries a Referer beginning with https://s3.cn-north-1.amazonaws.com.cn/; a request without that Referer gets an error. Concretely:
In the awsdemo2018 bucket policy, add a Condition with the StringLike operator on the aws:Referer key, using the origin site's address as the pattern. The example policy is:

{
    "Version":"2012-10-17",
    "Id":"http referer policy example",
    "Statement":[
        {
            "Sid":"Allow get requests originating from www.example.com and example.com.",
            "Effect":"Allow",
            "Principal":"*",
            "Action":"s3:GetObject",
            "Resource":"arn:aws-cn:s3:::awsdemo2018/*",
            "Condition":{
                "StringLike":{
                    "aws:Referer":"https://s3.cn-north-1.amazonaws.com.cn/*"
                }
            }
        }
    ]
}

After saving the policy, fetching web.png from the awsdemo2018 bucket directly by its link returns an Access Denied error.

But loading the image through the test.html page in the awstemp2018 bucket succeeds.

Analysis:
When test.html in the awstemp2018 bucket is opened from the public network (its link is https://s3.cn-north-1.amazonaws.com.cn/awstemp2018/test.html), the page loads web.png from the awsdemo2018 bucket, and the browser sends a Referer header with that request. Its value is the site test.html was served from, https://s3.cn-north-1.amazonaws.com.cn/, which the browser's developer tools show and which matches the pattern in the policy's Condition, so the image loads. A direct request for the image carries no Referer, so no statement allows it and S3 returns Access Denied.

In production the Referer pattern would be our own domain name, so that other sites cannot simply embed our objects. Note, though, that the Referer header is set by the client: any caller can send an arbitrary value (for example with curl -H "Referer: https://our-domain/"), and browsers omit it under a strict referrer policy, so this is a deterrent against casual hotlinking, not an access control. When access genuinely must be restricted, keep the objects private and hand out pre-signed URLs instead.
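To check the behaviour described in Task 1 and in the Referer experiment without an AWS account, here is an added example (my code, not code from the original post or from AWS): a small Python evaluator for the slice of bucket-policy semantics these two experiments use. It replays Task 1's public policy and the Referer policy against constructed requests: the direct fetch, the fetch from test.html, a fetch from another site, and a request that simply forges the Referer header. The bucket and file names are the post's; the request contexts are constructed, and real IAM evaluation involves more than this (identity policies, Block Public Access, many more condition operators).

```python
"""Replay this experiment's bucket policies against sample requests.

Added example, not code from the original post or from AWS. It models only the slice
of IAM evaluation the experiment uses: Allow/Deny, a "*" or account/user Principal,
Action/Resource wildcards, and StringEquals/StringLike conditions on request-context
keys such as aws:Referer. Explicit Deny wins; a request matching no Allow is denied.
"""
import json
import re

# Constructed copies of the two policies from the post (bucket awsdemo2018 as in the post).
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject"],
                 "Resource": ["arn:aws-cn:s3:::awsdemo2018/*"]}]
}""")

REFERER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AllowGetWithOwnReferer", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws-cn:s3:::awsdemo2018/*",
                 "Condition": {"StringLike": {
                     "aws:Referer": "https://s3.cn-north-1.amazonaws.com.cn/*"}}}]
}""")

IMAGE = "arn:aws-cn:s3:::awsdemo2018/web.png"   # the object fetched in the experiment


def _as_list(value):
    return value if isinstance(value, list) else [value]


def iam_glob(pattern, value):
    """IAM string matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def _principal_matches(principal, caller):
    """caller is an IAM ARN, or the string "anonymous" for an unsigned request."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        allowed = _as_list(principal.get("AWS", []))
        return "*" in allowed or caller in allowed
    return False


def _condition_holds(condition, context):
    """Every operator/key pair must match; a key absent from the request never matches."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            value = context.get(key)
            if value is None:
                return False
            if operator == "StringLike":
                ok = any(iam_glob(p, value) for p in _as_list(patterns))
            elif operator == "StringEquals":
                ok = value in _as_list(patterns)
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policy, caller, action, resource, context=None):
    """Return "Allow" or "Deny" for one request against one bucket policy."""
    context = context or {}
    decision = "Deny"                                  # implicit deny
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(iam_glob(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(iam_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                              # explicit deny always wins
        decision = "Allow"
    return decision


def run_experiment():
    """Replay the requests described in the post plus one forged-Referer request (constructed)."""
    from_test_html = {"aws:Referer": "https://s3.cn-north-1.amazonaws.com.cn/awstemp2018/test.html"}
    from_other_site = {"aws:Referer": "https://other.example/page.html"}
    forged = {"aws:Referer": "https://s3.cn-north-1.amazonaws.com.cn/"}   # e.g. curl -H "Referer: ..."
    get = "s3:GetObject"
    return {
        "public_direct": evaluate(PUBLIC_POLICY, "anonymous", get, IMAGE),            # Task 1: link is enough
        "referer_direct": evaluate(REFERER_POLICY, "anonymous", get, IMAGE),          # no Referer -> Access Denied
        "referer_from_test_html": evaluate(REFERER_POLICY, "anonymous", get, IMAGE, from_test_html),
        "referer_from_other_site": evaluate(REFERER_POLICY, "anonymous", get, IMAGE, from_other_site),
        "referer_forged": evaluate(REFERER_POLICY, "anonymous", get, IMAGE, forged),  # header is client-chosen
    }


if __name__ == "__main__":
    for name, decision in run_experiment().items():
        print(f"{name:24} {decision}")
```

The forged case is the point of the caveat: S3 cannot tell a browser on the origin site from a client that set the header itself, so the policy distinguishes only cooperative clients. The evaluator also shows why the direct link fails: the only statement is conditional, so a request without the key matches nothing and falls to the implicit deny.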
Bucket policies support many other conditions, such as restricting access by the requester's IP address or granting access only from a specific VPC. Hopefully this experiment makes those easy to generalize to. For more, see: https://docs.aws.amazon.com/zh_cn/AmazonS3/latest/dev/example-bucket-policies.html

Detailed video tutorial: https://edu.51cto.com/center/course/lesson/index?id=533835

Origin blog.csdn.net/u010478127/article/details/106853166