Amazon Web Services (AWS) makes it easy to set basic permissions for its Simple Storage Service (S3) buckets via the AWS console.
Sometimes, however, you need more control over bucket permissions than the basic permission checkboxes can provide. In those situations you can create a bucket policy.
Bucket policies are JSON documents. Although the AWS documentation includes instructions for writing such policy files, creating one from scratch can be difficult, and you don't have to: AWS offers a policy generator tool that builds the policy for you.
Log in to the AWS console and go to the S3 service. Click the bucket for which you want to create the policy. A pop-up appears when you click the bucket; as shown in Figure 1, it lists the bucket's properties, permissions, and management attributes.
Figure 1: The pop-up lists the bucket's properties and management attributes. Take note of the Copy Bucket ARN button, which appears in the blue section of this pop-up window just below the bucket name. The ARN is the Amazon Resource Name: a string that uniquely identifies the bucket.
Now click the Copy Bucket ARN button, which copies the ARN to your clipboard, and close the pop-up window.
Go to the console's Services list and click IAM; it is located in the Security, Identity, and Compliance section. In the console tree on the left, click Policies. As shown in Figure 2, the screen lists all existing policies.
Figure 2: The Policies screen lists all existing policies. Next, click the Create Policy button at the top of the screen, as shown in the figure. This opens the Create Policy console. As Figure 3 shows, the console is divided into three sections: Policy Generator, Copy an AWS Managed Policy, and Create Your Own Policy.
Figure 3: The console is divided into three sections: Policy Generator, Copy an AWS Managed Policy, and Create Your Own Policy. Click the Select button in the Policy Generator section. This takes you to the Edit Permissions screen shown in Figure 4, where you set the attributes of the policy you are creating.
Figure 4: In the Edit Permissions screen, you enter your policy criteria. Understanding this interface is key to understanding how a policy file is put together. A policy file can contain a single statement or several. The elements shown in the figure are what make up one statement: fill in the information and click the Add Statement button, then repeat the process for each additional statement. Once you are done, click the Next Step button.
A statement is made up of four elements. The first is the Effect, which determines whether the statement grants permission (Allow) or prevents an action (Deny).
The second element is AWS Service, which lets you choose the service the statement applies to. For a storage bucket policy, AWS Service must be set to Amazon S3.
The third element is the Action. For an S3 bucket, the available actions include AbortMultiPartUpload, CreateBucket, and DeleteBucket; Figure 5 shows how to select them.