Scalable S3 Fine Grain Access Control

Overview

  • Why we need AWS S3 fine-grained access control
  • Which S3 and IAM security features are available to support least privilege and separation of duties
  • S3 FGAC in the context of AWS Transfer for SFTP

Individual Level Data Access

We need fine-grained access control to protect data: a given piece of data should be accessible only to the specific users who need it. This is especially true for shared data sets in a centralized enterprise solution, where the typical requirements are:

  • A subset of the data is shared across multiple apps
  • A subset of the data is scoped to a specific app only
  • The admin manages the solution control plane only and has no view of any data

S3 IAM Features

In terms of S3 access control, AWS provides rich features:

  • S3 access control lists (ACLs)
  • IAM Policy
  • Bucket Policy
  • S3 Access Point
  • S3 Access Point Alias
  • IAM Permission Boundary

S3 Access Points Examples

By combining an IAM role, a bucket policy and an access point policy, we can effectively lock down access so that it only goes through the access point, and each application team gets its own customized access point policy. The bucket policy delegates access to access points owned by the account (via the s3:DataAccessPointAccount condition), and each access point policy then scopes what its team can read.

Bucket policy:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<my account>:role/<my role>"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<my bucket>/prefix/*",
      "Condition": {
        "StringEquals": {
          "s3:DataAccessPointAccount": "<my account>"
        }
      }
    }
  ]
}

Access point policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<my account>:role/<my role>"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:us-east-1:<my account>:accesspoint/<my access point>/object/<my prefix>/*"
    }
  ]
}

IAM role (S3AccessPointRole) permissions:

{
  "Version": "2012-10-17",
  "Statement": {
    "Action": [
      "s3:GetAccessPoint",
      "s3:ListAllMyBuckets",
      "s3:ListAccessPoints",
      "s3:ListBucket",
      "s3:HeadBucket"
    ],
    "Resource": "*",
    "Effect": "Allow"
  }
}

Trusted entities (trust policy of the role):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<other account>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Permissions (for the principal in the other account that assumes the role):

{
  "Version": "2012-10-17",
  "Statement": {
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<local account id>:role/S3AccessPointRole",
    "Effect": "Allow"
  }
}

S3 Access Point Validation

When the same object is requested directly by bucket name instead of through the access point, the request is denied:

<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>H4G9X3Q2PQ...</RequestId>
<HostId>VtHp88d3gM0+NT1rmuTZ0XWu/UglwHKsBOIKn97KvIenxSoUUD3yJJUmZ+ce....</HostId>
</Error>

AWS Transfer and S3 Access Points

When you use a shared S3 bucket for your AWS Transfer Family service, you can put an S3 access point alias, instead of the bucket name, in the SFTP user's logical directory mapping. The example below maps /shared to a read-only access point whose policy denies writes and deletes to everyone.

Access point policy for the read-only access point:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": ["s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:region:123456789012:accesspoint/read-only-ap/object/*"
    }
  ]
}

Create the SFTP user with logical directory mappings (the /shared entry targets the access point alias rather than a bucket):

aws transfer create-user --server-id server-id --user-name ben --ssh-public-key-body key \
  --role role --home-directory-type LOGICAL --home-directory-mappings \
  '[{"Entry": "/", "Target": "/bucket-name/external/ben"},
    {"Entry": "/ben", "Target": "/bucket-name/external/ben"},
    {"Entry": "/shared", "Target": "/read-only-ap-METADATA-s3alias/shared"}]'

The general form of the command:

aws transfer create-user --server-id <server-id> --user-name <username> --home-directory-type LOGICAL --home-directory-mappings Entry='/',Target='/bucket/folder' --role <iam-role-arn>
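The mapping above is easy to get wrong (a bucket name where the alias should be, or an Entry that shadows another). The following is an added example, not code from the original post or from AWS: it builds the mapping list that create-user takes in --home-directory-mappings, rejects a shared target that is not an access point alias (real aliases always end in "-s3alias"), and resolves an SFTP path to the S3 location it will land in. The bucket, alias and user names are constructed placeholders, and longest-matching-Entry resolution is this example's assumption about how the mapping behaves, not a statement from the post.

```python
# Added example (not from the original post): build and sanity-check the
# logical directory mapping for an AWS Transfer SFTP user.
import json

BUCKET = "my-bucket"                          # constructed placeholder
SHARED_ALIAS = "read-only-ap-abc123-s3alias"  # constructed; use the alias S3 returns


def build_mappings(user, bucket=BUCKET, shared_alias=SHARED_ALIAS):
    """Return the mapping list for one user: private home, a named entry for
    it, and a read-only shared area reached through an access point alias."""
    if not shared_alias.endswith("-s3alias"):
        # Access point aliases end in "-s3alias"; a bare bucket name here would
        # bypass the read-only access point policy entirely.
        raise ValueError("shared target must be an access point alias, not a bucket")
    return [
        {"Entry": "/", "Target": f"/{bucket}/external/{user}"},
        {"Entry": f"/{user}", "Target": f"/{bucket}/external/{user}"},
        {"Entry": "/shared", "Target": f"/{shared_alias}/shared"},
    ]


def resolve(mappings, sftp_path):
    """Map an absolute SFTP path to (bucket_or_alias, object_key) using the
    longest matching Entry (assumption of this example). None if no match."""
    best = None
    for m in mappings:
        entry = m["Entry"]
        if entry == "/":
            rest = sftp_path.lstrip("/")
        elif sftp_path == entry or sftp_path.startswith(entry + "/"):
            rest = sftp_path[len(entry):].lstrip("/")
        else:
            continue
        if best is None or len(entry) > len(best[0]):
            best = (entry, m["Target"], rest)
    if best is None:
        return None
    _, target, rest = best
    head, _, prefix = target.lstrip("/").partition("/")
    key = "/".join(part for part in (prefix, rest) if part)
    return head, key


if __name__ == "__main__":
    mappings = build_mappings("ben")
    # This JSON is what --home-directory-mappings receives on the CLI.
    print(json.dumps(mappings))
    for path in ("/ben/data.csv", "/shared/report.csv", "/notes.txt"):
        print(path, "->", resolve(mappings, path))
```

Run it with the real alias substituted for SHARED_ALIAS and compare the printed targets with what you expect before creating users; the ValueError on a non-alias target is the check that keeps the shared area behind the read-only access point.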
The IAM permissions boundary closes the loop on the admin side: a delegated administrator may create roles and policies for their own app, but only with the pre-defined boundary attached, so they cannot grant themselves more than the boundary allows.

Delegated administrator policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SetPermissionsBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy"
      ],
      "Resource": "arn:aws:iam::<ACCOUNT_NUMBER>:role/MyTestApp*",
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::<ACCOUNT_NUMBER>:policy/<pre-defined-boundary>"
        }
      }
    },
    {
      "Sid": "CreateAndEditPermissionsPolicy",
      "Effect": "Allow",
      "Action": [
        "iam:CreatePolicy",
        "iam:CreatePolicyVersion",
        "iam:DeletePolicyVersion"
      ],
      "Resource": "arn:aws:iam::<ACCOUNT_NUMBER>:policy/MyTestApp*"
    }
  ]
}
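To see why the bucket-name request in the validation section is denied while the access point request succeeds, and why the delegated administrator cannot create a role without the boundary, it helps to walk the policies through a small evaluator. The following is an added example written for this post, not AWS code and not the real IAM engine: it models only what the policies above rely on (an explicit Deny wins, an Allow needs Principal, Action, Resource and Condition to all match, and StringEquals on a context key that is absent is false). A request made through an access point carries s3:DataAccessPointAccount; a request made with the bucket name does not. Account id, role, bucket, access point and boundary names are constructed placeholders.

```python
# Added example (not from the original post): a simplified model of IAM
# evaluation for the access point delegation and permissions boundary patterns.
import fnmatch

ACCOUNT = "111111111111"                                   # constructed
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/app-reader"       # constructed
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT}:role/delegated-admin" # constructed
BUCKET = "shared-data"                                     # constructed
AP_ARN = f"arn:aws:s3:us-east-1:{ACCOUNT}:accesspoint/app-ap"
BOUNDARY = f"arn:aws:iam::{ACCOUNT}:policy/AppBoundary"    # constructed

# Bucket policy: delegates reads under prefix/ to access points in this account.
BUCKET_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/prefix/*",
    "Condition": {"StringEquals": {"s3:DataAccessPointAccount": ACCOUNT}}}]}
# Access point policy: the team's own grant, scoped to its prefix.
AP_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "s3:GetObject",
    "Resource": f"{AP_ARN}/object/prefix/*"}]}
# Delegated-admin identity policy: CreateRole only with the pre-defined boundary.
ADMIN_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy"],
    "Resource": f"arn:aws:iam::{ACCOUNT}:role/MyTestApp*",
    "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(stmt, principal, action, resource, context):
    p = stmt.get("Principal")                       # absent in identity policies
    if p is not None and p != "*" and principal not in _as_list(p.get("AWS", [])):
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    cond = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(k) == v for k, v in cond.items())   # missing key -> False


def evaluate(checks, principal, action, context=None):
    """checks: list of (policy, resource ARN that policy is evaluated against).
    Every listed policy must allow and none may explicitly deny. IAM applies
    that rule to access point policy + bucket policy, and to identity policy +
    permissions boundary; it is what this model implements."""
    context = context or {}
    for policy, resource in checks:
        allowed = False
        for stmt in _as_list(policy["Statement"]):
            if _matches(stmt, principal, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
        if not allowed:
            return "Deny"                           # implicit deny
    return "Allow"


def direct_bucket_read(key="prefix/report.csv"):
    """Request made with the bucket name: no access point context key, so the
    bucket policy's condition fails and nothing else grants the read."""
    obj = f"arn:aws:s3:::{BUCKET}/{key}"
    return evaluate([(BUCKET_POLICY, obj)], ROLE_ARN, "s3:GetObject")


def access_point_read(key="prefix/report.csv"):
    """Same object through the access point: the access point policy is checked
    against the access point object ARN, the bucket policy against the bucket."""
    ap_obj, obj = f"{AP_ARN}/object/{key}", f"arn:aws:s3:::{BUCKET}/{key}"
    ctx = {"s3:DataAccessPointAccount": ACCOUNT}
    return evaluate([(AP_POLICY, ap_obj), (BUCKET_POLICY, obj)],
                    ROLE_ARN, "s3:GetObject", ctx)


def create_role(role_name, boundary=None):
    """Delegated admin creating a role; iam:PermissionsBoundary carries the
    boundary ARN supplied in the request, or nothing if none was supplied."""
    ctx = {"iam:PermissionsBoundary": boundary} if boundary else {}
    return evaluate([(ADMIN_POLICY, f"arn:aws:iam::{ACCOUNT}:role/{role_name}")],
                    ADMIN_ARN, "iam:CreateRole", ctx)


if __name__ == "__main__":
    print("direct bucket read:        ", direct_bucket_read())
    print("access point read:         ", access_point_read())
    print("access point, other prefix:", access_point_read("other/x.csv"))
    print("create role with boundary: ", create_role("MyTestApp-api", BOUNDARY))
    print("create role, no boundary:  ", create_role("MyTestApp-api"))
```

The useful property to notice is that the bucket policy never names an access point: any access point in the account can be granted, and each team's access point policy does the narrowing. The same shape (condition key that only a compliant request carries) is what makes the permissions boundary enforceable.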

References

https://aws.amazon.com/about-aws/whats-new/2021/07/amazon-s3-access-points-aliases-allow-application-requires-s3-bucket-name-easily-use-access-point/

Cloud Journey

All blogs are strictly personal and do not reflect the views of my employer, focus on cloud networking, cloud security and API security.