Bucket and Group Access Policies

The Deka Box service in the Cloudeka Service Portal uses the Amazon Web Services (AWS) policy language to control the access that S3 tenants have to buckets and to the objects in them. The service implements a portion of the S3 REST API policy language, so before relying on an action or condition key copied from AWS documentation, confirm that it belongs to the supported subset. Access policies for the S3 API are written in JSON, which lets you manage permissions and access rights in a structured and detailed way that matches the security and data-management needs of a distributed storage environment. There are two types of access policy:

  1. Bucket policy, configured using the S3 API operations GET Bucket policy, PUT Bucket policy, and DELETE Bucket policy. A bucket policy is attached to a bucket and controls the access that users in the bucket owner's account, or in other accounts, have to that bucket and the objects in it. A bucket policy applies to only one bucket but can grant access to multiple groups.

  2. Group policy, configured using the Tenant Manager or the Tenant Manager API. A group policy is attached to a group within an account and lets that group access certain resources owned by the account. A group policy applies to only one group but can cover multiple buckets.

Each policy contains a series of policy statements, and each statement contains the following elements:

  1. Statement ID (Sid) is an optional element that assigns a unique identifier to each statement in the policy, which makes the statement easier to track and reference when you manage complex policies. Example of using Sid in the editor: "Sid": "Statement1"

  2. Effect determines whether the actions specified in the statement are permitted or denied: use "Allow" to permit them and "Deny" to refuse them. An explicit "Deny" overrides any "Allow" that matches the same request, and a request matched by no statement at all is denied. Example of using Effect in the editor: "Effect": "Allow"

  3. Principal/NotPrincipal determines which users the statement applies to. The Principal value "*" means everyone, including anonymous (unauthenticated) requests, so use it only for content that is meant to be public; otherwise name the users or groups that are allowed to access the resource. To identify a user in Principal you need its Canonical User ID (Con ID); contact us to find out the Con ID to use. NotPrincipal is the opposite of Principal: it names the entities the statement does not apply to, and is used when you want to exclude certain entities from a policy. Pair NotPrincipal with "Deny" rather than "Allow", because an "Allow" statement with NotPrincipal grants the permission to everyone except the listed entities. The following is an example of using Principal and NotPrincipal:

a. Principal: "Principal": "*"

b. NotPrincipal: "NotPrincipal": { "AWS": "arn:aws:iam::123456789012:user/specificUser" }

  4. Resource/NotResource. Resource determines which resources the statement protects. Refer to the bucket by its ARN (Amazon Resource Name): arn:aws:s3:::bucket-name addresses the bucket itself and is what bucket-level actions such as s3:ListBucket need, while arn:aws:s3:::bucket-name/* addresses the objects in the bucket and is what object-level actions such as s3:GetObject need. NotResource excludes certain resources from the statement. The following is an example of using Resource and NotResource:

a. Resource: "Resource": "arn:aws:s3:::my-bucket"

b. NotResource: "NotResource": "arn:aws:s3:::my-bucket/private/*"

  5. Action/NotAction. Action defines the specific actions that the statement permits or denies. Commonly used actions are "s3:GetObject" to download an object, "s3:PutObject" to upload an object to the bucket, "s3:ListBucket" to list the objects in the bucket, and "s3:DeleteObject" to delete an object. NotAction excludes certain actions from the statement; for example, "NotAction": "s3:DeleteObject" in an "Allow" statement grants every action except deletion, so check that the remaining actions are really all intended. The following is an example of using Action and NotAction:

a. Action: "Action": ["s3:GetObject", "s3:ListBucket"]

b. NotAction: "NotAction": "s3:DeleteObject"

  6. Condition is an optional element that specifies the circumstances under which the statement applies, such as attributes of the request; which condition keys are honoured depends on the supported subset of the policy language.

The following example shows a complete bucket policy statement that uses the "Allow" Effect to give two principals, the admin group (federated-group/admin) and the finance group (federated-group/finance), permission to perform the action s3:ListBucket on the bucket named mybucket and the action s3:GetObject on all objects in that bucket. The bucket-level action is granted on the bucket ARN and the object-level action on the bucket/* ARN; both entries use the arn:aws:s3::: form described under Resource above.

{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::27233906934684427525:federated-group/admin",
          "arn:aws:iam::27233906934684427525:federated-group/finance"
        ]
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::mybucket",
        "arn:aws:s3:::mybucket/*"
      ]
    }
  ]
}
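To make the semantics of the six statement elements and of the bucket policy above concrete, here is an added example (not Cloudeka's code, and not the policy engine Deka Box actually runs): a small evaluator that applies the S3 decision order (explicit Deny wins, then Allow, otherwise implicit deny) to the Principal/NotPrincipal, Action/NotAction and Resource/NotResource forms, plus a check that flags statements granting access to everyone. The account ID, group names, bucket name and the private/ prefix are placeholders; the second policy, the Condition handling and the optional boto3 upload helper are this example's own assumptions.

```python
# Added example (not Cloudeka's code): evaluator for the policy elements above.
import fnmatch
import json

ACCOUNT = "27233906934684427525"  # placeholder tenant account ID from the page's example
ADMIN = f"arn:aws:iam::{ACCOUNT}:federated-group/admin"
FINANCE = f"arn:aws:iam::{ACCOUNT}:federated-group/finance"

# Constructed sample: the page's read-only policy plus a Deny on a private prefix.
BUCKET_POLICY = {
    "Statement": [
        {
            "Sid": "ReadForAdminAndFinance",
            "Effect": "Allow",
            "Principal": {"AWS": [ADMIN, FINANCE]},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
        },
        {
            "Sid": "NoPrivatePrefixForFinance",
            "Effect": "Deny",
            "Principal": {"AWS": FINANCE},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/private/*",
        },
    ]
}

# Constructed sample using NotPrincipal: the Allow is public, and the Deny with
# NotPrincipal strips the right from everyone who is not the admin group.
DELETE_POLICY = {
    "Statement": [
        {"Sid": "AnyoneDeletes", "Effect": "Allow", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::mybucket/*"},
        {"Sid": "OnlyAdminReally", "Effect": "Deny", "NotPrincipal": {"AWS": ADMIN},
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::mybucket/*"},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(spec):
    """Normalise "*" or {"AWS": ...} into a list of ARN patterns."""
    if isinstance(spec, dict):
        return _as_list(spec.get("AWS", []))
    return _as_list(spec)


def _matches(patterns, value):
    # IAM-style wildcard matching: "*" in a pattern matches any run of characters.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_applies(stmt, principal, action, resource):
    """Does this statement cover the request? Handles both the X and NotX forms."""
    if "Condition" in stmt:
        raise NotImplementedError("Condition keys are not modelled in this example")
    p_ok = (_matches(_principals(stmt["Principal"]), principal) if "Principal" in stmt
            else not _matches(_principals(stmt["NotPrincipal"]), principal))
    a_ok = (_matches(stmt["Action"], action) if "Action" in stmt
            else not _matches(stmt["NotAction"], action))
    r_ok = (_matches(stmt["Resource"], resource) if "Resource" in stmt
            else not _matches(stmt["NotResource"], resource))
    return p_ok and a_ok and r_ok


def evaluate(policy, principal, action, resource):
    """S3 decision order: an explicit Deny always wins, then Allow, else implicit deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not statement_applies(stmt, principal, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def public_statements(policy):
    """Sids of Allow statements whose Principal is "*", i.e. anonymous access."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in _principals(s.get("Principal", []))]


def put_bucket_policy(endpoint_url, bucket, policy, access_key, secret_key):
    """Apply a policy with the S3 API's PUT Bucket policy operation. Assumes boto3 is
    installed and that endpoint_url is your bucket's S3-compatible endpoint."""
    import boto3  # imported lazily so the evaluator above runs without it
    s3 = boto3.client("s3", endpoint_url=endpoint_url,
                      aws_access_key_id=access_key, aws_secret_access_key=secret_key)
    return s3.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


if __name__ == "__main__":
    obj = "arn:aws:s3:::mybucket/private/q1.xlsx"
    print(evaluate(BUCKET_POLICY, FINANCE, "s3:GetObject", obj))  # Deny
    print(evaluate(BUCKET_POLICY, ADMIN, "s3:GetObject", obj))    # Allow
    print(public_statements(DELETE_POLICY))                       # ['AnyoneDeletes']
```

Run public_statements over any policy before you save it from the editor: an "Allow" with "Principal": "*" is how a bucket becomes readable (or, as in DELETE_POLICY, writable) by anyone on the internet, and the Deny/NotPrincipal pattern shows why an exclusion should be expressed as a Deny rather than as an Allow with NotPrincipal.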