Bucket and Group Access Policies
The Deka Box service in the Cloudeka Service Portal uses the Amazon Web Services (AWS) policy language to control the access of S3 tenants to buckets and the objects in them. It implements a portion of the S3 REST API policy language. Access policies for the S3 API are written in JSON, so permissions and access rights can be managed in a structured, fine-grained way that matches the security and data-management needs of a distributed storage environment. Two types of access policy can be used:
Bucket policies are configured using the S3 API operations GET Bucket policy, PUT Bucket policy, and DELETE Bucket policy. A bucket policy is attached to a bucket and controls access to that bucket and the objects in it by users in the bucket owner's account or in other accounts. A bucket policy applies to exactly one bucket and may cover multiple groups.
Group policies are configured using the Tenant Manager or the Tenant Manager API. A group policy is attached to a group within an account and grants that group access to specific resources owned by the account. A group policy applies to exactly one group and may cover multiple buckets.
Each policy contains a series of policy statements, and each statement contains the following elements:
Statement ID (Sid) is an optional element that assigns a unique identifier to each statement in the policy, which makes statements easier to track and reference when managing complex policies. Example of using Sid in the editor: "Sid": "Statement1"
Effect determines whether the actions specified in the statement are permitted or denied: use "Allow" to permit them and "Deny" to deny them. Example of using Effect in the editor: "Effect": "Allow"
Principal/NotPrincipal. Principal identifies the users who are allowed to perform the actions named in the statement. The value "*" grants access to all users (public); otherwise the value names the user who may access the resource. Identifying a user in Principal requires a Canonical User ID (Con ID); contact us to find out the Con ID to use. NotPrincipal is the opposite of Principal: it names the entities that are not granted access to the resource, and is used to exclude specific entities from a permission statement. The following is an example of using Principal and NotPrincipal:
a. Principal: "Principal": "*"
b. NotPrincipal: "NotPrincipal": { "AWS": "arn:aws:iam::123456789012:user/specificUser" }
Resource/NotResource. Resource specifies the resources that the statement protects; it must be given as an ARN (Amazon Resource Name) or in the corresponding format for referring to the bucket. NotResource excludes specific resources from the statement. The following is an example of using Resource and NotResource:
a. Resource: "Resource": "arn:aws:s3:::my-bucket"
b. NotResource: "NotResource": "arn:aws:s3:::my-bucket/private/*"
Action/NotAction. Action defines the specific operations that the statement permits or denies. Commonly used actions are "s3:GetObject" to download an object, "s3:PutObject" to upload an object to the bucket, and "s3:ListBucket" to list the objects in the bucket. NotAction excludes specific operations from the permission granted by the statement; a common example is "s3:DeleteObject", which deletes an object. The following is an example of using Action and NotAction:
a. Action: "Action": ["s3:GetObject", "s3:ListBucket"]
b. NotAction: "NotAction": "s3:DeleteObject"
Condition is an optional element that specifies the circumstances under which the statement applies.
The following example shows a complete bucket policy statement that uses the "Allow" Effect to grant two Principals, the admin group federated-group/admin and the finance group federated-group/finance, permission to perform the Action s3:ListBucket on the named bucket mybucket and the Action s3:GetObject on all objects in that bucket.
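The statement described above, written out as an added example (not the portal's own code) together with a small Python evaluator for its Effect, Principal, Action and Resource elements. ACCOUNT_ID is a placeholder for the tenant account ID that appears in the group ARNs. The evaluator also handles the NotPrincipal, NotAction and NotResource variants and the implicit-deny rule, going a little beyond the single statement in the text.

```python
import fnmatch

# Added example, not from the page: the bucket policy statement described
# above plus a minimal evaluator for its elements. ACCOUNT_ID is a
# placeholder for the tenant account ID used in the group ARNs.
BUCKET_POLICY = {
    "Statement": [{
        "Sid": "AllowAdminFinanceRead",
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::ACCOUNT_ID:federated-group/admin",
            "arn:aws:iam::ACCOUNT_ID:federated-group/finance",
        ]},
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
    }]
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(spec):
    # "*" means every user (public); otherwise flatten {"AWS": ...} to ARNs.
    return ["*"] if spec == "*" else [a for v in spec.values() for a in _as_list(v)]

def _matches(stmt, key, value, flatten=_as_list):
    # Key must match ("*" and "?" are wildcards); NotKey must not match;
    # a statement without either element matches every value.
    if key in stmt:
        return any(fnmatch.fnmatchcase(value, p) for p in flatten(stmt[key]))
    if "Not" + key in stmt:
        return not any(fnmatch.fnmatchcase(value, p) for p in flatten(stmt["Not" + key]))
    return True

def evaluate(policy, principal, action, resource):
    """Return "Allow" or "Deny" for one request: an explicit Deny always wins,
    and a request matching no statement is implicitly denied (Condition not modelled)."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if (_matches(stmt, "Principal", principal, _principals)
                and _matches(stmt, "Action", action)
                and _matches(stmt, "Resource", resource)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision
```

Running evaluate(BUCKET_POLICY, principal, action, resource) for the finance group shows s3:GetObject on an object in mybucket allowed and s3:DeleteObject implicitly denied, because no statement grants it.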