
Edit S3 Bucket Policies

This guide explains how to manage access to your buckets and files. Bucket policies let you define security rules that apply to more than one file, whether all files or a subset of files in a bucket. First, run S3 Browser on your computer.

S3 Browser Icon

Make sure you have added a Deka Box account to S3 Browser; if not, follow this link for further explanation. On the S3 Browser page, press the Bucket button and select Edit Bucket Policy.

Edit Bucket Policy

Default Policy

The Bucket Policy Editor window appears. In this example, the "test-bucket" bucket currently permits anyone to retrieve objects and to list the objects in the S3 bucket.

Default Bucket Policy

The following is an explanation of the elements used in the Bucket Policy Editor above.

  • In the Effect section

To permit the listed actions, use "Allow", so that the editor shows "Effect": "Allow". To forbid them, use "Deny", so that the editor shows "Effect": "Deny". An explicit Deny always takes precedence over an Allow that matches the same request.

Effect Section

  • In the Principal section

In the image below, the Principal section uses "*", which means anyone can access the "test-bucket" bucket. If you want to restrict access to specific users, you need their Con ID in this section. To find out the Con ID to use, you can contact us.

Principal Section

  • In the Action section

Here you list the actions the statement applies to. The available actions are described in the Specify Permissions in a Policy section.

Action Section

  • In the Resource section

This section defines the bucket, and where required the objects within it, to which the statement's actions apply. The bucket itself (arn:aws:s3:::bucket-name) and its objects (arn:aws:s3:::bucket-name/*) are separate resources, so bucket-level actions such as listing need the bucket ARN and object-level actions need the object ARN.

Resource Section

Custom Bucket Policy

This section gives several examples of custom policies for buckets.

Restrict Access to Certain IP Address

This policy is required if you want to restrict access to a bucket to a specific IP address range. Add a "Condition" element and include the IP address range that is allowed to access the bucket. Because the statement denies every principal ("*") outside the range, make sure the address you are applying the policy from is inside the range, or you will lock yourself out of the bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::your-bucket",
                "arn:aws:s3:::your-bucket/*"
            ],
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "192.0.2.0/24"
                }
            }
        }
    ]
}

Read and Write Access to Specific Users

This policy is required if you want to grant read and write permissions only to specific Deka Box users who access the S3 bucket. To use this policy, you need a Con ID in the Principal section: the Con ID identifies the user who is allowed to access the bucket, so contact the Cloudeka Team to find out the Con ID to use. The statement below grants only s3:GetObject and s3:PutObject on objects; any other action, such as listing or deleting, is not granted by it.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::con-id:user/user-name"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::your-bucket/*"
        }
    ]
}

Deny Access for Specific Users

This policy is required if you want to ensure that certain users cannot access certain buckets. For example, if another registered user must not access the content of bucket-2 for security reasons or organizational policy, this policy prevents that user from performing any action on the bucket or the objects in it. The Resource list names both the bucket and its objects, so listing the bucket and reading or writing its objects are all denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/user-ke2"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::bucket-2",
                "arn:aws:s3:::bucket-2/*"
            ]
        }
    ]
}
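To see how the statements above combine before you press Apply, here is an added example in Python (it is not part of this guide, S3 Browser or Deka Box). It models only the subset of the policy grammar used on this page (Effect, Principal as "*" or {"AWS": ...}, Action and Resource with "*" wildcards, and IpAddress/NotIpAddress conditions on aws:SourceIp) and is a simplification, not the service's real evaluator: it reports only what the bucket policy itself says, so a request nothing matches falls back to the caller's own permissions or the default deny. The sample policies and the account number 123456789012 (a stand-in for a Con ID) are constructed for the example. It also shows the practical check a reviewer wants: an IP restriction written only against bucket/* leaves bucket-level listing uncovered until the bucket ARN is added.

```python
import copy
import fnmatch
import ipaddress

# Constructed sample policies (not this guide's own text), shaped like the ones
# shown above. "123456789012" is a stand-in for a Deka Box Con ID.
PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::test-bucket", "arn:aws:s3:::test-bucket/*"]}]}
IP_RESTRICT = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::your-bucket/*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]}
ALLOW_USER = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/user-name"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::your-bucket/*"}]}
DENY_USER = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::123456789012:user/user-ke2"},
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::bucket-2", "arn:aws:s3:::bucket-2/*"]}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    # "*" matches everyone; otherwise the caller's ARN must be listed under "AWS".
    if principal == "*":
        return True
    return isinstance(principal, dict) and caller in _as_list(principal.get("AWS", []))


def _condition_matches(condition, source_ip):
    # Only IpAddress / NotIpAddress on aws:SourceIp are modelled here.
    if not condition:
        return True
    ip = ipaddress.ip_address(source_ip)
    for operator, values in condition.items():
        nets = [ipaddress.ip_network(n) for n in _as_list(values.get("aws:SourceIp", []))]
        in_range = any(ip in n for n in nets)
        if operator == "IpAddress" and not in_range:
            return False
        if operator == "NotIpAddress" and in_range:
            return False
    return True


def evaluate(policy, caller, action, resource, source_ip):
    """Verdict of this bucket policy alone for one request: 'ExplicitDeny' (a Deny
    matched; it overrides any Allow), 'Allow', or 'NoMatch' (nothing matched, so the
    request falls back to the caller's own permissions or the default deny)."""
    verdict = "NoMatch"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition"), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        verdict = "Allow"
    return verdict


def public_statements(policy):
    """Indexes of statements that grant access to everyone with no Condition."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow" and s["Principal"] == "*" and "Condition" not in s]


def with_bucket_arns(policy):
    """Copy of the policy in which every 'bucket/*' resource also names the bucket
    itself, so bucket-level actions such as s3:ListBucket are covered as well."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        resources = _as_list(stmt["Resource"])
        for r in list(resources):
            if r.endswith("/*") and r[:-2] not in resources:
                resources.append(r[:-2])
        stmt["Resource"] = resources
    return fixed


if __name__ == "__main__":
    alice, outside = "arn:aws:iam::123456789012:user/alice", "203.0.113.9"
    print(public_statements(PUBLIC_READ))  # [0]: the default policy is world-readable
    print(evaluate(IP_RESTRICT, alice, "s3:GetObject", "arn:aws:s3:::your-bucket/a.txt", outside))  # ExplicitDeny
    print(evaluate(IP_RESTRICT, alice, "s3:ListBucket", "arn:aws:s3:::your-bucket", outside))  # NoMatch: listing not covered
    print(evaluate(with_bucket_arns(IP_RESTRICT), alice, "s3:ListBucket", "arn:aws:s3:::your-bucket", outside))  # ExplicitDeny
```

Run it as a script to see the four checks, or paste a policy you are about to apply into one of the constants and call evaluate with the request you care about. The useful habit it encodes is to test the deny cases you intend (a user outside the range, the blocked user, listing as well as reading) rather than only the access you want to allow, and to treat any statement public_statements reports as a deliberate decision to expose data.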

Apply Bucket Policy

When you have finished configuring the policy, press the Apply button to save it to the bucket.

Apply Bucket Policy
