Module 5: IAM Permissions
You will learn how to delegate access control to access points.
Overview
To access your data in S3 through your Multi-Region Access Point, you need a user with permission to read and write objects to your new S3 buckets, or with permission to assume a role with access.
Assigning the AWS managed policy AmazonS3FullAccess permission to this user may be appropriate for a test account being used to complete this guide, and if you have this or AdministratorAccess you may wish to skip ahead to step 6.
Typically, it is more appropriate to use bucket and access point policies to provide more granular control. In this module, you will follow the recommended process to delegate access control to access points.
Time to complete
20 minutes
Implementation
5.1 - Configure a bucket to delegate permissions to access points
- In the AWS console, choose the arrow at the top right of the screen, and copy your 12- digit account number to a notepad (you will need this later).
- Navigate to the Amazon S3 console, in the left-hand navigation, choose Buckets and open it in a new tab. Then, select one of the buckets you previously created.
- In the Properties tab of the bucket, copy the ARN of the bucket to a notepad.
5.2 - Bucket policy
- In the Permissions tab of the bucket, scroll to the Bucket policy section, which will be blank. Select Edit.
- Copy and paste the following bucket policy, inserting your bucket ARN and Multi-Region Access Point ARN, as noted earlier from the access point properties, in the relevant sections (replacing the text inside the <angle brackets>).
- This policy allows all users access to the bucket and its contents, provided the access is via your new access point.
- Note: For an application or user to be able to access objects through an access point, both the access point and the underlying bucket must permit the request. With access control delegated to the access point, you will configure granular permissions there. Block public access still applies, therefore only authenticated access will be permitted.
- This policy allows all users access to the bucket and its contents, provided the access is via your new access point.
{
"Version": "2012-10-17",
"Statement" : [
{
"Effect": "Allow",
"Principal" : { "AWS": "*" },
"Action" : "*",
"Resource" : [
"<BucketARN>",
"<BucketARN>/*"
],
"Condition": {
"StringEquals" : { "s3:DataAccessPointArn" : "<MultiRegionAccessPoint_ARN>"}
}
}]
}
5.3 - Repeat for your other buckets
- Then, select Save changes.
- Repeat the previous steps to apply the policy template to all the other buckets you created for this guide, updating the bucket ARN accordingly for each.
5.4 - (Optional) Configure access point permissions
- If you wish to restrict access to your Multi-Region Access Point, follow this optional step.
- Switch back to the browser tab with your Multi-Region Access Point open. If you need to re-open this, in the Amazon S3 console, choose Multi-Region Access Points. Then, select the name of your Multi-Region Access Point to configure additional settings.
- Switch back to the browser tab with your Multi-Region Access Point open. If you need to re-open this, in the Amazon S3 console, choose Multi-Region Access Points. Then, select the name of your Multi-Region Access Point to configure additional settings.
- From the properties of your new Multi Region Access Point, select the Permissions tab and scroll to the Multi-Region Access Point policy section, which will be blank. Select Edit.
- Copy and paste the following bucket policy, inserting your account ID, user name, and Multi-Region Access Point ARN in the relevant sections (replacing the text inside the <angle brackets>). This policy example provides the named user with permission to use this access point to carry out all supported Amazon S3 operations.
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS":"arn:aws:iam::123456789012:user/JohnDoe"
},
"Action":[
"s3:ListBucket",
"s3:GetObject"
],
"Resource":[
"MultiRegionAccessPoint_ARN",
"MultiRegionAccessPoint_ARN/object/*"
]
}
]
}
- Then, select Save changes.
- For more information, see Multi-Region Access Points permissions.
- For more information, see Multi-Region Access Points permissions.
Conclusion
In this module, you learned how to delegate access control to access points.
You are now ready to use your Multi-Region Access Point to access data in your buckets.