How to Generate S3 Policies and Manage S3 Bucket Permissions

In this guide we describe S3 bucket policies and show how to generate a policy and apply it to an AWS S3 bucket.

Bucket policies define access rights for Amazon S3 resources. Only a bucket owner can write bucket policies. The S3 bucket policy enables you to set permissions such as “Allow/deny bucket-level permissions” and “Deny permission on any objects in the bucket”.

In addition to validating your S3 structure and policies, Newvem can help you determine the AWS storage policies that best suit your needs, including:

  • Which Amazon S3 features are relevant for your usage, like Reduced Redundancy Storage (RRS), Versioning, and Object Expiration
  • How to organize Amazon S3 buckets and objects to make Amazon S3 features usage easier and more effective
  • The most adequate Amazon S3 configuration to support your storage policy
  • How to validate that policies and configurations are compliant
  • When it makes sense to archive Amazon S3 objects with Amazon Glacier – a low-cost storage service that provides secure and durable storage for data archiving and backup.

The policies themselves are written in JSON and use the access policy language. You can generate a policy using the Amazon S3 policy generator tool.

To grant permissions to a specific user, you need the canonical ID of that user. You can get the canonical ID from the AWS account.

1. Enter your AWS account console.

2. Click Security Credentials and select Account Identifiers. Your AWS account ID and canonical ID are listed.

3. Make note of your canonical ID as marked above.

4. Enter the AWS S3 console.


5. Select the bucket and open its properties. The permissions for that bucket are listed.

You add permissions to a grantee. A grantee can be an AWS account or one of the predefined Amazon S3 groups. You grant permission to an AWS account according to the email address or the canonical user ID.

The next steps describe how to generate a policy and apply it to an S3 bucket using the Add Bucket Policy link as marked above.

6. Go to the Amazon S3 policy generator tool and generate a new policy.

7. Specify the principal. The principal is one or more people who receive or are denied permissions according to the policy. The principal must be specified using the principal's AWS ID. Check the following examples:

   a. To apply a policy to anonymous users, set the principal:

   b. To apply a policy to a few IAM users, set the principal:

"AWS": ["arn:aws:iam::111122223333:root","arn:aws:iam::444455556666:root"]

   c. If you want to apply a policy to a specific account, use its canonical ID or account ID:

"Principal": { "CanonicalUser": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be" }
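The three principal forms above are easiest to compare inside one complete policy document. The following script is an added example, not code from Newvem or from AWS: it assembles a bucket policy in the access policy language using the page's example account ARNs and canonical user ID, and adds a small check that lists every Allow statement whose principal is the wildcard `"*"` (the AWS form for anonymous users), which is what you want to spot before saving a policy to a bucket. The bucket name is a constructed placeholder; the actions used (`s3:GetObject`, `s3:ListBucket`, `s3:PutObject`, `s3:DeleteObject`, `s3:DeleteBucket`) and the `2012-10-17` policy version are real S3 policy values.

```python
"""Build an S3 bucket policy from the principal forms described above and
flag statements that grant anonymous access.

Added example; not code from Newvem or AWS. The bucket name is a constructed
placeholder; the account IDs and canonical user ID are the page's examples.
"""
import json

BUCKET = "example-bucket"  # constructed placeholder

CANONICAL_ID = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"


def statement(sid, principal, actions, resources, effect="Allow"):
    """One statement in the access policy language."""
    return {
        "Sid": sid,
        "Effect": effect,
        "Principal": principal,
        "Action": actions,
        "Resource": resources,
    }


def build_policy(bucket):
    """A policy using the three principal forms from the guide:
    (a) anonymous users, (b) a list of account root ARNs,
    (c) a single account by canonical user ID, plus an explicit Deny."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    objects_arn = f"{bucket_arn}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            # (a) "*" is the wildcard principal: everyone, including anonymous users
            statement("PublicRead", "*", ["s3:GetObject"], [objects_arn]),
            # (b) two AWS accounts by root ARN (the page's example IDs)
            statement("AccountList",
                      {"AWS": ["arn:aws:iam::111122223333:root",
                               "arn:aws:iam::444455556666:root"]},
                      ["s3:ListBucket"], [bucket_arn]),
            # (c) one account by canonical user ID (the page's example)
            statement("CanonicalOwner",
                      {"CanonicalUser": CANONICAL_ID},
                      ["s3:PutObject", "s3:DeleteObject"], [objects_arn]),
            # An explicit Deny wins over any Allow, whoever the principal is
            statement("DenyDeleteBucket", "*", ["s3:DeleteBucket"],
                      [bucket_arn], effect="Deny"),
        ],
    }


def is_anonymous(principal):
    """True when the Principal element matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*" or (isinstance(aws, list) and "*" in aws):
            return True
    return False


def public_statements(policy):
    """Sids of Allow statements granted to the anonymous principal."""
    return [s["Sid"] for s in policy["Statement"]
            if s["Effect"] == "Allow" and is_anonymous(s["Principal"])]


def policy_json(bucket):
    """The policy document as the JSON text you would paste into the console."""
    return json.dumps(build_policy(bucket), indent=2)


if __name__ == "__main__":
    policy = build_policy(BUCKET)
    print(policy_json(BUCKET))
    print("Allow statements open to everyone:", public_statements(policy))
```

Running the script prints the policy document; the pasted JSON is what step 11 below asks for. The same document saved to a file can also be applied from the command line with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json` and read back with `aws s3api get-bucket-policy --bucket <name>`. The `public_statements` check is the part worth keeping around: any Sid it returns is a statement that grants to anonymous users, which should be intentional before you click Save.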

8. Specify the actions for which the principal will have control. Once all data is selected, click Add Statement.

9. The statement is added and displayed as shown below.

10. Note that the policy is not yet generated. Click the Generate Policy button to display the policy.

11. Copy the content of the new policy and add it to a bucket policy.

12. Click Save to add the policy to the bucket.

13. Click Edit Bucket Policy and verify that the policy is listed.

You can set permissions directly by selecting the grantee as 'everyone' or 'me'. If you want to grant specific permissions to a selected AWS account ID, use a policy to define the permissions according to the AWS account IDs or canonical IDs.

Once your policy is in place, you can use Newvem Cloud Care to view the cost breakdowns of your S3 footprint, with drill-downs from a consolidated view to the buckets' structure and to object profiles. Newvem S3 usage pattern analysis will help you reach an optimal balance between cost and availability.
