-
How Do I Create a Lifecycle Policy for an S3 Bucket? - Amazon Simple Storage Service
September 22, 2017 at 10:14:20 AM GMT+2 - permalink -To apply this lifecycle rule to all objects in the bucket, choose Next.
That's why wildcard was not working :D
-
http://docs.aws.amazon.com/AmazonS3/latest/user-guide/create-lifecycle.html
-
Example 2: Bucket Owner Granting Cross-Account Bucket Permissions - Amazon Simple Storage Service
Donc pour autoriser un compte externe, on va lier une bucker policy sur notre bucket pour autoriser "id_du_compte:root" (on est obligé d'autoriser 'root', en fait ça veut dire qu'on autorise le compte en face mais on ne peut pas être plus précis à ce niveau là)June 12, 2017 at 8:48:42 AM GMT+2 * - permalink -
C'est le compte en face qui va décider qui a le droit de venir sur notre bucket avec des user policy standard (quand on est dans le contexte du compte en face, c'est comme si le bucket nous appartenait)
Exemple bucket policy à mettre sur le BUCKET de l'account A pour autoriser l'account xxx en RW
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow account_xx on aws account xxx RW",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::OTHER_ACCOUNT_ID:root"
},
"Action": ["s3:GetBucketLocation", "s3:ListBucket"],
"Resource": "arn:aws:s3:::BUCKET"
},
{
"Sid": "Allow account_xx on aws account xxx RW",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::OTHER_ACCOUNT_ID:root"
},
"Action": [
"s3:*"
],
"Resource": "arn:aws:s3:::BUCKET/*"
}
]
}
Pour Read only, remplacer action du deuxieme bloc par "Action": ["s3:Get*","s3:List*"],
-
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html
-
![thumbnail]()
IAM Policies and Bucket Policies and ACLs! Oh, My! (Controlling Access to S3 Resources) | AWS Security Blog
March 24, 2017 at 12:24:51 PM GMT+1 - permalink -Easy one?
Not even close
-
https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
-
![thumbnail]()
Writing IAM Policies: How to Grant Access to an Amazon S3 Bucket | AWS Security Blog
March 15, 2017 at 11:00:52 AM GMT+1 - permalink -Don't give s3 full access policy to your app user
Prefer to allow access only for specific bucketI wonder what's the best choice : create managed policy or simply use inline policy. I got a 1 to 1 relationship between my app-users and bucket so... inline policy looks good here
-
https://aws.amazon.com/blogs/security/writing-iam-policies-how-to-grant-access-to-an-amazon-s3-bucket/
-
Note: How to know which policy contains a specific action?
February 22, 2017 at 4:16:06 PM GMT+1 - permalink -Warning : this loop does a lot of call to aws api, use it with caution
To know that I needed to list all policies and associated statements (for the default policy version)
!/bin/bash
IFS=$'\n'
for line in $(aws iam list-policies|jq '.Policies|.[]|[ .PolicyName, .Arn, .DefaultVersionId ]| @csv' -r|sed 's/","/ /g'|sed 's/"//g'); do
name=$(echo $line|cut -d' ' -f1);
arn=$(echo $line|cut -d' ' -f2);
version=$(echo $line|cut -d' ' -f3);
echo "$name"
aws iam get-policy-version --policy-arn $arn --version-id $version
donePut this in a script, redirect output to a file and go get grep!
-
https:///?bERNcg
-
Note sur les Policy IAM
December 12, 2016 at 12:59:10 PM GMT+1 - permalink -Une policy IAM est constituée de statement, ce sont des règles (des blocs de codes)
{
"Statement":[{
"Effect":"effect",
"Action":"action",
"Resource":"arn",
"Condition":{
"condition":{
"key":"value"
}
}
}
]
}Chaque règle dans sa forme la plus simple est composée de 3 choses :
Effect : allow ou deny
Action : quelle action concerne la règle
Resource : la resource concernée
Chaque service Amazon (EC2, ECR, etc...) expose une liste d'action, on peut trouver cette liste dans la doc (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Action)
Et chaque resource peut être identifiée par un arn (une manière simple de retrouver un ARN est d'afficher la resources dans l'interface web AWS, il y a souvent l'arn)
-
https:///?3KOHAQ
