Advanced AWS policy configuration
This guide explains how to configure AWS policies for a destination, data source and storage.
Introduction
Use Amazon Web Services (AWS) policies to provide a set of permissions and links to the AWS resource.
This guide explains what an AWS policy should contain in the following situations:
-
Using S3 as a destination
-
Using S3 as a data source
-
Using S3 as storage
Prerequisites
Before you read this reference, perform all of the following actions:
-
Ensure you can access IAM console.
-
Ensure you can access the AWS Policy Generator.
-
Ensure you know the Bucketname and Pathname of your AWS S3 bucket. For more information on S3 Bucket properties, see the AWS documentation.
Using S3 as a destination
To use an S3 Bucket as
-
Action
-
To use an S3 Bucket as
-
-
s3:DeleteObject -
s3:GetObject -
s3:PutObject -
s3:ListBucket- Include this action in a separate statement of the AWS policy that also contains a condition. See the example AWS policy below.
-
-
Resource
-
Provide the pathway to the S3 Bucket in the following format:
arn:aws:s3:::BUCKETNAME/PATHNAME/*For the AWS Policy statement with the action
s3:ListBucket, include the following resource element:arn:aws:s3:::BUCKETNAMEFor more information on the resource element of the AWS policy, see the AWS documentation.
-
Condition
-
Configure the condition element to control when the policy takes effect. Include the condition element in the AWS policy statement that includes the action
s3:ListBucket. See the example AWS policy below.Use the condition operator
StringLikewith the condition keys3:prefixto make sure the AWS policy only works for a certain resource pathname. An example of the condition element is as follows: "Condition": { "StringLike": { "s3:prefix": "PATHNAME*" } }-
For more information on the condition element of the AWS policy, see the AWS documentation.
Example of an AWS policy when using S3 as a destination
Below is an example of an AWS policy to use an S3 bucket as a destination.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::BUCKETNAME/PATHNAME/*"
],
"Effect": "Allow",
"Sid": "Stmt1478773756000"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::BUCKETNAME"
],
"Effect": "Allow",
"Sid": "Stmt1478773807000",
"Condition": {
"StringLike": {
"s3:prefix": "PATHNAME*"
}
}
}
]
}Using S3 as a data source
To use an S3 Bucket as
-
Action
-
To use an S3 Bucket as
-
-
s3:GetObject -
s3:ListBucket- Include this action in a separate statement of the AWS policy that also contains a condition. See the example AWS policy below.
-
-
Resource
-
Provide the pathway to the S3 Bucket in the following format:
arn:aws:s3:::BUCKETNAME/PATHNAME/*For the AWS Policy statement with the action
s3:ListBucket, include the following resource element:arn:aws:s3:::BUCKETNAMEFor more information on the resource element of the AWS policy, see the AWS documentation.
-
Condition
-
Configure the condition element to control when the policy takes effect. Include the condition element in the AWS policy statement that includes the action
s3:ListBucket. See the example AWS policy below.Use the condition operator
StringLikewith the condition keys3:prefixto make sure the AWS policy only works for a certain resource pathname. An example of the condition element is as follows: "Condition": { "StringLike": { "s3:prefix": "PATHNAME*" } }-
For more information on the condition element of the AWS policy, see the AWS documentation.
Example of an AWS policy when using S3 as a destination
Below is an example of an AWS policy to use an S3 bucket as a destination.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
],
"Resource": [
"arn:aws:s3:::BUCKETNAME/PATHNAME/*"
],
"Effect": "Allow",
"Sid": "Stmt1478773756000"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::BUCKETNAME"
],
"Effect": "Allow",
"Sid": "Stmt1478773807000",
"Condition": {
"StringLike": {
"s3:prefix": "PATHNAME*"
}
}
}
]
}Using S3 as storage
To use an S3 Bucket as storage, ensure the AWS Policy contains the following statements:
-
Action
-
To use an S3 Bucket as storage, you must include the following actions in the actions element of the AWS policy:
-
-
s3:DeleteObject -
s3:GetObject -
s3:PutObject -
s3:ListBucket- Include this action in a separate statement of the AWS policy that also contains a condition. See the example AWS policy below.
-
-
Resource
-
Provide the pathway to the S3 Bucket in the following format:
arn:aws:s3:::BUCKETNAME/PATHNAME/*For the AWS Policy statement with the action
s3:ListBucket, include the following resource element:arn:aws:s3:::BUCKETNAMEFor more information on the resource element of the AWS policy, see the AWS documentation.
Example of an AWS policy when using S3 as a destination
Below is an example of an AWS policy to use an S3 bucket as a destination.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:DeleteObject",
"s3:GetObject",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::BUCKETNAME/PATHNAME/*"
],
"Effect": "Allow",
"Sid": "Stmt1478773756000"
},
{
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::BUCKETNAME"
],
"Effect": "Allow",
"Sid": "Stmt1478773807000",
}
]
}Applying an AWS policy
An AWS policy is attached to an IAM user in your AWS account. For more information on how to attach and test a policy, see the AWS documentation.