Amazon Web Services

Published June 2016

root vs IAM users

The root user can create & posess access keys, but using them is discouraged because you can not configure access permissions for these keys.

aws cli

useful for things.

S3

users & permissions

Looking at a bucket's permissions you get the Access Control List, Bucket Policy, and CORS configuration.

Access Control List

The Access Control List looks nice and easy, but it's probably not what you want. I may well be mistaken but I think all you can do here is specify owners and access to permissions. You have to specify users here by Canonical User ID, and I'm pretty sure only root users can have those. If you want to find yours it's not in IAM, get to it through the security credentials dropdown under your username at the top.

Bucket Policy

For better or worse, this is where you need to spend most of your time. I do find it easier to use the policy generator.

Principal: This is the user(s) you want a statement to apply to. You can just paste in your ARN, you don't need "ARN":"my-arn-here" as it appears in an actual JSON policy. Use an asterisk * for 'everyone'.

Amazon Resource Name: you need your bucket ARN. The only way I know to get this is from the Amazon S3 front page (where all your buckets are listed) click on a bucket row (not on the bucket name) and the info panel slides in from the right. Underneath the bucket name at the top there's a 'copy ARN' button.

The policy I'm using for static sites at the moment is below. There's only two statements, one to allow all actions to my user, and another to allow getObject to everyone.

{
  "Id": "Policy1496642448617",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1496639999254",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::leviwheatcroft.com/*",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1496640085815",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::leviwheatcroft.com/*",
      "Principal": {
        "AWS": [
          "arn:aws:iam::032661277798:user/leviwheatcroft"
        ]
      }
    }
  ]
}