Amazon Web Services
All the things I always forget about AWS.

root vs IAM users

The root user can create & possess access keys, but using them is discouraged because you cannot configure access permissions for these keys.

aws cli

useful for things.

  • install pip
  • go pip install --upgrade --user awscli
  • add ~/.local/bin to your path. Mine's in ~/.zshrc and looks like export PATH=/home/levi/.npm-packages/bin:/home/levi/.local/bin:$PATH, (go source ~/.zshrc after updating).
  • aws --version to make sure you're good to go
  • aws configure will ask you for your credentials.
  • find your default region on the region list (scroll down).
  • I use JSON as the default output


users & permissions

Looking at a bucket's permissions you get the Access Control List, Bucket Policy, and CORS configuration.

Access Control List

The Access Control List looks nice and easy, but it's probably not what you want. I may well be mistaken but I think all you can do here is specify owners and access to permissions. You have to specify users here by Canonical User ID, and I'm pretty sure only root users can have those. If you want to find yours, it's not in IAM; get to it through the security credentials dropdown under your username at the top.

Bucket Policy

For better or worse, this is where you need to spend most of your time. I do find it easier to use the policy generator.

Principal: This is the user(s) you want a statement to apply to. You can just paste in your ARN, you don't need "ARN":"my-arn-here" as it appears in an actual JSON policy. Use an asterisk * for 'everyone'.

Amazon Resource Name: you need your bucket ARN. The only way I know to get this is from the Amazon S3 front page (where all your buckets are listed): click on a bucket row (not on the bucket name) and the info panel slides in from the right. Underneath the bucket name at the top there's a 'copy ARN' button.

The policy I'm using for static sites at the moment is below. There are only two statements, one to allow all actions to my user, and another to allow getObject to everyone.

  {
    "Id": "Policy1496642448617",
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "Stmt1496639999254",
        "Action": ["s3:GetObject"],
        "Effect": "Allow",
        "Resource": "*",
        "Principal": "*"
      },
      {
        "Sid": "Stmt1496640085815",
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": "*",
        "Principal": {
          "AWS": ["<your-IAM-user-ARN>"]
        }
      }
    ]
  }

  • I think you can edit the "Id" and "Sid" values to be something more meaningful, but I'm not bothered.
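
A quick check for a policy shaped like the one above, as an added example that is not part of the original notes: it lists what each Allow statement opens to everyone and flags anything beyond s3:GetObject, which catches the two Principal values being pasted into the wrong statements. The Sid names, the account ID in the ARN and all function names are constructed for illustration, and Condition, NotPrincipal and NotAction are not evaluated.

```python
import copy

# Constructed sample with the same shape as the policy above; the ARN is a placeholder.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "*"},
        {"Sid": "OwnerFull", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111122223333:user/example"]},
         "Action": "s3:*", "Resource": "*"},
    ],
}

def as_list(value):
    """Policy fields may hold a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_everyone(principal):
    """True for "*", {"AWS": "*"} and {"AWS": ["*", ...]}."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in as_list(principal)

def public_grants(policy):
    """Return (Sid, action) pairs that an Allow statement gives to everyone."""
    grants = []
    for stmt in as_list(policy.get("Statement", [])):
        # Condition, NotPrincipal and NotAction are not evaluated here.
        if stmt.get("Effect") == "Allow" and is_everyone(stmt.get("Principal")):
            grants += [(stmt.get("Sid", "<no Sid>"), a) for a in as_list(stmt.get("Action", []))]
    return grants

def risky_public_grants(policy, allowed=("s3:GetObject",)):
    """Public grants that are not exactly an allowed action (wildcards count as risky)."""
    allowed_lower = {a.lower() for a in allowed}  # action names are case-insensitive
    return [(sid, act) for sid, act in public_grants(policy) if act.lower() not in allowed_lower]

def swapped_policy():
    """Constructed mistake: the two Principal values end up in the wrong statements."""
    bad = copy.deepcopy(GOOD_POLICY)
    first, second = bad["Statement"]
    first["Principal"], second["Principal"] = second["Principal"], first["Principal"]
    return bad

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("swapped", swapped_policy())):
        print(name, "public:", public_grants(policy), "risky:", risky_public_grants(policy))
```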