ECS supports the setting of S3 bucket access policies. Unlike ACLs, which either permit all actions or none, access policies give specific users, or all users, conditional and granular permissions for specific actions. Policy conditions can be used to assign permissions for a range of objects that match the condition, and so can automatically assign permissions to newly uploaded objects.
How access to resources is managed when using the S3 protocol is described in
https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html, and you can use that information as the basis for understanding and using S3 bucket policies in ECS. This section provides basic information about the use of bucket policies and identifies the differences when using bucket policies with ECS.
The following provides an example of an ECS bucket policy:
Each policy is a JavaScript Object Notation (JSON) document that includes a version, an identifier, and one or more statements.
Version
The Version field specifies the policy language version and can be either 2012-10-17 or 2008-10-17. If the version is not specified, 2008-10-17 is automatically inserted.
It is good practice to set the policy language for a new policy to the latest version, 2012-10-17.
Id
The Id field is optional.
Each statement includes the following elements:
Sid
The statement ID (Sid) is a string that describes what the statement does.
Resources
The bucket or object that is the subject of the statement. The resource can be specified with a Resource or a NotResource element.
The resource name is the bucket name and key name. The address that carries them is formed differently depending on whether you are using virtual host style addressing or path style addressing, but in either case the resource name used in the policy is:
bucketname/objectname
You can use the asterisk (*) and question mark (?) wildcard characters, where * represents any combination of zero or more characters and ? represents any single character. For example, you can represent all objects in a bucket called bucketname using:
bucketname/*
Actions
The set of operations for which you want to assign permissions (allow or deny). The supported operations are listed in
Supported bucket policy operations.
The operations can be specified with an Action or a NotAction element.
Effect
Can be set to Allow or Deny to determine whether the specified actions are allowed or denied.
Principal
The ECS object user to whom the specified actions are allowed or denied.
To grant permissions to everyone, that is, anonymous access, set the principal value to the wildcard "*", as shown:
"Principal":"*"
Conditions
The condition under which the statement is in effect. The condition expression in the policy is matched against the condition values supplied with the request.
The following condition operators are not supported: Binary (BinaryEquals), ARN (ArnEquals, ArnLike and their Not variants), IfExists (the ...IfExists suffix) and Check Key Exists (the Null operator). The supported condition keys are listed in
Supported bucket policy conditions.
NOTE: ECS bucket policies do not support federated users, nor do they support Amazon IAM users and roles.
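As an added example, not code from the ECS documentation, the following Python script encodes the structural rules described above as a pre-flight checker for a bucket policy document: it inserts the default Version the way ECS does when the field is omitted, requires Effect, Principal, exactly one of Action/NotAction and exactly one of Resource/NotResource per statement, flags the condition operator families ECS does not support, and matches resource names with the * and ? wildcard semantics given for resources. The sample policy, its Sid values, principal and condition key are constructed for the example; the AWS operator spellings (BinaryEquals, Arn*, ...IfExists, Null) used to recognise the unsupported families are an assumption about how the operators are named in a policy sent to ECS, and actions are compared exactly because this page does not describe wildcards in Action.

```python
"""Structural checker for ECS S3 bucket policies (added example, not ECS code)."""
import copy
import json
import re

SUPPORTED_VERSIONS = ("2012-10-17", "2008-10-17")
DEFAULT_VERSION = "2008-10-17"   # inserted by ECS when Version is absent

# Assumed AWS spellings of the operator families the page lists as unsupported.
UNSUPPORTED_OPERATOR_PATTERNS = (
    re.compile(r"^Binary"),      # Binary            -> BinaryEquals
    re.compile(r"^Arn"),         # ARN               -> ArnEquals, ArnLike, ArnNot*
    re.compile(r"IfExists$"),    # IfExists          -> the ...IfExists suffix
    re.compile(r"^Null$"),       # Check Key Exists  -> Null
)


def wildcard_to_regex(pattern):
    """Translate a resource pattern into an anchored regex:
    * is zero or more characters, ? is exactly one, everything else literal."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def resource_matches(pattern, resource):
    return wildcard_to_regex(pattern).match(resource) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_applies(stmt, action, resource):
    """True when the statement's Action/NotAction and Resource/NotResource
    clauses both cover the request. Effect and Condition are not evaluated."""
    if "Action" in stmt:
        act_ok = action in _as_list(stmt["Action"])          # exact match
    else:
        act_ok = action not in _as_list(stmt["NotAction"])
    if "Resource" in stmt:
        res_ok = any(resource_matches(r, resource) for r in _as_list(stmt["Resource"]))
    else:
        res_ok = not any(resource_matches(r, resource) for r in _as_list(stmt["NotResource"]))
    return act_ok and res_ok


def lint_policy(policy):
    """Return (normalized_policy, problems). Normalization inserts the default
    Version exactly as ECS does; problems lists what a practitioner should fix."""
    pol = copy.deepcopy(policy)
    problems = []
    version = pol.get("Version")
    if version is None:
        pol["Version"] = DEFAULT_VERSION
        problems.append("Version missing; ECS inserts 2008-10-17, set 2012-10-17 explicitly")
    elif version not in SUPPORTED_VERSIONS:
        problems.append(f"unsupported Version {version!r}")
    stmts = pol.get("Statement")
    if not isinstance(stmts, list) or not stmts:
        problems.append("Statement must be a non-empty list")
        return pol, problems
    for i, s in enumerate(stmts):
        where = s.get("Sid") or f"statement[{i}]"
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{where}: Effect must be Allow or Deny")
        if "Principal" not in s:
            problems.append(f"{where}: Principal missing")
        if ("Action" in s) == ("NotAction" in s):
            problems.append(f"{where}: exactly one of Action/NotAction required")
        if ("Resource" in s) == ("NotResource" in s):
            problems.append(f"{where}: exactly one of Resource/NotResource required")
        for op in s.get("Condition", {}):
            if any(p.search(op) for p in UNSUPPORTED_OPERATOR_PATTERNS):
                problems.append(f"{where}: condition operator {op!r} is not supported by ECS")
    return pol, problems


# Constructed sample: anonymous read of a prefix, plus a Deny that uses an
# ARN condition operator ECS rejects. Version is deliberately omitted.
SAMPLE_POLICY = {
    "Id": "ExamplePolicy",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "bucketname/public/*"},
        {"Sid": "DenyArnCondition", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:PutObject"], "Resource": "bucketname/*",
         "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:s3:::other"}}},
    ],
}

if __name__ == "__main__":
    normalized, issues = lint_policy(SAMPLE_POLICY)
    print(json.dumps(normalized, indent=2))
    for issue in issues:
        print("PROBLEM:", issue)
```

The normalized document is what you would submit as the bucket policy once the reported problems are cleared; running the checker first avoids discovering an unsupported operator only when ECS rejects the PUT.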