
ECS 3.6.2 Data Access Guide

Bucket policy support

ECS supports the setting of S3 bucket access policies. Unlike ACLs, which either permit all actions or none, access policies provide specific users, or all users, with conditional and granular permissions for specific actions. Policy conditions can be used to assign permissions for a range of objects that match the condition and can be used to automatically assign permissions to newly uploaded objects.

How access to resources is managed when using the S3 protocol is described in https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-access-control.html, and you can use that information as the basis for understanding and using S3 bucket policies in ECS. This section provides basic information about the use of bucket policies and identifies the differences when using bucket policies with ECS.

The following provides an example of an ECS bucket policy:

{
    "Version": "2012-10-17",
    "Id": "S3PolicyIdNew2",
    "Statement": [
        {
            "Sid": "Granting PutObject permission to user2 ",
            "Effect": "Allow",
            "Principal": "user_n2",
            "Action": ["s3:PutObject"],
            "Resource": ["PolicyBuck1/*"],
            "Condition": {
                "StringEquals": {"s3:x-amz-server-side-encryption": ["AES256"]}
            }
        }
    ]
}

Each policy is a JavaScript Object Notation (JSON) document that includes a version, an identifier, and one or more statements.

Version
The Version field specifies the policy language version and can be either 2012-10-17 or 2008-10-17. If the version is not specified, 2008-10-17 is automatically inserted.

It is good practice to set the policy language for a new policy to the latest version, 2012-10-17.

Id
The Id field is optional.

Each statement includes the following elements:

SID
A statement ID is a string that describes what the statement does.
Resources
The bucket or object that is the subject of the statement. The resource can be associated with a Resource or NotResource statement.
The resource name is the bucket and key name and is specified differently depending on whether you are using virtual host style addressing or path style addressing, as shown:
Host Style: http://bucketname.ns1.emc.com/objectname
Path Style: http://ns1.emc.com/bucketname/objectname
In either case, the resource name is: bucketname/objectname.
You can use the (*) and (?) wildcard characters, where an asterisk (*) represents any combination of zero or more characters and a question mark (?) represents any single character. For example, you can represent all objects in a bucket that is called bucketname, using:
bucketname/*
Actions
The set of operations that you want to assign permissions to (enable or deny). The supported operations are listed in Supported bucket policy operations.

The operation can be associated with an Action or NotAction statement.

Effect
Can be set to Allow or Deny to determine whether you want to enable or deny the specified actions.
Principal
The ECS object user who is enabled or denied the specified actions.
To grant permissions to everyone, as anonymous access, you can set the principal value to a wildcard, "*", as shown:
"Principal":"*"
Conditions
The condition under which the policy is in effect. The condition expression is used to match a condition that is provided in the policy with a condition that is provided in the request.

The following condition operators are not supported: Binary, ARN, IfExists, Check Key Exists. The supported condition keys are listed in Supported bucket policy conditions.

NOTE: ECS bucket policies do not support federated users, nor do they support Amazon IAM users and roles.

More information about the elements that you can use in a policy is provided in the Amazon S3 documentation, https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html.
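
As an added example (not part of the ECS documentation or of any ECS tooling), the following Python lint checks a policy document against the rules in this section before it is applied: the Version default, the Effect values, anonymous "Principal":"*" grants, and the unsupported condition operators. It assumes that the unsupported operator families carry their AWS policy-language names (Binary*, Arn*, *IfExists, Null); the function names and the second sample policy are constructed for illustration.

```python
import json

SUPPORTED_VERSIONS = {"2012-10-17", "2008-10-17"}
def as_list(value):
    return value if isinstance(value, list) else [value]

def unsupported_operator(op):
    # Assumption: ECS uses the AWS operator names for the families the page
    # lists as unsupported: Binary*, Arn*, *IfExists and Null (key-exists check).
    return op.startswith(("Binary", "Arn")) or op.endswith("IfExists") or op == "Null"

def lint_ecs_policy(policy_text):
    """Return a list of findings for an ECS bucket policy given as JSON text."""
    policy = json.loads(policy_text)
    findings = []
    version = policy.get("Version")
    if version is None:
        findings.append("policy: no Version, ECS will insert 2008-10-17")
    elif version not in SUPPORTED_VERSIONS:
        findings.append(f"policy: unsupported Version {version!r}")
    for n, stmt in enumerate(as_list(policy.get("Statement", []))):
        where = f"statement {n}"
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny, got {effect!r}")
        if not stmt.keys() & {"Action", "NotAction"}:
            findings.append(f"{where}: no Action or NotAction")
        if not stmt.keys() & {"Resource", "NotResource"}:
            findings.append(f"{where}: no Resource or NotResource")
        if effect == "Allow" and "*" in as_list(stmt.get("Principal", [])):
            findings.append(f"{where}: Allow with Principal '*' grants anonymous access")
        for op in stmt.get("Condition", {}):
            if unsupported_operator(op):
                findings.append(f"{where}: condition operator {op!r} not supported")
    return findings

# The policy shown on this page (expected: no findings).
PAGE_POLICY = """{"Version": "2012-10-17", "Id": "S3PolicyIdNew2", "Statement": [
  {"Sid": "Granting PutObject permission to user2 ", "Effect": "Allow",
   "Principal": "user_n2", "Action": ["s3:PutObject"], "Resource": ["PolicyBuck1/*"],
   "Condition": {"StringEquals": {"s3:x-amz-server-side-encryption": ["AES256"]}}}]}"""
# Constructed sample: no Version, anonymous Allow, an IfExists operator.
CONSTRUCTED_POLICY = """{"Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": ["s3:PutObject"],
   "Resource": ["PolicyBuck1/*"], "Condition": {
     "StringEqualsIfExists": {"s3:x-amz-server-side-encryption": ["AES256"]}}}]}"""

if __name__ == "__main__":
    for name, text in (("page", PAGE_POLICY), ("constructed", CONSTRUCTED_POLICY)):
        print(name, lint_ecs_policy(text))
```

Running the lint in a review step before a policy is uploaded catches the silent fallback to 2008-10-17 and any statement that opens a bucket to anonymous requests.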

