A common requirement is a backup service or script that uploads objects to S3 for storage. Since it's good practice to scope permissions as narrowly as possible, this means creating a separate IAM "api user" for each service, each granted access only to the buckets it needs. Unfortunately, AWS resource ARNs are not intuitive: a bucket and the objects inside it are separate resources, so you have to whitelist both `arn:aws:s3:::bucket` (for bucket-level actions such as s3:ListBucket) and `arn:aws:s3:::bucket/*` (for object-level actions such as s3:PutObject and s3:GetObject). List only the bucket ARN and you get a user that can list the bucket but cannot read or write a single object in it. If you're kind, you'll also allow s3:ListAllMyBuckets so the console and other tools can navigate. One caveat: `s3:*` on the bucket ARN also grants bucket-level administrative actions such as s3:DeleteBucket and s3:PutBucketPolicy, so a backup writer is better served by s3:ListBucket on the bucket plus s3:PutObject/s3:GetObject on its contents.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": ["arn:aws:s3:::*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": [
        "arn:aws:s3:::some-bucket-name",
        "arn:aws:s3:::some-bucket-name/*"
      ]
    }
  ]
}
```
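To make the bucket-versus-object distinction concrete, here is an added example (not code from the original post): a generator for a tighter version of the policy above, plus a deliberately minimal IAM-style evaluator that checks which actions a given ARN actually resolves to. It shows the failure mode the post warns about, a policy that lists the bucket ARN but not the `/*` object ARN, and it swaps `s3:*` for the handful of actions a backup writer needs. The bucket name, the `backups/` prefix and the chosen action list are assumptions for illustration; the evaluator ignores Condition, Principal, NotAction and NotResource, so treat it as a policy linter rather than a faithful re-implementation of IAM.

```python
"""Generate and sanity-check a per-service S3 backup policy.

Added example, not from the original post. Bucket name, prefix and action
list are illustrative assumptions; the evaluator is intentionally partial.
"""
import json
import re

# Constructed inputs for the demo (assumed, not from the post).
BUCKET = "some-bucket-name"

# Object-level actions a backup writer needs; no bucket-level admin actions.
OBJECT_ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:AbortMultipartUpload"]


def backup_policy(bucket: str, prefix: str = "") -> dict:
    """Least-privilege variant of the post's policy.

    Statement 1: enumerate buckets so consoles and tools can navigate.
    Statement 2: list the one bucket (a bucket-ARN action).
    Statement 3: object actions on the bucket's contents (object-ARN actions).
    s3:* on the bucket ARN would also grant s3:DeleteBucket, s3:PutBucketPolicy
    and friends; those are deliberately left out here.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
             "Resource": ["arn:aws:s3:::*"]},
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [bucket_arn]},
            {"Effect": "Allow", "Action": OBJECT_ACTIONS,
             "Resource": [object_arn]},
        ],
    }


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' matches any run (including '/'), '?' one char."""
    regex = "".join(".*" if p == "*" else "." if p == "?" else re.escape(p)
                    for p in re.split(r"([*?])", pattern))
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal IAM evaluation for an identity policy.

    Explicit Deny beats Allow; no matching Allow is an implicit deny. Action
    names match case-insensitively, resource ARNs case-sensitively.
    Condition, Principal, NotAction and NotResource are ignored (assumption).
    """
    allowed = False
    for stmt in policy["Statement"]:
        act_hit = any(_glob(a, action, True) for a in _as_list(stmt.get("Action", [])))
        res_hit = any(_glob(r, resource, False) for r in _as_list(stmt.get("Resource", [])))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_object_grant(policy: dict, bucket: str, key: str) -> bool:
    """The mistake the post warns about: the bucket ARN is listed but the
    object ARN is not, so the service can list the bucket yet cannot write
    the object at `key`."""
    return (is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}")
            and not is_allowed(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/{key}"))


if __name__ == "__main__":
    good = backup_policy(BUCKET, prefix="backups/")
    print(json.dumps(good, indent=2))
    # Same policy with the object ARN replaced by the bucket ARN, the common omission.
    broken = json.loads(json.dumps(good))
    broken["Statement"][2]["Resource"] = [f"arn:aws:s3:::{BUCKET}"]
    print("good policy missing object grant:",
          missing_object_grant(good, BUCKET, "backups/db.sql.gz"))
    print("broken policy missing object grant:",
          missing_object_grant(broken, BUCKET, "backups/db.sql.gz"))
```

Run it as a script to print the generated policy and the two lint results; the `prefix` argument lets one bucket be shared between services that each get their own key space, which is the same bucket-versus-object distinction applied one level down.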
#protip #selfreference