
Amazon S3 Bucket Policies

Hands-On Lab







Amazon S3 bucket policies provide us with greater flexibility for securing our S3 data. From creating intranet-style buckets that restrict access to specific IP ranges, to forcing MFA (Multi-Factor Authentication) for delete operations, to restricting access for CloudFront distributions and a lot more, we'll cover use cases and configure a bucket policy in the provided AWS environment. In this lab, we are going to configure bucket policies to allow access for only specific CIDR block ranges and/or IP addresses. We will then use the provided AWS environment to configure anonymous user access to our S3 objects.


Amazon S3 Bucket Policies

In this lab, we will be learning how to configure Amazon S3 bucket policies. Begin by clicking on the 'Open Console' button and log in with the provided Cloud_User 'User name' and 'Credentials'.

Intranet Bucket Policy

First, we are going to configure a bucket policy that allows us to communicate with objects or download objects from an Amazon S3 bucket. Click on the provided GitHub URL in the description of this Learning Activity. Select the 'intranet-bucket-policy-example', copy the bucket policy to your clipboard and navigate back to the AWS management console. In your browser, navigate to the S3 management console. You should have 2 buckets in the console with unique names: use the first bucket for the first video and the second bucket for the second video.

Next, we'll demonstrate that you don't have permission to download files from the bucket. Select the first bucket, click on index.html and click on the public URL. You should get an 'Access denied' message. Navigate back to the bucket page, again select the first bucket, click on the 'Permissions' tab and then click on Bucket policy. Paste in the 'bucket policy' code you copied from the GitHub page.

Modify the Bucket Policy

Begin by modifying the "Sid" to IPALLOW-1. Next, alter the "Resource" by copying the ARN of the bucket, which is located at the top of the page, and pasting it before the "/". We will also modify the "IpAddress" entry under "Condition". To allow access from your IP address, Google "What's my IP", copy your IP address from the results, and browse back to the AWS console. Paste your IP address followed by "/32" into the aws:SourceIp value. Once you're finished, click Save.

Testing Access to Bucket

Go back to your bucket overview, click on index.html, click the external link, and you should see the file download.
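How the edited policy decides a request, as an added example (not the lab's GitHub policy and not AWS's evaluation code). The bucket name and address are placeholders, s3:GetObject is an assumed action, and the model is simplified: it looks only at Allow statements and the IpAddress condition.

```python
import fnmatch
import ipaddress

# Constructed policy in the shape the lab describes. The bucket name and the
# address are placeholders, and s3:GetObject is an assumed action.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IPALLOW-1",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-lab-bucket-1/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.25/32"}},
    }],
}


def _as_list(value):
    """Policy fields may hold one value or a list of values."""
    return value if isinstance(value, list) else [value]


def source_ip_matches(statement, source_ip):
    """Check the IpAddress / aws:SourceIp condition, if the statement has one."""
    cond = statement.get("Condition", {}).get("IpAddress")
    if cond is None:
        return True
    addr = ipaddress.ip_address(source_ip)
    cidrs = _as_list(cond.get("aws:SourceIp", []))
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def anonymous_get_allowed(policy, bucket, key, source_ip):
    """Simplified model: only Allow statements for s3:GetObject are considered."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for st in _as_list(policy["Statement"]):
        if (st["Effect"] == "Allow"
                and st.get("Principal") == "*"
                and "s3:GetObject" in _as_list(st["Action"])
                and any(fnmatch.fnmatchcase(arn, r) for r in _as_list(st["Resource"]))
                and source_ip_matches(st, source_ip)):
            return True
    return False  # no matching Allow means the request is denied
```

A "Resource" that holds the bucket ARN without the trailing "/*" names the bucket itself, not its objects, so the same request for index.html finds no matching Allow.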

Using a Public IP Address to Allow Access

The IP address and credentials to connect to EC2 can be found on your Cloud Assessment dashboard. You can also right-click on EC2 and select open in a new tab. Click on the selected instance from the list on the left-hand side and copy the "IPv4 Public IP" value to your clipboard.

Next, go back to the S3 management console, click on the bucket list, select the first bucket and then click 'Permissions'. Click on 'Bucket policy' and change your on-premises IP to the instance IP address by pasting the "IPv4 Public IP" value followed by /32 into aws:SourceIp, then hit Save.

Connect to Instance

From here, we are going to SSH into the instance:

  • Open a terminal window
  • Run ssh cloud_user@xx.xx.xx.xx, replacing the sample IP address with the public IP address, which can be found on your Cloud Assessments dashboard, and enter yes
  • Enter the provided password for the instance
  • Go back to the S3 bucket page, click on index.html, and copy the public link
  • Switch back to the terminal window and type curl followed by the public URL. You should be able to view the content of the HTML file due to the permissions we set in the bucket policy

Demonstrating Access without Public IP Address

Let's head back to the 'bucket policy' in the AWS console, remove the 'IP address' from the bucket policy and hit Save.

Return to the terminal window and repeat the same commands above:

  • Run ssh cloud_user@xx.xx.xx.xx, replacing the sample IP address with the public IP address, which can be found on your Cloud Assessments dashboard
  • Enter the password for the instance
  • Type the curl command and paste in the public URL. This time, you'll get an 'access denied' message!

Creating an Anonymous Bucket Policy

There is a GitHub URL as part of this activity. Let's go ahead and open it up. Click on the 'anonymous' link and copy the code to your clipboard. Head back over to the AWS management console.

Note: Make sure you are using the Cloud Assessments provided AWS management console.

Open up the AWS S3 management console and select the second bucket.

To demonstrate that we don't have access to view the objects in the buckets, select 'index.html' and click on the public URL under Overview in the pop-up window. You should get an 'access denied' message.

Allowing Anonymous Access

Go to Permissions, click on Bucket policy and paste in the code that you copied from the GitHub link. Modify the "Resource" line of the code by copying and pasting the bucket ARN into the "Resource" value before the "/". Click Save.

You will get a warning notification that your AWS bucket is public.

We can now navigate back to the 'Overview' inside the bucket, select 'index.html', and click on the public URL. You should see the '.html' file downloading!

Another thing to do is to copy the public URL, switch to the terminal window, type the curl command, paste the URL and hit enter.

We can see that it's downloading, meaning that everybody has access to download the content of the bucket.
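A check for the condition behind the console's "public" warning, as an added example (not the lab's code and not AWS's own public-policy analysis). Both policies are constructed, with placeholder bucket names, Sids and address. Only a missing Condition or an aws:SourceIp range that covers every address is flagged; other condition keys are not analysed.

```python
import ipaddress

# Constructed policies; bucket names, Sids and the address are placeholders.
ANONYMOUS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AnonymousRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-lab-bucket-2/*"}]}
INTRANET = {"Version": "2012-10-17", "Statement": [{
    "Sid": "IPALLOW-1", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-lab-bucket-1/*",
    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.25/32"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal):
    """True for "Principal": "*" and for {"AWS": "*"}."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"


def public_findings(policy):
    """Return (Sid, reason) for each Allow statement open to any client."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(st.get("Principal")):
            continue
        sid = st.get("Sid", "<no Sid>")
        cond = st.get("Condition")
        if not cond:
            findings.append((sid, "wildcard principal with no Condition"))
            continue
        cidrs = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append((sid, f"aws:SourceIp {cidr} matches every address"))
    return findings
```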

Congratulations! You've completed this Learning Activity! Once both boxes have been checked off on your dashboard, you can click "Grade Activity" and move on.