S3 bucket can be secured in two ways:
ACL (Access Control List)
ACL is used to manage the access of resources to buckets and objects. An object of each bucket is associated with ACL. It defines which AWS accounts have granted access and the type of access. When a user sends the request for a resource, then its corresponding ACL will be checked to verify whether the user has granted access to the resource or not.
When you create a bucket, then Amazon S3 creates a default ACL which provides a full control over the AWS resources.
Bucket Policies
Bucket policies are only applied to S3 bucket. Bucket policies define what actions are allowed or denied. Bucket policies are attached to the bucket not to an S3 object but the permissions define in the bucket policy are applied to all the objects in S3 bucket.
The following are the main elements of Bucket policy:
- Sid
- A Sid determines what the policy will do. For example, if an action that needs to be performed is adding a new user to an Access Control List (ACL), then the Sid would be AddCannedAcl. If the policy is defined to evaluate IP addresses, then the Sid would be IPAllow.
Effect: An effect defines an action after applying the policy. The action could be either to allow an action or to deny an action.
Principal - A Principal is a string that determines to whom the policy is applied. If we set the principal string as ‘*’, then the policy is applied to everyone, but it is also possible that you can specify individual AWS account.
Action - An Action is what happens when the policy is applied. For example, s3:Getobject is an action that allows to read object data.
Resource - The Resource is a S3 bucket to which the statement is applied. You cannot enter a simply bucket name, you need to specify the bucket name in a specific format. For example, the bucket name is javatpoint-bucket, then the resource would be written as “arn:aws:s3″”javatpoint-bucket/*”.