
AWS S3 Security: IAM Policies for Access Control - Tutorial & Deep Dive | AWS Tutorial Malayalam

162 views
Nov 5, 2025
19:52

Master *AWS S3 Security*! In this deep-dive tutorial, you'll learn exactly how to secure your Amazon S3 buckets using *IAM policies* and best practices for *access control*. This is essential for anyone managing *cloud storage security* on *AWS*. We'll break down why *S3 access control* is crucial, how *AWS IAM* manages security, and walk through building and understanding an *IAM policy* step by step with a real-world *S3 security example*. No more accidentally public buckets: we're locking this down!

💡 *What You'll Master (S3 & IAM Focus):*
* Why *AWS access control* is critical for *cloud storage*
* How *IAM policies* secure your *S3 buckets and objects*
* *IAM policy structure breakdown:* Version, Statement, Effect, Action, Resource, Condition (the whole security alphabet soup!)
* *Real-time policy example* to control *S3 bucket access*
* *Best practices* for keeping your *AWS S3 resources safe*

#AWSSecurity #IAMPolicy #S3Security #AWSCloud #AccessControl #AWSTutorial #cloudsecurity

Sample S3 IAM policies
----------------------------------------

Give read access to a single object named test-results.txt. Note that the action is s3:GetObject and the effect is Allow. This first example is a complete policy document; the later examples show only the statement to add to its "Statement" array.
-----------------
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::project-xyz-data-bucket/testing/test-results.txt"
        }
    ]
}

Attach the policy to an IAM user and test access to the file with the CLI command below (this assumes you already know how to use the AWS CLI):

aws s3 cp s3://project-xyz-data-bucket/testing/test-results.txt test-result-download.txt

Ensure you can access only the specified file; every other object is denied:
------------------------------
aws s3 cp s3://project-xyz-data-bucket/testing/test-assignment.txt .

We only granted read permission, so ensure that a write is denied:
-------------------------
aws s3 cp some-adhoc-file.txt s3://project-xyz-data-bucket/some-adhoc-file.txt

Give permission for one more file. Multiple objects can be listed using a JSON array in Resource:
-----------------------------------
{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": [
        "arn:aws:s3:::project-xyz-data-bucket/testing/test-results.txt",
        "arn:aws:s3:::project-xyz-data-bucket/testing/test-results-sweep-2.txt"
    ]
}

Test:
aws s3 cp s3://project-xyz-data-bucket/testing/test-results-sweep-2.txt .

A wildcard grants read access to every object under a prefix. Be cautious when doing this, because any object written under that prefix later is automatically readable too:
-----------------------------------
{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::project-xyz-data-bucket/testing/*"
}

aws s3 cp s3://project-xyz-data-bucket/testing/test-results-sweep-2.txt .

A wildcard can also be used inside the object name: if you need permission for files such as reference-1.txt, reference-2.txt, etc., use reference-*.txt. Where possible, prefer an object-level wildcard like this over a prefix-wide one:
----------------------------------------
{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": [
        "arn:aws:s3:::project-xyz-data-bucket/testing/reference-*.txt",
        "arn:aws:s3:::project-xyz-data-bucket/testing/test-results.txt"
    ]
}

Test; these work:
aws s3 cp s3://project-xyz-data-bucket/testing/reference-1.txt .
aws s3 cp s3://project-xyz-data-bucket/testing/reference-2.txt .

This is denied:
aws s3 cp s3://project-xyz-data-bucket/testing/test-assignment.txt .

Deny a particular file. A policy can contain multiple statements, and an explicit Deny always takes priority over an Allow: if both an Allow and a Deny match the same object, the request is denied.
---------------------------------------------------
{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": [
        "arn:aws:s3:::project-xyz-data-bucket/testing/reference-*.txt",
        "arn:aws:s3:::project-xyz-data-bucket/testing/test-results.txt"
    ]
},
{
    "Effect": "Deny",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::project-xyz-data-bucket/testing/reference-test-assignment.txt"
}

Write permission
-------------------
{
    "Effect": "Allow",
    "Action": [
        "s3:PutObject"
    ],
    "Resource": "arn:aws:s3:::project-xyz-data-bucket/testing/project-x-test-results.txt"
}

List the objects in the bucket. Use the s3:ListBucket action; everything above was an object-level action, but this is a bucket-level action, so its Resource is the bucket ARN itself (no trailing /key).
---------------------------------
Denied:
aws s3 ls s3://project-xyz-data-bucket

Let's add the permission:
{
    "Effect": "Allow",
    "Action": ["s3:ListBucket"],
    "Resource": "arn:aws:s3:::project-xyz-data-bucket"
}

Retry; now it works:
aws s3 ls s3://project-xyz-data-bucket

List all the buckets:
{
    "Effect": "Allow",
    "Action": "s3:ListAllMyBuckets",
    "Resource": "*"
}

Create a bucket:
{
    "Effect": "Allow",
    "Action": "s3:CreateBucket",
    "Resource": "*"
}

aws s3api create-bucket --bucket project-xyz-nidhi-data-bucket
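The samples above are tested against a live account with the CLI. The following is an added example (not AWS code and not the tutorial's own script): a deliberately small policy evaluator that reproduces the three rules every test in the tutorial depends on (an explicit Deny always wins, an Allow must match both Action and Resource, anything unmatched is implicitly denied) with IAM's `*`/`?` wildcard matching, then replays the tutorial's CLI tests offline as (action, resource) requests. It combines the tutorial's own statements into one policy document; the `BUCKET_ARN`, the object keys and the helper names are taken from the page, `broad_allow_resources` is an assumed helper that flags prefix-wide or account-wide grants for review, and Condition elements, principals and bucket policies are out of scope.

```python
"""Simplified IAM policy evaluator for the S3 policies in this tutorial (added example)."""
import re

BUCKET_ARN = "arn:aws:s3:::project-xyz-data-bucket"


def _wildcard_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an IAM wildcard pattern: '*' is any run of characters, '?' is one."""
    pieces = []
    for ch in pattern:
        if ch == "*":
            pieces.append(".*")
        elif ch == "?":
            pieces.append(".")
        else:
            pieces.append(re.escape(ch))  # ':' and '/' are literal inside an ARN
    return re.compile("^" + "".join(pieces) + "$", re.DOTALL)


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # Action names are case-insensitive in IAM; resource ARNs are compared as written.
    return _wildcard_regex(pattern.lower()).match(action.lower()) is not None


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for one request."""
    decision = "IMPLICIT_DENY"  # nothing matched yet: implicit deny
    for stmt in _as_list(policy.get("Statement", [])):
        hits_action = any(_action_matches(a, action) for a in _as_list(stmt.get("Action", [])))
        hits_resource = any(_wildcard_regex(r).match(resource) is not None
                            for r in _as_list(stmt.get("Resource", [])))
        if not (hits_action and hits_resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "EXPLICIT_DENY"  # a matching Deny overrides every Allow in the policy
        if stmt.get("Effect") == "Allow":
            decision = "ALLOW"  # keep scanning: a later Deny statement can still win
    return decision


def broad_allow_resources(policy: dict):
    """Flag Allow statements whose Resource ends in '*' so each one gets a second look.

    Account-wide actions like s3:ListAllMyBuckets or s3:CreateBucket legitimately need "*";
    the point is to make every prefix-wide or account-wide grant visible at review time.
    """
    flagged = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res.endswith("*"):
                flagged.append((index, res))
    return flagged


# The tutorial's read, deny and list statements combined into one policy document.
TUTORIAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"{BUCKET_ARN}/testing/reference-*.txt",
                      f"{BUCKET_ARN}/testing/test-results.txt"]},
        {"Effect": "Deny", "Action": ["s3:GetObject"],
         "Resource": f"{BUCKET_ARN}/testing/reference-test-assignment.txt"},
        {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": BUCKET_ARN},
    ],
}


def _obj(key: str) -> str:
    return f"{BUCKET_ARN}/{key}"


def tutorial_checks(policy: dict = TUTORIAL_POLICY) -> dict:
    """Replay the tutorial's CLI tests as (action, resource) requests."""
    return {
        "read test-results.txt": evaluate(policy, "s3:GetObject", _obj("testing/test-results.txt")),
        "read reference-1.txt": evaluate(policy, "s3:GetObject", _obj("testing/reference-1.txt")),
        "read reference-test-assignment.txt": evaluate(policy, "s3:GetObject", _obj("testing/reference-test-assignment.txt")),
        "read test-assignment.txt": evaluate(policy, "s3:GetObject", _obj("testing/test-assignment.txt")),
        "write test-results.txt": evaluate(policy, "s3:PutObject", _obj("testing/test-results.txt")),
        "list bucket (bucket ARN)": evaluate(policy, "s3:ListBucket", BUCKET_ARN),
        "list bucket (object ARN, wrong)": evaluate(policy, "s3:ListBucket", _obj("testing/")),
    }


if __name__ == "__main__":
    for name, outcome in tutorial_checks().items():
        print(f"{outcome:14} {name}")
    print("broad Allow resources:", broad_allow_resources(TUTORIAL_POLICY))
```

The last check shows why the ListBucket step in the tutorial fails until the bucket ARN is used: a bucket-level action never matches an object ARN. Against a real account, the equivalent offline check is the IAM policy simulator, e.g. `aws iam simulate-custom-policy --policy-input-list file://policy.json --action-names s3:GetObject --resource-arns arn:aws:s3:::project-xyz-data-bucket/testing/test-assignment.txt`, which reports the same allow / explicit-deny / implicit-deny outcome without touching the bucket.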
