cloud engineer
Give someone upload access to a S3 bucket. Here’s the policy.
{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Action":[ "s3:ListAllMyBuckets" ], "Resource":"arn:aws:s3:::*" }, { "Effect":"Allow", "Action":[ "s3:ListBucket", "s3:GetBucketLocation" ], "Resource":"arn:aws:s3:::your-bucket-name" }, { "Effect":"Allow", "Action":[ "s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:GetObjectAcl", "s3:DeleteObject" ], "Resource":"arn:aws:s3:::your-bucket-name/*" } ] } |
How to restore an object from Amazon S3 Glacier via the AWS CLI.
aws s3api restore-object \ --bucket awsexamplebucket \ --key dir1/example.obj \ --restore-request '{"Days":25,"GlacierJobParameters":{"Tier":"Standard"}}' |
Here’s the policy to restrict access to S3 bucket to certain IP addresses.
{ "Version": "2012-10-17", "Id": "S3PolicyIPRestrict", "Statement": [ { "Sid": "IPAllow", "Effect": "Allow", "Principal": { "AWS": "*" }, "Action": "s3:*", "Resource": "arn:aws:s3:::bucket/*", "Condition" : { "IpAddress" : { "aws:SourceIp": "10.10.10.0/24" }, "NotIpAddress" : { "aws:SourceIp": "10.10.10.100/32" } } } ] } |
Allow anyone in the 10.10.10.0/24 network except for 10.10.10.100/32.
You can setup AWS Glacier via S3 bucket replication. Create a S3 bucket and slap this bucket policy.
{ "Version": "2012-10-17", "Id": "S3PolicyId1", "Statement": [ { "Sid": "IPAllow", "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "arn:aws:s3:::your-bucket-storage-name/*", "Condition": { "IpAddress": { "aws:SourceIp": "10.0.0.0/8" } } }, { "Sid": "DenyIncorrectEncryptionHeader", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::your-bucket-storage-name/*", "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "AES256" } } }, { "Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::your-bucket-storage-name/*", "Condition": { "Null": { "s3:x-amz-server-side-encryption": "true" } } } ] } |
Add this policy to your IAM user or role.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::cah-callcopy-storage/*" }, { "Effect": "Allow", "Action": [ "s3:List*", "s3:Get*" ], "Resource": "arn:aws:s3:::*" } ] } |
AWS just introduced Backup, a new managed service for backing up AWS resources. You can now create backup policies of EC2, RDS, DynamoDB, and EFS systems. The default backup uses S3 buckets, but storage can be moved to Glacier or it can be expired. The backup service is initially available in Virginia, Ohio, Oregon and Ireland.
