S3 (Simple Storage Service) is the cloud object storage service in AWS that lets users upload and store files in the cloud. An S3 bucket is a container for objects and can hold an unlimited number of them.
From an exposure point of view there are 2 types of S3 bucket:-
- Public - There are no restrictions and the bucket can be accessed by anyone on the internet.
- Private - Only permitted identities can access the bucket. Access to a private bucket is governed by the bucket's "Bucket Policy" (together with the IAM policies of the caller and, where still enabled, ACLs).
You can access a public S3 bucket by visiting
The two object permissions that matter most here are:-
- GetObject: This permission lets the principal download a specified object from the S3 bucket.
- PutObject: This permission lets the principal upload (or overwrite) an object in the S3 bucket.
Access control in S3 is done either via the Bucket Policy or via the legacy ACL (Access Control List). The two are not ranked against each other: a request is allowed if the bucket policy, the caller's IAM policy or an ACL grant allows it, unless a policy contains an explicit Deny that matches the request, in which case it is refused regardless of any ACL grant. Since April 2023 AWS creates new buckets with ACLs disabled (Object Ownership set to "Bucket owner enforced") and with Block Public Access turned on, so ACL grants only matter on buckets where ACLs have been explicitly enabled.
A bucket policy is attached at the bucket level, i.e. a single policy governs the whole bucket and whichever objects in it the Resource element names. AWS recommends bucket policies (with IAM policies) over ACLs for access control on S3 buckets.
Example bucket policy:-
The bucket policy has the following properties:-
- Effect : "Allow" here means that, when the statement matches a request, the principal is ALLOWED to perform the Action in the statement, i.e. GetObject. If Effect were "Deny", a matching statement would mean the principal is DENIED that Action, and an explicit Deny overrides any Allow granted elsewhere.
- Principal : Principal is the ARN of the identity the statement applies to. Here "arn:aws:iam::584358494719:user/BucketRead" means that the IAM user BucketRead in account 584358494719 is the one being given access. A Principal of "*" would apply the statement to everyone, including unauthenticated (anonymous) requests.
- Action : Action is what exactly the Principal may do on the Resource. Here "s3:GetObject" means the BucketRead user is allowed to perform the GetObject operation on the listed objects. Note that GetObject does not cover fetching a specific version of an object, which needs "s3:GetObjectVersion".
- Resource : Resource is the object(s) in the S3 bucket the statement applies to. Here "arn:aws:s3:::securitylabs-article/flag.txt" means that user BucketRead is given GetObject on the note.txt and flag.txt files in the bucket called
Access Control Lists are the legacy way of controlling access to a bucket. ACLs exist at two levels: a bucket ACL (listing and writing objects, reading and writing the ACL itself) and a per-object ACL (reading the object or its ACL). Grants can go to individual AWS accounts or to the predefined groups "Authenticated users" (any AWS account) and "Everyone" (anyone on the internet, no credentials needed).
The above is the ACL on the
① - This is the bucket owner's grant on objects. Since both List and Write are selected, the bucket owner can list and write (upload or delete) the objects in the bucket.
② - This is the bucket owner's grant on the bucket ACL, which means the bucket owner can read and edit the ACL of the bucket, as shown in the screenshot above.
③ - This is the List permission on the bucket's objects for the "Everyone" grantee. If it were enabled, anyone on the internet could list all objects in the bucket without authenticating (the same grant also permits listing object versions).
④ - This is the Read permission on the bucket ACL for the "Everyone" grantee. If enabled, anyone on the internet could view the ACL of the bucket without authenticating.
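The following is an added example, not code from the original article or from AWS: a simplified model of how S3 combines a bucket policy with ACL grants, covering both the bucket-policy fields explained above and the "Everyone" ACL grants in the screenshot. The bucket policy is reconstructed from the article's Effect/Principal/Action/Resource description (the policy JSON itself is not reproduced on the page, and note.txt is included because the text says both files are covered); the Deny policy, the ACL grants and the anonymous caller are constructed inputs, and IAM identity policies and Block Public Access are left out of the model.

```python
"""Simplified model of how S3 decides a request against a bucket policy and ACLs.

Added example, not code from the original article or from AWS. BUCKET_POLICY is
reconstructed from the article's description; DENY_LIST_POLICY and the ACL
grants used below are constructed for illustration.
"""
import json
from fnmatch import fnmatchcase

ALL_USERS = "AllUsers"                      # the console's "Everyone (public access)"
AUTHENTICATED_USERS = "AuthenticatedUsers"  # any AWS account

# Reconstructed from the article's description (not the page's own JSON).
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::584358494719:user/BucketRead"},
    "Action": "s3:GetObject",
    "Resource": ["arn:aws:s3:::securitylabs-article/flag.txt",
                 "arn:aws:s3:::securitylabs-article/note.txt"]
  }]
}""")

# Constructed variant: the same grant plus an explicit Deny on listing by anyone.
DENY_LIST_POLICY = {
    "Version": "2012-10-17",
    "Statement": BUCKET_POLICY["Statement"] + [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:ListBucketVersions"],
        "Resource": "arn:aws:s3:::securitylabs-article",
    }],
}

# ACL permission -> S3 API actions (AWS's mapping of ACL grants to operations).
BUCKET_ACL_ACTIONS = {
    "READ": {"s3:ListBucket", "s3:ListBucketVersions", "s3:ListBucketMultipartUploads"},
    "WRITE": {"s3:PutObject", "s3:DeleteObject"},
    "READ_ACP": {"s3:GetBucketAcl"},
    "WRITE_ACP": {"s3:PutBucketAcl"},
}
OBJECT_ACL_ACTIONS = {
    "READ": {"s3:GetObject", "s3:GetObjectVersion"},
    "READ_ACP": {"s3:GetObjectAcl"},
    "WRITE_ACP": {"s3:PutObjectAcl"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    """caller is an IAM ARN, or None for an unauthenticated request."""
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
    return "*" in aws or (caller is not None and caller in aws)


def _grantee_matches(grantee, caller):
    if grantee == ALL_USERS:
        return True
    if grantee == AUTHENTICATED_USERS:
        return caller is not None
    return caller is not None and grantee == caller


def is_allowed(caller, action, resource, policy, bucket_acl=(), object_acl=()):
    """Decide one request. ACLs are sequences of (grantee, permission) tuples.

    An explicit Deny in the policy refuses the request outright; otherwise it is
    allowed if either a policy statement or a matching ACL grant allows it.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    # Object ARNs have a "/" after the bucket name; bucket ARNs do not.
    bucket_level = "/" not in resource.removeprefix("arn:aws:s3:::")
    grants, table = (bucket_acl, BUCKET_ACL_ACTIONS) if bucket_level else (object_acl, OBJECT_ACL_ACTIONS)
    for grantee, permission in grants:
        actions = set().union(*table.values()) if permission == "FULL_CONTROL" else table.get(permission, set())
        if _grantee_matches(grantee, caller) and action in actions:
            allowed = True
    return allowed


if __name__ == "__main__":
    bucket = "arn:aws:s3:::securitylabs-article"
    reader = "arn:aws:iam::584358494719:user/BucketRead"
    print(is_allowed(reader, "s3:GetObject", bucket + "/flag.txt", BUCKET_POLICY))                    # True
    print(is_allowed(None, "s3:ListBucket", bucket, BUCKET_POLICY, bucket_acl=[(ALL_USERS, "READ")]))  # True
    print(is_allowed(None, "s3:ListBucket", bucket, DENY_LIST_POLICY, bucket_acl=[(ALL_USERS, "READ")]))  # False
```

The second call is the case the ACL screenshot warns about: the bucket policy says nothing about listing, yet the "Everyone: List" grant alone opens ListBucket (and ListBucketVersions) to anonymous callers. The third call shows the only way a bucket policy overrides an ACL grant, an explicit Deny; an Allow-only policy never narrows what an ACL has already handed out.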
Versioning in an S3 bucket allows users to keep multiple versions of the same object. In layman's terms, this means you can upload multiple objects with the same name without overwriting the original object: AWS stores each upload as a new version of the object and keeps the earlier ones. Deleting a versioned object does not remove it either; it only places a "delete marker" on top, and the older versions stay retrievable by their version ID.
The above screenshot shows 2 versions of the same object. VersionID "sShYGYWi.sfoOVA1SfQoiy6HEXSf2RXw" is the most recently uploaded object, which became the current (default) version, while VersionID "f_9JJNeIsyYBjHTbU0eoPNZYd.CE8Y.K" is the originally uploaded object. AWS keeps both so that either the original or the recent object can be downloaded. This can be interesting from an attacker's point of view, since data that was removed from the current version may still be present in an old one :)
To fetch a particular version of an object from a publicly accessible bucket, pass the query parameter "versionId" with the GET request. The version IDs themselves can be enumerated with a GET on the bucket with the "?versions" query (the ListBucketVersions operation), which the "Everyone: List" ACL grant or an "s3:ListBucketVersions" policy allow makes available to anyone.
If our bucket securitylabs-articles were publicly accessible, one could download the previous old version of note.txt by knowing its versionId beforehand. One check worth making: a versioned GET needs "s3:GetObjectVersion" (which the object READ ACL grant includes), so a bucket policy that only allows "s3:GetObject" exposes the current version but not the old ones.
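As an added example (not code from the original article), the script below parses the XML that a "GET /?versions" listing returns and builds the "versionId" URLs for every non-current version, which is how one would collect the old versions to download. The listing is a constructed sample in the ListVersionsResult format: it uses the two version IDs quoted above for note.txt, and goes one step beyond the article's case by including a "secret.txt" (assumed name, with constructed version IDs and dates) that has been deleted behind a delete marker but whose earlier version is still retrievable. No request is made to AWS.

```python
"""Enumerate object versions from an S3 ListVersionsResult and build versionId URLs.

Added example, not code from the original article. SAMPLE_LISTING is a
constructed sample of the "?versions" response; the secret.txt entries, the
dates and sizes are made up for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import quote

S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}

# Constructed sample of what https://<bucket>.s3.amazonaws.com/?versions returns.
SAMPLE_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListVersionsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>securitylabs-articles</Name>
  <Prefix></Prefix>
  <KeyMarker></KeyMarker>
  <VersionIdMarker></VersionIdMarker>
  <MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Version>
    <Key>note.txt</Key>
    <VersionId>sShYGYWi.sfoOVA1SfQoiy6HEXSf2RXw</VersionId>
    <IsLatest>true</IsLatest>
    <LastModified>2021-06-02T10:15:00.000Z</LastModified>
    <Size>128</Size>
    <StorageClass>STANDARD</StorageClass>
  </Version>
  <Version>
    <Key>note.txt</Key>
    <VersionId>f_9JJNeIsyYBjHTbU0eoPNZYd.CE8Y.K</VersionId>
    <IsLatest>false</IsLatest>
    <LastModified>2021-06-01T09:00:00.000Z</LastModified>
    <Size>96</Size>
    <StorageClass>STANDARD</StorageClass>
  </Version>
  <DeleteMarker>
    <Key>secret.txt</Key>
    <VersionId>constructedDeleteMarkerId00001</VersionId>
    <IsLatest>true</IsLatest>
    <LastModified>2021-06-03T08:00:00.000Z</LastModified>
  </DeleteMarker>
  <Version>
    <Key>secret.txt</Key>
    <VersionId>constructedOldVersionId000001</VersionId>
    <IsLatest>false</IsLatest>
    <LastModified>2021-05-30T08:00:00.000Z</LastModified>
    <Size>42</Size>
    <StorageClass>STANDARD</StorageClass>
  </Version>
</ListVersionsResult>
"""


def parse_versions(xml_text):
    """Return one dict per entry: key, version_id, is_latest and whether it is a delete marker."""
    root = ET.fromstring(xml_text)
    entries = []
    for tag, is_marker in (("Version", False), ("DeleteMarker", True)):
        for el in root.findall(f"s3:{tag}", S3_NS):
            entries.append({
                "key": el.findtext("s3:Key", namespaces=S3_NS),
                "version_id": el.findtext("s3:VersionId", namespaces=S3_NS),
                "is_latest": el.findtext("s3:IsLatest", namespaces=S3_NS) == "true",
                "delete_marker": is_marker,
            })
    return entries


def versioned_url(bucket, key, version_id):
    """GET URL for one specific version of an object in a public bucket."""
    return f"https://{bucket}.s3.amazonaws.com/{quote(key)}?versionId={quote(version_id, safe='')}"


def noncurrent_targets(bucket, xml_text):
    """URLs of every non-current version: old copies, and objects hidden behind a delete marker."""
    return [versioned_url(bucket, e["key"], e["version_id"])
            for e in parse_versions(xml_text)
            if not e["delete_marker"] and not e["is_latest"]]


if __name__ == "__main__":
    for url in noncurrent_targets("securitylabs-articles", SAMPLE_LISTING):
        print(url)
```

A plain GET of secret.txt would return 404 because the delete marker is the current version; the versioned URL for its older version still returns the content, which is why versioned buckets deserve a look beyond the current listing.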
Event notifications let users configure an action to run when a particular event takes place in the S3 bucket.
For instance, the above screenshot shows that for any PUT event a Lambda function called securitylabs-lambda is triggered. This means that whenever a file is uploaded to the S3 bucket, the Lambda is invoked with an event describing the bucket and the key of the new object.
This helps to automate processing, parsing of objects and various other use cases upon their upload to the S3 bucket. The flip side is that whoever can PutObject into the bucket can make the Lambda run on input of their choosing, so the function should treat the object key and content as untrusted.
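As an added example (not the article's securitylabs-lambda, whose code is not on the page), here is a Lambda handler for the PUT notification described above. It shows the shape of the event S3 delivers, the URL-decoding the key needs (S3 encodes keys in the event, with spaces as "+"), and the filtering a handler should do before acting on an upload. The sample event is constructed, and the allowed prefix and file types are assumptions for illustration.

```python
"""Lambda handler for an S3 ObjectCreated (PUT) notification.

Added example, not the article's own function. SAMPLE_EVENT is a constructed
event in the shape S3 sends to Lambda; ALLOWED_PREFIX and ALLOWED_SUFFIXES are
assumed policy for this illustration.
"""
from urllib.parse import unquote_plus

ALLOWED_PREFIX = "uploads/"          # assumption: only this prefix is processed
ALLOWED_SUFFIXES = (".txt", ".csv")  # assumption: only these file types


def handler(event, context=None):
    """Process S3 ObjectCreated records; return what was processed and what was skipped.

    Anyone who can PutObject into the bucket can trigger this function, so the
    key is untrusted input: it is decoded, then checked against the expected
    prefix and file type. ".." segments are rejected because S3 keys are
    arbitrary strings and must never be used to build a local path as-is.
    """
    processed, skipped = [], []
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3" or not record.get("eventName", "").startswith("ObjectCreated:"):
            skipped.append((None, "not an S3 ObjectCreated event"))
            continue
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])  # S3 URL-encodes the key in the event
        if not key.startswith(ALLOWED_PREFIX) or ".." in key.split("/"):
            skipped.append((key, "key outside allowed prefix"))
            continue
        if not key.lower().endswith(ALLOWED_SUFFIXES):
            skipped.append((key, "unexpected file type"))
            continue
        size = record["s3"]["object"].get("size", 0)
        processed.append({"bucket": bucket, "key": key, "size": size})
    return {"processed": processed, "skipped": skipped}


# Constructed sample event: one normal upload, one suspicious key, one delete.
SAMPLE_EVENT = {
    "Records": [
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "securitylabs-articles"},
                "object": {"key": "uploads/report+q1%3A2021.txt", "size": 1024}}},
        {"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
         "s3": {"bucket": {"name": "securitylabs-articles"},
                "object": {"key": "uploads/../config/settings.txt", "size": 12}}},
        {"eventSource": "aws:s3", "eventName": "ObjectRemoved:Delete",
         "s3": {"bucket": {"name": "securitylabs-articles"},
                "object": {"key": "uploads/old.txt"}}},
    ]
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

The same filtering can also be applied on the S3 side with a prefix and suffix filter on the notification configuration, which keeps the Lambda from being invoked at all for uploads outside the expected path; the check in the handler remains useful because the event configuration can be changed by anyone with PutBucketNotification.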