Amazon AWS Certified Security Specialty – Domain 4 – Identity & Access Management part 13
- IAM & S3
Hi everyone and welcome back to the KPLabs video series. In today’s lecture we’ll look at the role IAM plays in granting access to S3 buckets. Let’s take a very simple example where we have three IAM users, Andrew, Sarah and Mike, and two S3 buckets, one for design and one for finance. Andrew belongs to the finance team, Sarah belongs to the HR team and Mike belongs to the design team. So, logically, Mike from the design team should have full access to the design bucket and Andrew from the finance team should have full access to the finance bucket. Sarah is from the HR team, and since there is no HR bucket, Sarah should have no access at all. A very simple scenario, so let’s go ahead and implement it in S3 via IAM.
Just to show you, I have created three users, andrew, mike and sarah, and two buckets, kplabs-design and kplabs-finance. Andrew belongs to the finance team, so he should have full access to the kplabs-finance bucket. Let’s see how we can do that. I also have an Opera browser where I am logged in as Andrew. To confirm where we are starting from, if I go to S3 in that session it says you don’t have permission to view the S3 console. So let’s implement an IAM-based policy for Andrew. I’ll add an inline policy using the policy generator, select Amazon S3 as the service, allow all actions, and then we have to specify the ARN.
If you don’t know how to structure the ARN, just click the link next to the field; a tab opens, and a bit further down is the ARN format. I’ll copy it and fill in the bucket name, kplabs-finance. I’ll add the statement, click Next and name the policy KplabsFinanceFullAccess. If you look at the generated policy, you see s3:*, which is every action S3 has, on this particular resource, kplabs-finance. I’ll validate the policy and click Apply. Now let’s go back to Andrew’s session and see whether Andrew can see the buckets. I’ll click Refresh and, boom, Andrew is still not able to see the S3 buckets. This is a mistake a lot of people make while learning IAM.
The problem with this kind of policy is that it grants full access to this particular bucket, but what we are trying to do first is list the buckets that exist in S3, and that permission (s3:ListAllMyBuckets) has to be granted explicitly. So let’s create one more inline policy. I’ll use the policy generator again, select S3 and pick one specific action, ListAllMyBuckets, and for the ARN I’ll just put an asterisk. Let me add this statement. Now the user will be able to list all the buckets. Then I’ll add one more statement, and for this one I need to provide kplabs-finance. Okay, oops, I just made a mistake here. Let me try it once again.
Policy generator, S3. I’ll select ListAllMyBuckets with an asterisk as the ARN and add the statement. In the second statement I’ll allow s3:* for the ARN of kplabs-finance, and this time I’ll click Add Statement, which is what I forgot last time. Next, and I’ll name it KplabsFinance. The difference now is that the policy has ListAllMyBuckets on the resource *, so the user can see all the buckets in the account, and for this particular bucket, kplabs-finance, the user has full permission. Validate the policy, the policy is valid, click Apply. Now if I refresh Andrew’s session, Andrew should be able to see all the available buckets.
Okay, that looks right. As mentioned, kplabs-finance: if I go inside, it shows me the bucket is empty. If I try to open kplabs-design, it says you don’t have permission. Now, is everything correct here? This is the policy we have written. Do you think Andrew will have full permission on this particular bucket? Let’s try it out, and remember your answer, yes or no. Ideally, you see s3:* on this particular bucket. For the people who say yes and the people who say no, let’s find out. I’ll try to upload a snippet, a JPEG image file. And again, you see, permission denied.
So what went wrong? The first time you configure IAM with S3 it is a bit tricky, because you do all of this and it still doesn’t work. The answer is very simple: you need to add the bucket line again, so let me copy it, and append /* to it. The difference is that the first line gives full permission on the bucket itself and the second line gives full permission on the objects inside that bucket. The upload failed because we went inside the bucket and tried to upload something, and for that we did not have permission.
Now that I have given s3:* on both kplabs-finance and kplabs-finance/*, operations inside the bucket should work. Let me save this and try to upload the JPEG file once again. And now you see it is successful. This is one of the reasons I decided to create a lecture specifically on IAM-based policies for S3. In the exam there may be tricky policies where they give you a policy and ask why the user is still not able to view the bucket. Now you know these things, and I really hope you’ll be able to solve the questions related to IAM-based policies for S3 buckets.
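The three policy attempts from the demo can be replayed offline with a small evaluator. This is an added example, not code from the course or from AWS: it models only the part of IAM evaluation that matters here (explicit Deny wins, otherwise any Allow whose Action and Resource patterns match). The mapping of each S3 action to the resource form it is authorized against (ListAllMyBuckets against `*`, ListBucket against the bucket ARN, GetObject/PutObject against `bucket/key`) is real; the bucket names follow the lecture and the object key `photo.jpg` is a constructed stand-in for the uploaded JPEG.

```python
import fnmatch

# Added example: a simplified IAM evaluator that replays the lecture's three
# policy attempts. Teaching model only, not the AWS implementation.

FINANCE_ARN = "arn:aws:s3:::kplabs-finance"
DESIGN_ARN = "arn:aws:s3:::kplabs-design"

# Resource form each S3 API action is authorized against (subset of the real
# action table; these are the three kinds that matter in the demo).
ACTION_SCOPE = {
    "s3:ListAllMyBuckets": "account",  # matched only by Resource "*"
    "s3:ListBucket": "bucket",         # arn:aws:s3:::bucket
    "s3:GetObject": "object",          # arn:aws:s3:::bucket/key
    "s3:PutObject": "object",
}


def request_resource(action, bucket_arn=None, key=None):
    """Resource ARN that is evaluated for a given request."""
    scope = ACTION_SCOPE[action]
    if scope == "account":
        return "*"
    if scope == "bucket":
        return bucket_arn
    return f"{bucket_arn}/{key}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Explicit Deny wins; otherwise any statement whose Action and Resource
    patterns both match grants the request. '*' is an IAM-style wildcard."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Attempt 1: s3:* on the bucket ARN only (what the policy generator produced).
ATTEMPT_1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": FINANCE_ARN},
]}

# Attempt 2: ListAllMyBuckets on "*" is added so the console can list buckets.
ATTEMPT_2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": FINANCE_ARN},
]}

# Final: the object ARN (bucket/*) is added so uploads into the bucket work.
FINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": [FINANCE_ARN, FINANCE_ARN + "/*"]},
]}

# The console operations Andrew tried, as API action + bucket + object key.
OPERATIONS = {
    "list buckets": ("s3:ListAllMyBuckets", None, None),
    "open kplabs-finance": ("s3:ListBucket", FINANCE_ARN, None),
    "open kplabs-design": ("s3:ListBucket", DESIGN_ARN, None),
    "upload photo.jpg to kplabs-finance": ("s3:PutObject", FINANCE_ARN, "photo.jpg"),
}


def evaluate(policy):
    """Return {operation: allowed?} for Andrew under the given policy."""
    return {name: is_allowed(policy, action, request_resource(action, arn, key))
            for name, (action, arn, key) in OPERATIONS.items()}


if __name__ == "__main__":
    for label, policy in (("attempt 1", ATTEMPT_1), ("attempt 2", ATTEMPT_2), ("final", FINAL)):
        print(label, evaluate(policy))
```

Running it reproduces the demo: attempt 1 cannot list buckets, attempt 2 can list and open kplabs-finance but still cannot upload, and only the final policy with both ARNs allows the upload. kplabs-design stays denied throughout, which is the least-privilege outcome the scenario asks for.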
Going back to the presentation, let’s go to the next slide: the limitations of IAM. One very important thing to remember is that IAM grants permissions to users, roles and groups, and it cannot work outside users, roles and groups. Sometimes more granularity is needed. Take the example where we have a bucket and we want to allow a specific user with the IP address 10.20.50.72 to access it. For this kind of use case you cannot do it with IAM, so that is one limitation. The second example: let’s say we want to grant read-only permission on a particular bucket to everyone in the world.
Again, this second use case cannot be implemented with IAM either, and that is one of the reasons Amazon provides an additional mechanism called the S3 bucket policy, which we’ll look at in the next lecture.
- S3 Bucket Policies
Hey everyone and welcome back. In today’s video we will be discussing S3 bucket policies. One of the limitations of IAM is that it only works with principals such as IAM users, IAM groups, IAM roles and the AWS account itself. However, an S3 bucket is one entity that needs a great deal of granularity, and that granularity cannot be achieved with IAM alone. This is why we have S3 bucket policies, which are attached directly to the S3 bucket. Let me give you a few examples so you understand the need for bucket policies. If you look at the exam study guide, this is the Security Specialty exam study guide.
This is a PDF document, and the PDF is actually hosted on AWS S3. To verify, you can make a curl request directly, and in the response you’ll see that the Server header says AmazonS3. Along with that, you also have the AWS cost calculator, an application that is again hosted on S3. If I do a quick curl on this application as well, you see the server is returned as AmazonS3. A lot of organizations use Amazon S3 for hosting websites, web applications, and even audio files, video files and others. In this kind of scenario there are certain restrictions you need on top of the S3 bucket depending on the use case, so we will be looking at certain use cases in today’s lecture.
Let’s begin with one of them. For the demo I’ll create a bucket, kplabs-demo-crossover, in the North Virginia region. Let me go ahead and create it. You will see that the bucket is created and access to it is not public, which means no one from the public will be able to access the files inside it directly. Let’s go inside the bucket and upload a sample text file, demo.txt. Perfect. If I click on it, it gives the link to open or download that specific file.
Let me copy the link, and in my console I’ll try a curl on it. As expected, it shows Access Denied, because an S3 bucket by default is private. Now, if you want a scenario where whoever visits the file should be able to read it from any part of the world, one of the easiest ways is to make this specific file public and everyone will be able to read it. However, there are scenarios where only certain IP addresses should be able to access those files, and apart from those IP addresses no one should be able to read them. All those IP-address-related configurations can be done with the help of bucket policies.
So let’s go to the permissions associated with the bucket. Back in S3, within our bucket, I’ll go to Properties, then Permissions, and within Permissions you have Bucket Policy. This is where you can fine-tune access control for this specific bucket. The first access control we’ll look at is the IP-address-based condition. I have a sample bucket policy for S3; let me copy it and paste it here. What this bucket policy says is: the Principal is * (everyone), the Action is s3:*, meaning all the actions, and in Resource you give the ARN of the S3 bucket.
I’ll put kplabs-demo-crossover, and the IP address would be the address you want to allow to access this specific S3 bucket. Let me do a quick “what’s my IP”, copy my IP address and put it here. This is a single IP address; you can also specify a range, a subnet such as /24 or /16, and so on. Once you’ve done this, click Save. I’ll be posting these bucket policies below the video so you can download and practise them. Now that the bucket policy is in place, whenever a request is made to the S3 bucket, S3 verifies whether the request originates from this IP address, and if yes, it allows all the actions. Currently, if you see, this bucket is private.
Even though the bucket is private, within the bucket policy we can specify access-control rules and the bucket policy takes priority. Let’s go inside the bucket, copy the link and try to access it with curl. I’ll run curl and paste the link, and now you see I’m getting the message “This is a demo lecture from Zee.” So this is one example of an S3 bucket policy. There are various advanced bucket policy configurations you can do, but for a basic understanding I hope you understood what a bucket policy is all about. In the next video we will discuss in detail the bucket policy configurations for cross-account S3 bucket access. That’s it; I hope this video has been clear and I look forward to seeing you in the next one.
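The IP-restricted bucket policy above can be written out and its `aws:SourceIp` condition checked offline before anything is saved on a real bucket. This is an added example, not the course’s downloadable policy or AWS code: the policy structure (`Principal: "*"`, `s3:*`, the `IpAddress` operator on `aws:SourceIp`) is the real bucket-policy syntax, while the evaluator is a teaching model covering only that condition. The addresses are constructed from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24, and the object key `demo.txt` follows the lecture.

```python
import ipaddress

# Added example: the IP-restricted bucket policy from the lecture plus a small
# evaluator for the aws:SourceIp condition. Teaching model, not AWS code.

BUCKET_ARN = "arn:aws:s3:::kplabs-demo-crossover"


def ip_restricted_policy(allowed):
    """Bucket policy: anyone (Principal "*") may call any S3 action on the
    bucket and its objects, but only from the listed address(es)/CIDR(s)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyFromTheseAddresses",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": allowed}},
        }],
    }


def _networks(value):
    values = value if isinstance(value, list) else [value]
    # A bare address such as "203.0.113.7" is treated as a /32 host route.
    return [ipaddress.ip_network(v, strict=False) for v in values]


def condition_matches(condition, source_ip):
    """Evaluate the IpAddress / NotIpAddress operators on aws:SourceIp.
    Every operator in a Condition block must hold (logical AND)."""
    addr = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"unsupported condition operator: {operator}")
        if "aws:SourceIp" not in keys:
            raise ValueError(f"unsupported condition key under {operator}")
        hit = any(addr in net for net in _networks(keys["aws:SourceIp"]))
        if operator == "IpAddress" and not hit:
            return False
        if operator == "NotIpAddress" and hit:
            return False
    return True


def anonymous_read_allowed(policy, source_ip, key="demo.txt"):
    """Would an unauthenticated curl from source_ip be able to GET the object?
    Only Principal "*" statements are considered; Deny wins over Allow."""
    resource = f"{BUCKET_ARN}/{key}"
    allowed = False
    for stmt in policy["Statement"]:
        if stmt.get("Principal") != "*":
            continue
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(r == resource or r.endswith("/*") and resource.startswith(r[:-1]) for r in resources):
            continue
        if not condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed  # no matching Allow means S3's default: private


if __name__ == "__main__":
    single = ip_restricted_policy("203.0.113.7")
    subnet = ip_restricted_policy("203.0.113.0/24")
    for ip in ("203.0.113.7", "203.0.113.200", "198.51.100.9"):
        print(ip, anonymous_read_allowed(single, ip), anonymous_read_allowed(subnet, ip))
```

The point to keep in mind as a defender: the statement grants access to `Principal: "*"`, so any request arriving from a matching address is served without credentials. The condition is the only thing narrowing it, which is why a typo that widens the CIDR (say /16 where /24 was intended) silently widens who can read the bucket.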
- Cross Account S3 Bucket Configuration
Hey everyone and welcome back. In today’s video we will be discussing cross-account S3 access. Cross-account S3 access is a pretty common use case in a lot of organizations, so as far as real-world scenarios and the exam are concerned, it is important for us to understand how to achieve it. Let’s take an example where an organization has two AWS accounts. Account A has all the S3 buckets and account B has all the EC2 instances. The EC2 instances in account B need to periodically back up all their data to an S3 bucket that resides in account A. The question is how to achieve this use case.
We have already seen that an S3 bucket is private by default, meaning no one outside the AWS account can access it. The use case here is that a different AWS account altogether should be able to access the S3 bucket. This can again be achieved with the help of an S3 bucket policy, so let’s look at how. We are in the kplabs-demo-crossover bucket; I’ll go to Permissions and click Bucket Policy. This is the bucket policy we created earlier. If you notice, the Principal is *, meaning everyone, and then we specify the condition. For cross-account S3 bucket access, in the Principal you need to give the ARN of the destination AWS account that will be accessing this specific S3 bucket.
For our demo I already have a sample S3 bucket policy, which I’ll again put below the lecture so you can try it out yourself, and I’ll paste it here. In the Principal you’ll see I have the ARN of the destination account. Assuming the current account where the S3 bucket resides is account A and account B wants to access this specific bucket, here we have to specify the principal associated with account B. So from my account B I’ll copy the account number and quickly verify it. All right, this is the new account number I have pasted. So the Effect is Allow and the Principal is this account number.
The Action is s3:*, meaning all actions are allowed, and the Resource is kplabs-demo-crossover. That is the simple S3 bucket policy. Now, do remember that you don’t really need to write an S3 bucket policy from scratch: the bucket has a policy editor, and you will find a lot of bucket policy examples in the documentation. The only thing you need is to be able to search the documentation for the right example and to read what an S3 bucket policy really means. Once that is done, I can click Save. Perfect, it is saved. Now, within account B, let me go to IAM. There I have created an IAM user called account-b; this IAM user has administrator access and has an access key and secret key as well.
Coming back to the CLI, let me quickly show you what I have: two profiles, one with the access and secret key for account A and one with the access and secret key for account B, and we’ll see how this works. The first thing we do is aws s3 ls on the path s3://kplabs-demo-crossover with the profile set to account A, and I am able to see the contents of the S3 bucket. Now the same command with the profile set to account B, and currently it shows Access Denied. The answer to why this error occurs is quite interesting, and I have seen that in the exam a lot of people lose marks on questions that pertain to exactly the use case we are discussing.
The problem with this bucket policy, let me quickly open it, is that we are only giving access to the contents within the S3 bucket. Let me show you: if I do aws s3 cp on demo.txt (there is a file demo.txt in the bucket), I am able to download it successfully. However, when I try to list the bucket itself, it shows Access Denied. What you need to do is make Resource an array: there will be two ARNs specified here. Let me tune this policy: I’ll copy the resource line, paste it again, format it, remove the /* from the copy and close the array. The reason the error occurred is that in this specific ARN we were only allowing access to the contents within the S3 bucket.
There is a /* at the end, which means inside the S3 bucket, but for the S3 bucket itself we were not allowing any permission. If you look at the ARN of the bucket itself, we were not granting any permission on that ARN; we were only granting permission on the contents within the bucket, and that is why we were receiving the error. So I’ll click Save, and now that the policy is saved, we’ll go back to the console and run the same command as before. Now you can successfully see the demo.txt file. Do remember, it is very important to understand why we put two ARNs within the Resource field of the policy.
Chances are this will give you an opportunity to score in your certification exam when such questions are asked. Coming back to the topic: we have confirmed that account B has access to the S3 bucket. Now we will create a file called cross.txt containing “this is a file from account B” and save it. Then we’ll copy it: aws s3 cp cross.txt to s3://kplabs-demo-crossover/ with the profile set to account B. Perfect, cross.txt has been uploaded to the S3 bucket. To quickly verify, I’ll refresh the page, and now there are two files, demo.txt and cross.txt.
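The two versions of the cross-account bucket policy (objects only, then bucket plus objects) can be compared offline against the CLI commands used in the demo. This is an added example, not the course’s downloadable policy or AWS code: the mapping of `aws s3 ls` to `s3:ListBucket` on the bucket ARN and of `aws s3 cp` to `s3:GetObject`/`s3:PutObject` on object ARNs is real, while the evaluator is a teaching model that handles only the `Principal`, `Action` and `Resource` elements. The account IDs are placeholders, and the caller is assumed, as in the lecture, to be an administrator user in account B, so only the bucket policy decides the outcome.

```python
import fnmatch

# Added example: the lecture's cross-account bucket policy in its "before"
# (objects only) and "after" (bucket and objects) forms, with an evaluator
# that maps the demo's CLI commands to the API action and resource each needs.

BUCKET_ARN = "arn:aws:s3:::kplabs-demo-crossover"
ACCOUNT_A = "111111111111"  # placeholder: the account that owns the bucket
ACCOUNT_B = "222222222222"  # placeholder: the account that needs access

# Each CLI command from the lecture and the S3 API call it performs.
CLI_CALLS = {
    "aws s3 ls s3://kplabs-demo-crossover": ("s3:ListBucket", BUCKET_ARN),
    "aws s3 cp s3://kplabs-demo-crossover/demo.txt .": ("s3:GetObject", BUCKET_ARN + "/demo.txt"),
    "aws s3 cp cross.txt s3://kplabs-demo-crossover/": ("s3:PutObject", BUCKET_ARN + "/cross.txt"),
}


def cross_account_policy(resources):
    """Grant account B's root principal (and so any identity in account B
    that its own IAM policies allow) every S3 action on the listed resources."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowAccountB",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
        "Action": "s3:*",
        "Resource": resources,
    }]}


BEFORE = cross_account_policy(BUCKET_ARN + "/*")               # objects only
AFTER = cross_account_policy([BUCKET_ARN, BUCKET_ARN + "/*"])  # bucket + objects


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def principal_matches(principal, caller_arn):
    """'*' matches anyone; an account root ARN matches callers from that
    account (assuming the caller's own IAM policy allows the action)."""
    if principal == "*":
        return True
    for p in _as_list(principal.get("AWS", [])):
        if p == "*" or _account_of(p) == _account_of(caller_arn):
            return True
    return False


def bucket_policy_allows(policy, caller_arn, action, resource):
    """Explicit Deny wins; otherwise an Allow whose Principal, Action and
    Resource all match grants the request."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not principal_matches(stmt["Principal"], caller_arn):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def evaluate_cli(policy, caller_arn):
    """{command: allowed by the bucket policy?} for the given caller."""
    return {cmd: bucket_policy_allows(policy, caller_arn, action, resource)
            for cmd, (action, resource) in CLI_CALLS.items()}


USER_B = f"arn:aws:iam::{ACCOUNT_B}:user/account-b"
USER_A = f"arn:aws:iam::{ACCOUNT_A}:user/admin"

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        for cmd, ok in evaluate_cli(policy, USER_B).items():
            print(f"[{label}] {cmd}: {'allowed' if ok else 'denied'}")
```

Under `BEFORE`, the two `cp` commands succeed while `ls` is denied, which is exactly the symptom seen in the demo; under `AFTER` all three succeed. A caller from account A matches neither statement, which is fine here because account A’s own access to its bucket comes from its IAM policies, not from this bucket policy.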
So cross.txt was uploaded using the access and secret keys of the IAM user in account B, and demo.txt is what we uploaded from the console in the earlier video. That is it about cross-account S3 bucket access; I hope it has been understood. There is one challenge with this kind of access, and we’ll dedicate the entire next lecture to understanding it, but I would just like to give you a glimpse of what has happened. If I do aws s3 cp s3://kplabs-demo-crossover/demo.txt with the profile set to account A...
Oops, I have to specify the destination path; and now it says it has successfully downloaded. But if I try to download cross.txt, it shows a 403 Forbidden error. Even from the console, if you look here, it shows Access Denied. Even though I am an administrator user, in fact logged in as the root account, I am still getting Access Denied. Many people wonder why they are logged in with the root account and still cannot access those files. The question is why, and this is something we’ll discuss in the next video, covering the precautions you need to take specifically when it comes to cross-account S3 bucket access.