How to Create Security Policies for StorReduce

Using AWS Policy Generator to Generate a bucket policy

  1. In the dashboard as root, select the my-bucket-3 row and click on the Security Policy ‘Add’ button. Then click on the link to the AWS Policy Generator. This will open a new tab and go to Amazon’s policy generator site.

  2. Select Policy Type “S3 Bucket Policy”

  3. Cut-and-paste the principal values for the users who should be given access, comma-separated. The values can be copied from the StorReduce dashboard Users view, from the ARN column.

    Important Note: The policy generator does not allow you to specify anonymous access. Entering ‘*’ into the principal field will not work. Instead you will need to hand-edit the generated policy - see the ‘Anonymous/public access’ section below for details.

  4. Select actions you want the user to be able to take, or check ‘All Actions’

  5. Enter the resource ARN or ARNs for the bucket. For actions on a bucket, this should be “arn:aws:s3:::” followed by the bucket name, e.g. “arn:aws:s3:::my-bucket-1”. For actions on objects within a bucket this should be the bucket ARN followed by “/” and then a wildcard pattern for the object names, e.g. “arn:aws:s3:::my-bucket-1/*”. Multiple values can be comma-separated but without spaces in between.

  6. Note that to give a user access to perform all actions on a bucket you can check ‘All Actions’ and then supply the ARN as:

    arn:aws:s3:::my-bucket-1,arn:aws:s3:::my-bucket-1/*

  7. Leave the optional conditions empty.

  8. Click on ‘Add Statement’. Note that you can continue adding access rights by adding more statements.

  9. Click on ‘Generate Policy’ and then copy the resulting policy text to the clipboard. It can then be pasted in when adding a security policy in the StorReduce dashboard.

Example Generated Policy

The following bucket policy allows Alice and John to perform any action on my-bucket-3:

{
  "Id": "Policy1418941226016",
  "Statement": [
    {
      "Sid": "Stmt1418941176756",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::my-bucket-3",
        "arn:aws:s3:::my-bucket-3/*"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::0:user/john",
          "arn:aws:iam::0:user/alice"
        ]
      }
    }
  ]
}

Anonymous/public access

To specify anonymous access, generate the policy you want, but with an arbitrary value in the Principal field. Note that entering ‘*’ in the principal field produces an invalid principal value that will not match any users.

The generated policy will have principal fields that look like the following:

"Principal": {
  "AWS": [
    "bogus-principal-value"
  ]
}

You should replace it with the following:

"Principal": "*"

Warning: As well as allowing access to every user, this will also allow people access via HTTP without authenticating to the server (anonymous access).

Example policy for read-only anonymous access to a bucket

The following policy was generated, then edited to fix the Principal values and to give human-readable names for the Id and Sid fields. It grants read-only anonymous access to my-bucket-4:

{
  "Id": "Public bucket test policy",
  "Statement": [
    {
      "Sid": "Allow everyone to list bucket",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket-4",
      "Principal": "*"
    },
    {
      "Sid": "Allow everyone to get objects from bucket",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my-bucket-4/*",
      "Principal": "*"
    }
  ]
}
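A small check to run over a generated policy before pasting it into the dashboard, covering the rules above: step 5 (resource ARNs must belong to the bucket), step 6 (‘All Actions’ needs both ARN forms), object actions on a bare bucket ARN, and the Principal hand-edit from the anonymous access section. This is added example code, not part of StorReduce or this page; the ARN patterns and the short list of object actions are assumptions drawn from the forms shown here.

```python
import json
import re

# ARN shapes as shown on this page (assumption: the IAM account part is numeric, e.g. "0").
USER_ARN = re.compile(r"^arn:aws:iam::\d+:user/[^/]+$")
BUCKET_ARN = re.compile(r"^arn:aws:s3:::([^/]+)(/.*)?$")
# Illustrative subset (assumption): these act on objects, so they need a "bucket/pattern" resource.
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}

def _as_list(value):  # IAM JSON allows a string or a list for Action, Resource and Principal.AWS
    return [value] if isinstance(value, str) else list(value or [])

def lint_bucket_policy(policy_json, bucket):
    """Return findings (strings) for a generated policy before it is pasted into the dashboard."""
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    bucket_arn, objects_arn = f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/"
    findings = []
    for stmt in stmts:
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        principal = stmt.get("Principal")
        # Step 5: every resource must be this bucket, or an object pattern inside it.
        for arn in resources:
            m = BUCKET_ARN.match(arn)
            if not m or m.group(1) != bucket:
                findings.append(f"{sid}: resource {arn!r} does not belong to bucket {bucket!r}")
        # Step 6: 'All Actions' covers the whole bucket only with both ARN forms present.
        if "s3:*" in actions and not {bucket_arn, objects_arn + "*"} <= set(resources):
            findings.append(f"{sid}: s3:* needs both {bucket_arn} and {objects_arn}*")
        # Object actions never match the bare bucket ARN.
        if set(actions) & OBJECT_ACTIONS and not any(r.startswith(objects_arn) for r in resources):
            findings.append(f"{sid}: object actions need a resource of the form {objects_arn}<pattern>")
        # Anonymous access section: only "Principal": "*" is public; anything else must be a user ARN.
        if principal == "*" and stmt.get("Effect") == "Allow":
            findings.append(f"{sid}: PUBLIC - grants anonymous (unauthenticated HTTP) access")
        elif isinstance(principal, dict):
            for p in _as_list(principal.get("AWS")):
                if not USER_ARN.match(p):
                    findings.append(f"{sid}: principal {p!r} is not a user ARN; for anonymous "
                                    'access hand-edit it to "Principal": "*"')
    return findings

# Constructed sample: generator output with a placeholder principal and an object action on the bare bucket ARN.
SAMPLE = json.dumps({"Id": "demo", "Statement": [{"Sid": "Stmt1", "Action": "s3:GetObject", "Effect": "Allow",
    "Resource": "arn:aws:s3:::my-bucket-4", "Principal": {"AWS": ["bogus-principal-value"]}}]})
print("\n".join(lint_bucket_policy(SAMPLE, "my-bucket-4")))
```

Running it on the two example policies above reports nothing for the Alice/John policy and two PUBLIC findings for the read-only anonymous one.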