Learn about Prisma Cloud and Access Controls in Amazon S3. This article details how to establish ACLs, AWS S3 bucket policies, and user-based policies. Also find helpful information on Prisma Cloud and how to find more resources on LIVEcommunity. Got questions? Get answers on LIVEcommunity!
Prisma Cloud and Access Controls in Amazon S3
As technology advances, things can get more complicated, and that is nothing new when it comes to moving into the cloud and integrating with Prisma. Access controls in Amazon S3 in particular can get complicated quickly, so I wanted to take a second and help out with some AWS security tips.
I will talk a little about the access controls provided by AWS and about correctly defining access to your S3 buckets and the objects they store. The following areas will be discussed: S3 ACLs, S3 bucket policies, and user-based policies.
Access control lists help control access to S3 buckets and objects. You can see an example of this in the AWS web interface below:
This bucket will have public access: Everyone is granted one or more of the following: list objects, write objects, and read or write the bucket's permissions.
Even though Amazon now offers AWS Identity and Access Management (IAM) to control access to a bucket, ACLs can still be useful if you need to control permissions on individual objects within a bucket. However, there are newer and cleaner methods to control this access, which I will talk about in the next sections.
S3 bucket policies are an easy way to grant cross-account access without having to create roles: the policy's “Principal” IAM element names who is being granted access. Here is an example of a bucket policy:
Example of an AWS S3 Bucket Policy
Please be aware that if you do not define the Principal IAM element properly, then you can inadvertently open up your bucket to the public.
Another way to control access inside AWS is a user-based IAM policy. When configuring a user-based policy, it is recommended to take a “least privilege” approach and limit the access to only what is needed. Here is an example:
An Example of AWS S3 User-Based Policy
You now know about the ways to control access: ACLs, bucket policies, and user-based policies. But how do they all fit together?
In keeping with our recommendation of “least privilege,” access is granted only if an explicit allow exists and no explicit deny applies. Put more simply, if nothing is allowed, then nothing is granted. Also, an explicit deny will always overrule an explicit allow.
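To make the pieces above concrete, here is an added example (my own illustration, not code from the article, AWS, or Prisma Cloud) that spells out a bucket policy using the “Principal” element for a partner account, a least-privilege user-based policy beside an over-broad one, and a simplified evaluator that applies the rule just stated: an explicit deny anywhere wins, otherwise an explicit allow is required, otherwise the request is implicitly denied. It also flags the mistake from the bucket-policy section, an unconditional Allow open to any principal. Account IDs, bucket and object names are constructed; Condition blocks, NotAction/NotResource/NotPrincipal, service control policies and permission boundaries are deliberately not modelled.

```python
"""Simplified model of S3 access evaluation (added example; not the article's or AWS's code).

Assumptions: no Condition/Not* elements, no SCPs or permission boundaries, and an
account-root Principal matches only that account's root user. All values are constructed.
"""
import fnmatch

BUCKET = "arn:aws:s3:::example-bucket"   # constructed bucket ARN
OBJECTS = BUCKET + "/*"

# Constructed bucket policy: cross-account read access via Principal, plus an explicit
# Deny on deletes so that even a full-access user cannot remove objects.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PartnerReadOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, OBJECTS]},
        {"Sid": "NoDeletes", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": OBJECTS},
    ],
}

# Constructed user-based policies: least privilege (analyst) versus over-broad (power user).
ANALYST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListBucket", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
        {"Sid": "ReadReports", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": BUCKET + "/reports/*"},
    ],
}
POWER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*",
                   "Resource": [BUCKET, OBJECTS]}],
}
NO_POLICY = {"Version": "2012-10-17", "Statement": []}   # caller with no identity policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' any sequence, '?' one character. Simplification: case-sensitive
    # throughout (real IAM compares action names case-insensitively, ARNs case-sensitively).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _is_wildcard_principal(principal):
    # "*" or {"AWS": "*"} means everyone, including anonymous requests
    return principal == "*" or "*" in _as_list(principal.get("AWS", []))


def _principal_matches(principal, caller_arn):
    return _is_wildcard_principal(principal) or caller_arn in _as_list(principal.get("AWS", []))


def evaluate(caller_arn, action, resource, identity_policy, bucket_policy):
    """Return (decision, reason) for one request. Explicit Deny > explicit Allow > implicit Deny."""
    allow_reason = None
    for kind, policy in (("identity", identity_policy), ("bucket", bucket_policy)):
        for stmt in policy["Statement"]:
            # Identity policies have no Principal: they apply to the caller they are attached to
            if kind == "bucket" and not _principal_matches(stmt["Principal"], caller_arn):
                continue
            if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", f"explicit deny ({kind} policy, Sid {stmt['Sid']})"
            allow_reason = allow_reason or f"explicit allow ({kind} policy, Sid {stmt['Sid']})"
    if allow_reason:
        return "Allow", allow_reason
    return "Deny", "implicit deny (no statement allows this request)"


def public_allow_sids(bucket_policy):
    """Sids of unconditional Allow statements open to any principal: the public-bucket mistake."""
    return [s["Sid"] for s in bucket_policy["Statement"]
            if s["Effect"] == "Allow" and "Condition" not in s and _is_wildcard_principal(s["Principal"])]


if __name__ == "__main__":
    analyst = "arn:aws:iam::111111111111:user/analyst"        # constructed
    power = "arn:aws:iam::111111111111:user/power-user"       # constructed
    partner = "arn:aws:iam::222222222222:root"                # constructed
    for who, pol, action, key in [
        (analyst, ANALYST_POLICY, "s3:GetObject", "reports/q1.csv"),
        (analyst, ANALYST_POLICY, "s3:GetObject", "secrets/db.env"),
        (power, POWER_USER_POLICY, "s3:DeleteObject", "reports/q1.csv"),
        (partner, NO_POLICY, "s3:GetObject", "reports/q1.csv"),
    ]:
        print(who.rsplit("/", 1)[-1], action, key, evaluate(who, action, f"{BUCKET}/{key}", pol, BUCKET_POLICY))
    print("public allow statements:", public_allow_sids(BUCKET_POLICY))
```

The third request is the one worth noticing: the power user's identity policy allows `s3:*`, yet the delete is refused because the bucket policy's `NoDeletes` statement is an explicit deny, which overrules any allow. Swapping the `NoDeletes` principal for an Allow with `"Principal": "*"` is exactly what `public_allow_sids` would flag.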
As with any security policy, it is always a good idea to monitor interactions with your S3 buckets, along with any changes made to those policies and ACLs, including who made the changes.
Prisma Cloud (formerly RedLock) helps you manage Amazon S3 access control configurations and much more.
Please see the links below for more information on this and everything else that Prisma can do for you and your environment.
More Info
For more details on all of this, please see the full article published on our RedLock page, here: AWS Security Tips: Understanding Access Controls in Amazon S3.
Prisma Cloud
For more details on Prisma Cloud, including the discussion area, videos, and articles, please visit the LIVEcommunity Prisma Cloud page here: Prisma Cloud in the LIVEcommunity.
Or you can visit the Palo Alto Networks Prisma Cloud page here: Public Cloud Products.
Thanks for taking the time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog area.
As always, we welcome all comments and feedback in the comments section below.
Stay Secure,
Joe Delio
End of line