Learn about Prisma Cloud and Access Controls in Amazon S3. This article details how establish ACLs, AWS S3 bucket policies, and user-based policies. Also find helpful information for Prisma Cloud and how to find more resources on LIVEcommunity. Got questions? Get answers on LIVEcommunity!
As technology advances, things can get more complicated. And that is nothing new when it comes to moving into the cloud and integrating with Prisma. Things can get complicated quickly when working with Access Controls and Amazon S3. So I wanted to take a second and help out with some AWS security tips.
I will talk a little about access controls provided by AWS and correctly defining access to your S3 buckets and the objects it stores. The following areas will be discussed: S3 ACLs, S3 bucket policies, and user-based policies.
Amazon S3 ACLs
Access control lists help control access to S3 buckets and objects. You can see an example of this in the AWS web interface below:
Even though Amazon now offers AWS Identity and Access Management (IAM) to control access to a bucket, ACLs can still be useful if you need to control permissions on individual objects within a bucket. However, there are newer and cleaner methods to control this access, which I will talk about in the next sections.
AWS S3 Bucket Policies
An easy way to grant cross-account access without having to create roles using the “Principal” IAM element is to use S3 bucket policies. Here is an example of a bucket policy:
Please be aware that if you do not define the Principal IAM element properly, then you can inadvertently open up your bucket to the public.
User-Based Policy
Another way to control user-based access inside AWS is to use a user-based policy. When configuring a user-based policy, it is recommended to take a “least privilege” approach to limit the access to only what is needed. Here is an example:
Wrapping It All Up
You know about the ways to control the access: ACLs, buckets, and user-based policies, but how do those all fit together?
Per our recommendation of “least privilege,” access will only be granted if both a no explicit deny and explicit allow exists. Put in simpler terms, if nothing is allowed, then nothing is granted access. Also, an explicit deny will always overrule an explicit allow.
As with any security policy, it is always a good idea to monitor interactions with your S3 buckets, along with any changes made to those policies, ACLs, including who makes those changes.
How Prisma Fits In
Prisma Cloud (formerly RedLock) helps you manage Amazon S3 access control configurations and much more.
Please see the links below for more information on this and everything else that Prisma can do for you and your environment.
More Info
or more details on all of this, please see the full article that is published on our RedLock page, here: AWS Security Tips: Understanding Access Controls in Amazon S3.
Prisma Cloud
For more details on Prisma Cloud, discussion area, videos and articles, please visit the LIVEcommunity Prisma Cloud page here: Prisma Cloud in the LIVEcommunity.
OR you can also visit Palo Alto Networks Prisma Cloud page here: Public Cloud Products.
Thanks for taking the time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog area.
As always, we welcome all comments and feedback in the comments section below.
Stay Secure,
Joe Delio
End of line
- kiwi on: Get to know Cyber Elite: @MP18
- nishetty on: Celebrating Women’s Equality Day
- vkannan on: Panorama Orchestrated Azure Deployments Now in Beta
- kiwi on: What Are Applications and Services?
- jdelio on: More on SSL Decryption
- mike.pochan on: Coming Soon: Prisma Access 1.7
-
Infrastructure_
TBS on: New GlobalProtect 5.2 Is Here -
icharkashy
on:
How To Configure SNMP Traps Log Forwarding
- Networks01 on: HTTP/2 Inspection
-
vjowers
on:
Celebrating Social Media Day
