Learn about Prisma Cloud and Access Controls in Amazon S3. This article details how to establish ACLs, AWS S3 bucket policies, and user-based policies, and where to find more Prisma Cloud resources on LIVEcommunity.
Prisma Cloud and Access Controls in Amazon S3
As technology advances, things can get more complicated. And that is nothing new when it comes to moving into the cloud and integrating with Prisma. Things can get complicated quickly when working with Access Controls and Amazon S3. So I wanted to take a second and help out with some AWS security tips.
I will talk a little about the access controls provided by AWS and about correctly defining access to your S3 buckets and the objects they store. The following areas will be discussed: S3 ACLs, S3 bucket policies, and user-based policies.
Amazon S3 ACLs
Access control lists help control access to S3 buckets and objects. You can see an example of this in the AWS web interface below:
This bucket will have public access: the Everyone grantee is given one or more of the following: list objects, write objects, and read and write permissions.
Even though Amazon now offers AWS Identity and Access Management (IAM) to control access to a bucket, ACLs can still be useful if you need to control permissions on individual objects within a bucket. However, there are newer and cleaner methods to control this access, which I will talk about in the next sections.
AWS S3 Bucket Policies
S3 bucket policies are an easy way to grant cross-account access without having to create IAM roles: the policy's “Principal” IAM element names the account or user that receives the access. Here is an example of a bucket policy:
Example of an AWS S3 Bucket Policy
Please be aware that if you do not define the Principal IAM element properly (for example, by using the wildcard “*” as the Principal in an Allow statement), then you can inadvertently open up your bucket to the public.
Another way to control user-based access inside AWS is to use a user-based policy. When configuring a user-based policy, it is recommended to take a “least privilege” approach to limit the access to only what is needed. Here is an example:
An Example of AWS S3 User-Based Policy
Wrapping It All Up
You now know about the ways to control access: ACLs, bucket policies, and user-based policies, but how do they all fit together?
Per our recommendation of “least privilege,” access is granted only if an explicit allow exists and no explicit deny applies. Put in simpler terms, if nothing is allowed, then nothing is granted access. Also, an explicit deny will always overrule an explicit allow.
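To make the Principal caveat and the evaluation order above concrete, here is an added Python example that is not part of the original article: it loads a constructed bucket policy, flags Allow statements whose Principal is the wildcard, and evaluates requests with the simplified rules just described (default deny, explicit deny wins). The account ID and bucket name are placeholders, and Condition elements are not evaluated.

```python
import json
from fnmatch import fnmatchcase

# Constructed bucket policy for illustration (not the article's screenshot).
# The account ID and bucket name are placeholders. The third statement is the
# mistake the article warns about: an Allow whose Principal is the wildcard.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CrossAccountObjectAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyDeleteForEveryone", "Effect": "Deny", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AccidentalPublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}
  ]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(stmt):
    """Flatten the Principal element (required in bucket policies) into a
    list of strings; "*" means anyone, including anonymous callers."""
    principal = stmt["Principal"]
    if isinstance(principal, dict):
        return [p for vals in principal.values() for p in _as_list(vals)]
    return _as_list(principal)

def _matches(stmt, principal, action, resource):
    return (any(p in ("*", principal) for p in _principals(stmt))
            and any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def public_allow_sids(policy):
    """Sids of Allow statements that grant access to the wildcard principal
    with no Condition, i.e. the statements that make the bucket public."""
    return [s.get("Sid", "?") for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in _principals(s)
            and "Condition" not in s]

def is_allowed(policy, principal, action, resource):
    """Simplified S3 evaluation: default deny, and an explicit Deny always
    wins over an Allow. Condition elements are ignored in this model."""
    matching = [s for s in policy["Statement"]
                if _matches(s, principal, action, resource)]
    if any(s["Effect"] == "Deny" for s in matching):
        return False
    return any(s["Effect"] == "Allow" for s in matching)
```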
As with any security policy, it is always a good idea to monitor interactions with your S3 buckets, along with any changes made to those policies and ACLs, including who made those changes.
How Prisma Fits In
Prisma Cloud (formerly RedLock) helps you manage Amazon S3 access control configurations and much more. Please see the links below for more information on this and everything else that Prisma can do for you and your environment.