Sunday, February 24, 2019

AWS S3: policy examples

AmazonS3ReadOnlyAccess
Provides read only access to all buckets via the AWS Management Console.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}

AmazonS3FullAccess
Provides full access to all buckets via the AWS Management Console.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

AWS IAM: Starting with a user Checklist

Before starting: download the policy CSV and doc file.

Create the user:
Attach the user to a group (or groups):
Email the credentials:
Download the CSV file, rename it and upload it to the "S3 credential" folder:

Update the Excel "Access table":
Update the "Policy details" doc:

Create the user_name policy as per the "Access table":
Check against the "Access table":
Add the permission to user_*:

Check the user's permissions and group:
Test in an incognito window:

After the bucket and user have been created successfully, save and upload these two files to the cloud.

Close this window after save/upload/delete.

Wednesday, February 20, 2019

AWS S3: public access settings

How Do I Block Public Access to S3 Buckets?

(collected from Amazon)

Amazon S3 Block Public Access prevents the application of any settings that allow public access to data within S3 buckets.

Viewing Access Status
The list buckets view shows whether your bucket is publicly accessible.

  • Public – Everyone has access to one or more of the following: List objects, Write objects, Read and write permissions.
  • Objects can be public – The bucket is not public, but anyone with the appropriate permissions can grant public access to objects.
  • Buckets and objects not public – The bucket and objects do not have any public access.
  • Only authorized users of this account – Access is isolated to IAM users and roles in this account and AWS service principals because there is a policy that grants public access.

Editing Public Access Settings for an S3 Bucket

Access control lists (ACLs) are used to grant basic read/write permissions to other AWS accounts.

Bucket policies use a JSON-based access policy language to manage advanced permissions to your Amazon S3 resources.

Setting Bucket and Object Access Permissions

Bucket access permissions specify which users are allowed access to the objects in a bucket and which types of access they have. Object access permissions specify which users are allowed access to the object and which types of access they have. For example, one user might have only read permission, while another might have read and write permissions.

Bucket and object permissions are independent of each other. An object does not inherit the permissions from its bucket. For example, if you create a bucket and grant write access to a user, you will not be able to access that user’s objects unless the user explicitly grants you access.

To grant access to your buckets and objects to other AWS accounts and to the general public, you use resource-based access policies called access control lists (ACLs).
A bucket policy is a resource-based AWS Identity and Access Management (IAM) policy that grants other AWS accounts or IAM users access to an S3 bucket. Bucket policies supplement, and in many cases replace, ACL-based access policies.

Set Permissions on an Object

ACLs are resource-based access policies that grant access permissions to buckets and objects.

Owner access
The owner refers to the AWS account root user, and not an AWS Identity and Access Management (IAM) user.

Access for other AWS accounts

Public access
To grant access to your object to the general public (everyone in the world), under Public access, choose Everyone. Granting public access permissions means that anyone in the world can access the object.

Warning
Everyone: Read objects only.
We highly recommend that you do not grant the Everyone group write object permissions. Doing so allows anyone to overwrite the ACL permissions for the object.

Bucket Policy

Cross-Origin Resource Sharing (CORS)

Tuesday, February 19, 2019

AWS S3: Starting with a bucket: Checklist

Before starting: download the policy CSV and doc file.

Manage buckets in a consistent way.

Bucket name: "mg-my-bucket"

Versioning: if needed.

Replication: if needed.

Lifecycle rules are very important for a bucket:
Rule names (examples):

  • "Delete the previous version after 90 days."
  • "Transition to Standard-IA after 30, and to Glacier after 90 days."
  • "Standard-IA - 30, Glacier - 90, delete the previous version - 29 days."

Configure expiration:
  • Permanently delete previous versions.
  • Clean up expired object delete markers.
Bucket policy: not used at all; access is managed through the user-xyz policy.

Close this window after save/upload/delete.

Creating user:
Tags:
user: sharif
purpose: data research
location: dhaka

IAM S3 Bucket policy:
Policy name: user-nazzin
Description: Limited access - data-research-nazzin

AWS S3 policy: allow access from the specific IP address

To allow access only from specific IP addresses, you may approach it the other way around.
Enable the selected actions in one policy. Then create a Deny policy like the one below and attach it to a group.

Result: only access from the listed IPs is allowed.

Example:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "103.230.93.95/26",
                        "103.231.89.4/26"
                    ]
                }
            }
        }
    ]
}
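An added example, not part of the original post: a small Python evaluator showing how an Allow policy like the AmazonS3ReadOnlyAccess document above combines with this Deny policy under IAM's rules (an explicit Deny wins, otherwise a matching Allow is required, otherwise the request is implicitly denied). It uses the plain NotIpAddress operator (aws:SourceIp is single-valued, so no ForAnyValue prefix is needed), models the fact that a request with no aws:SourceIp key, such as one arriving through a VPC endpoint, still satisfies NotIpAddress and is therefore denied, and makes visible that the Deny covers only the one action listed, so other allowed actions remain reachable from any address. The policy dicts and source addresses are constructed for the example.

```python
import fnmatch
import ipaddress

# Constructed policies (not AWS-managed policy documents): the first mirrors
# AmazonS3ReadOnlyAccess, the second is the post's Deny-unless-from-these-IPs
# policy with the plain NotIpAddress operator (aws:SourceIp is single-valued).
ALLOW_READ = {"Statement": [{"Effect": "Allow",
                             "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
DENY_OFF_NET = {"Statement": [{"Effect": "Deny", "Action": "s3:ListAllMyBuckets",
                               "Resource": "*",
                               "Condition": {"NotIpAddress": {"aws:SourceIp": [
                                   "103.230.93.95/26", "103.231.89.4/26"]}}}]}
POLICIES = [ALLOW_READ, DENY_OFF_NET]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def _condition_matches(cond, ctx):
    """Only IpAddress / NotIpAddress are modelled; no Condition means 'matches'."""
    for op, pairs in (cond or {}).items():
        for key, cidrs in pairs.items():
            if key not in ctx:
                # Missing key: IpAddress is false but NotIpAddress is true, which is
                # why this Deny also hits requests arriving via a VPC endpoint.
                if op == "IpAddress":
                    return False
                continue
            hit = _ip_in_any(ctx[key], _as_list(cidrs))
            if (op == "IpAddress" and not hit) or (op == "NotIpAddress" and hit):
                return False
    return True

def _applies(stmt, action, ctx):
    # IAM action names match case-insensitively, with '*' as the wildcard.
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                for a in _as_list(stmt["Action"]))
            and _condition_matches(stmt.get("Condition"), ctx))

def evaluate(policies, action, ctx):
    """Explicit Deny wins; otherwise any matching Allow; otherwise implicit deny."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if _applies(s, action, ctx)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"
```

Calling evaluate(POLICIES, "s3:ListAllMyBuckets", {"aws:SourceIp": "8.8.8.8"}) returns "Deny", while the same call for s3:GetObject returns "Allow" because the Deny never names that action.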