Administering Account Resources
Describes how to set policies for controlling access.
Entities in an Account (users, groups, and policies) are treated as resources. Buckets are the containers that hold objects.
In a policy document, the create and list operations act on a bucket as a whole. Hence, they are called bucket operations:
- create a user in the bucket sales
- list all users in the bucket sales
Other operations act on a specific user, group, or policy, that is, on specific objects. They are therefore called object operations.
Examples:
- user* (all users in an account)
- user/john (user john in a specific account)
- group* (all groups in an account)
- group/sales (group ‘sales’ in a specific account)
Under the Resource heading of a policy document, objects are specified in one of two formats:
- bucket* (one of the 3 bucket names followed by * to mean all objects in that bucket)
- bucket/object (one of the 3 bucket names followed by a slash and the object name, to specify a single object)
Bucket operations can be performed only on a Bucket resource, and Object operations can be performed only on an Object resource.
By default, the account administrator is allowed to perform all operations. The following policy framework applies when the Account Admin wants to allow other users in the account to perform the Admin Operations.
Principals Format
Principals are users or groups that are allowed access to specific operations and are listed under the Principal tag of a JSON policy document. The format of a principal is as follows:
arn:<domain_name>:<account_name>:user/<username>
User Admin Operations Authorization
Operation | Action | Resource/Values | Sample Statement |
---|---|---|---|
add (bucket operation) | admin:CreateUser | "arn:aws:s3:::user" | meaning: User asok can create users in an account. |
list (bucket operation) | admin:ListUsers | "arn:aws:s3:::user" | meaning: User asok can list users in an account. |
addgroups/removegroups (object operations) | admin:AddUserToGroups, admin:RemoveUserFromGroups | | meaning: Users asok and joe can add groups to all users. meaning: User asok can remove groups only for user joe. |
disable/enable (object operations) | admin:DisableUser, admin:EnableUser | | meaning: Users asok and joe can disable all users. meaning: User asok can enable only user joe. |
remove, info (object operations) | admin:RemoveUser, admin:GetUserInfo | | meaning: Users asok and joe can fetch (display) information about all users. meaning: User asok can remove only user joe. |
Group Admin Operations Authorization
Operation | Action | Resource/Values | Sample Statement |
---|---|---|---|
add (bucket operation) | admin:CreateGroup | "arn:aws:s3:::group" | meaning: User asok can create groups in an account. |
list (bucket operation) | admin:ListGroups | "arn:aws:s3:::group" | meaning: User asok can list groups in an account. |
remove, info (object operations) | admin:RemoveGroup, admin:GetGroupInfo | | meaning: User asok can remove group sales in an account. meaning: User sharad can remove any group in an account. |
Policy Admin Operations Authorization
Operation | Action | Resource/Values | Sample Statement |
---|---|---|---|
add, update, list, remove, info (bucket operations) | admin:CreatePolicy, admin:ListPolicies, admin:RemovePolicy, admin:GetPolicyInfo | "arn:aws:s3:::policy" | meaning: User joe can read all policies and list all policies in the account. Individual policies are not secured separately: a user can operate on all policies or none. |
set, unset (object operations) | | | meaning: User joe can attach and detach policies from all users. Here the user is the resource that must be guarded, so the resource value has user as its resource type. |
AccessKey Admin Operations Authorization
Operation | Action | Resource/Values | Sample Statement |
---|---|---|---|
(object operation on a user) | | | None |
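The evaluator below is an added example, not code from this product's documentation or implementation. It ties together the Principals Format section and the User, Group and Policy Admin Operations tables: it assumes a statement shape of Effect/Principal/Action/Resource (the page shows only the Principal ARN format, the admin:* action names and the resource ARNs, never a full statement), uses a constructed domain name and account name in the principal ARNs, classifies each action as a bucket or object operation exactly as the tables do, and enforces the rule that bucket operations are allowed only on a bucket resource and object operations only on an object resource. The sample policy is constructed to mirror the meanings given in the User Admin table, and the check names in demo() are constructed too.

```python
"""Toy evaluator for the admin-operations policy framework described above.

Assumed statement shape (the page gives only the Principal ARN format, the
admin:* action names and the resource ARNs, not a full statement):
    {"Effect": "Allow", "Principal": [...], "Action": [...], "Resource": [...]}
"""

RESOURCE_PREFIX = "arn:aws:s3:::"
BUCKETS = ("user", "group", "policy")  # the three resource containers

# Bucket operations act on a container; object operations act on one entity.
# Classification taken from the tables on this page.
BUCKET_ACTIONS = {
    "admin:CreateUser", "admin:ListUsers",
    "admin:CreateGroup", "admin:ListGroups",
    "admin:CreatePolicy", "admin:ListPolicies",
    "admin:RemovePolicy", "admin:GetPolicyInfo",
}
OBJECT_ACTIONS = {
    "admin:AddUserToGroups", "admin:RemoveUserFromGroups",
    "admin:DisableUser", "admin:EnableUser",
    "admin:RemoveUser", "admin:GetUserInfo",
    "admin:RemoveGroup", "admin:GetGroupInfo",
}


def classify_resource(arn):
    """Return ("bucket", "user") for arn:aws:s3:::user, or ("object", path)
    for arn:aws:s3:::user* and arn:aws:s3:::user/joe. Anything else is
    rejected, so a typo in a policy cannot silently widen or narrow it."""
    if not arn.startswith(RESOURCE_PREFIX):
        raise ValueError(f"unsupported resource ARN: {arn!r}")
    path = arn[len(RESOURCE_PREFIX):]
    if path in BUCKETS:
        return "bucket", path
    for bucket in BUCKETS:
        if path == bucket + "*" or path.startswith(bucket + "/"):
            return "object", path
    raise ValueError(f"unrecognised resource path: {path!r}")


def resource_matches(pattern_arn, requested_arn):
    """Does one Resource entry of a statement cover the requested resource?"""
    pattern_kind, pattern = classify_resource(pattern_arn)
    requested_kind, requested = classify_resource(requested_arn)
    if pattern_kind != requested_kind:
        return False
    if pattern_kind == "bucket":
        return pattern == requested
    if pattern.endswith("*"):  # bucket* covers every object in that bucket
        return requested == pattern or requested.startswith(pattern[:-1] + "/")
    return pattern == requested  # bucket/object covers exactly one object


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, principal, action, resource):
    """Default deny. Allow only when the action's kind matches the resource's
    kind (the page's bucket/object rule) and some Allow statement names the
    principal, the action and a matching resource."""
    if action in BUCKET_ACTIONS:
        kind = "bucket"
    elif action in OBJECT_ACTIONS:
        kind = "object"
    else:
        raise ValueError(f"unknown admin action: {action!r}")
    if classify_resource(resource)[0] != kind:
        return False
    for statement in policy["Statement"]:
        if statement.get("Effect", "Allow") != "Allow":
            continue
        if principal not in _as_list(statement["Principal"]):
            continue
        if action not in _as_list(statement["Action"]):
            continue
        if any(resource_matches(p, resource) for p in _as_list(statement["Resource"])):
            return True
    return False


# Constructed principals: domain "example.local" and account "acme" are assumptions.
ASOK = "arn:example.local:acme:user/asok"
JOE = "arn:example.local:acme:user/joe"

# Constructed policy mirroring the meanings in the User Admin table.
SAMPLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": ASOK, "Action": "admin:CreateUser",
     "Resource": "arn:aws:s3:::user"},                 # asok can create users
    {"Effect": "Allow", "Principal": [ASOK, JOE], "Action": "admin:DisableUser",
     "Resource": "arn:aws:s3:::user*"},                # asok and joe can disable all users
    {"Effect": "Allow", "Principal": ASOK, "Action": "admin:EnableUser",
     "Resource": "arn:aws:s3:::user/joe"},             # asok can enable only joe
]}


def demo():
    """The checks a reviewer would make when reading SAMPLE_POLICY."""
    return {
        "asok creates users": is_allowed(SAMPLE_POLICY, ASOK, "admin:CreateUser", "arn:aws:s3:::user"),
        "joe creates users": is_allowed(SAMPLE_POLICY, JOE, "admin:CreateUser", "arn:aws:s3:::user"),
        "joe disables asok": is_allowed(SAMPLE_POLICY, JOE, "admin:DisableUser", "arn:aws:s3:::user/asok"),
        "asok enables joe": is_allowed(SAMPLE_POLICY, ASOK, "admin:EnableUser", "arn:aws:s3:::user/joe"),
        "asok enables bob": is_allowed(SAMPLE_POLICY, ASOK, "admin:EnableUser", "arn:aws:s3:::user/bob"),
        # a bucket operation requested against an object resource is denied by the kind rule
        "asok creates user/joe": is_allowed(SAMPLE_POLICY, ASOK, "admin:CreateUser", "arn:aws:s3:::user/joe"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} -> {'allow' if ok else 'deny'}")
```

The kind check runs before any statement is consulted, so a statement that grants admin:CreateUser on "arn:aws:s3:::user/joe" (or admin:DisableUser on the bare "arn:aws:s3:::user" bucket) never takes effect; that is the practical consequence of the page's rule that bucket and object operations match only their own resource kind.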