[00:00:06 - 00:01:15]
Now let's review a demo of creating a bucket policy for public read access. So we're back in S3, taking a look at the AWS Fundamentals 2nd Edition bucket that we created earlier. Here's an object that we uploaded earlier. And so, if we needed this bucket to be publicly accessible, if this bucket were meant to house some type of information that you wanted to disseminate to the public at large, to anonymous users, then there are a couple of ways to go about that. If we were to go to Permissions, we could use access control lists, and we could say that everyone is allowed to do certain things. We could say everyone is allowed to list, and everyone is allowed to read, and those are fairly coarse-grained. They actually provide a number of different operations within those. And I typically don't like using access control lists, because they are very coarsely grained.

[00:01:15 - 00:02:26]
If we were to use a policy (I'm going to go ahead and cancel that), because if we were to use a policy, then the bucket policy allows us to be much more granular, and we can specify exactly which permissions we want people to have. And so going back here to access control, for example, the read bucket permission gives, like I said, quite a few different permissions. But maybe we only want them to have some, but not others. And we can do that with bucket policies. And so a bucket policy is very similar to the policies that we might apply to our users and groups. It's written in the same kind of language. So I'm going to go ahead and paste one here, one that I've already prepared, and then we'll just talk through it. And you can see that we have a policy that includes a version and a statement. The version is not our version. This is the version of the policy language, and so this is the date on which that version of the policy language was last published, back in 2012.

[00:02:27 - 00:03:42]
So again, when you see versions within policies, whether it's an S3 bucket policy or a policy applied to a user, that version is pulled from the AWS documentation. And so then, of course, Statement is really a collection of statements, and we really only need one right here. So we have one statement here. And that statement says that we are going to allow. This is the most important part of this whole thing right here: the principal. We're using an asterisk here, meaning we're allowing anyone and everyone, including anonymous users, people who are not authenticated against the AWS API. So essentially the asterisk here means public. And then we're allowing anyone and everyone the ability to perform the S3 GetObject action, which means to download from anywhere in this particular bucket. So another important part of this is the resource, and so we have the name of the bucket here, and then slash star means all objects in the bucket. And so we could grant access only to a limited prefix. We could say, well, you're allowed to download, but only objects with a common prefix.

[00:03:43 - 00:04:58]
Or if we remove that again, then we're saying every object in the bucket. And then, of course, we could list other actions. We could say GetObjectVersion. We could say ListBucket. There's a number of other actions that we could grant access to. If we wanted the public at large, anyone and everyone, to upload, then we could also add PutObject. Using PutObject would allow people to upload. So we don't need to do that. So again, by allowing an asterisk here for the principal, we're allowing everyone to download objects from that bucket, and I'm going to save that. And now the console is warning me. Amazon has done a really good job of highlighting buckets that provide public permission. And so keep in mind that it is the customers' responsibility to configure these policies appropriately. It is then your responsibility to communicate with members of your team: "Hey, this particular bucket is public. Don't put sensitive information there." Now, it says this bucket has public access.

[00:04:58 - 00:05:55]
"We highly recommend that you never grant any kind of public access to your S3 bucket," but I think that's a little heavy-handed, because there are times when you need to do that. If we were to go back, we looked at this bucket earlier, and then of course, up here it shows that this is public as well; it's highlighting the fact that it's public. But if we were to take a look at cerulean.systems, we looked at this earlier, the reason it needs to be public is because, if we go to Properties, this bucket is configured for static website hosting. If it weren't publicly readable, then we would not be able to serve the website from the bucket. So I don't know if I necessarily agree with that statement, "never make them public." There are times and places when you need to do that. My recommendation would be: be aware of what it means, and communicate to your team that information in that bucket is now publicly available.

[00:05:57 - 00:06:09]
So again, just as a recap there, if you wanted to, if you had a need to make certain buckets publicly available, you could do that through access control lists or through bucket policies.
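The policy pasted in the video is described but not shown verbatim, so the following is an added example (editor's code, not the course's own) that reconstructs it from the narration: Version `2012-10-17`, one Allow statement, Principal `*`, Action `s3:GetObject`, and a Resource of `arn:aws:s3:::<bucket>/*` or, as the narrator suggests, a narrower `<bucket>/<prefix>/*`. It also does what the console warning does for you: scan a policy document and report every statement that grants access to a public principal, rating a grant that includes `s3:PutObject` (which the narrator deliberately leaves out) as more serious than a read-only one. The bucket name, the account ID and the sample policies are constructed placeholders, and the public-principal forms it recognises (`"*"` and `{"AWS": "*"}`) are the two that AWS treats as "everyone, including anonymous callers".

```python
import json
from typing import Any, Dict, List, Optional

# Constructed placeholder; the course's real bucket name is not given in the transcript.
BUCKET = "example-public-read-bucket"

# Actions that change bucket contents; a public grant of any of these is a write exposure.
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:*", "*"}


def public_read_policy(bucket: str, prefix: Optional[str] = None) -> Dict[str, Any]:
    """Build the public-read bucket policy described in the video.

    With prefix=None the Resource is <bucket>/* (every object in the bucket);
    with a prefix it is <bucket>/<prefix>/* so only keys under that prefix
    can be downloaded by anonymous callers.
    """
    key_pattern = "*" if prefix is None else f"{prefix.strip('/')}/*"
    return {
        "Version": "2012-10-17",  # version of the policy language, not "our" version
        "Statement": [
            {
                "Sid": "PublicReadGetObject",
                "Effect": "Allow",
                "Principal": "*",  # asterisk = anyone, including unauthenticated users
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{key_pattern}",
            }
        ],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public(principal: Any) -> bool:
    """True for the two principal forms AWS treats as public: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_grants(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Report every Allow statement with a public Principal.

    severity is "write" when the statement allows any content-changing action
    (anyone could upload), otherwise "read" (anyone can download, which is the
    intended state for a static-website bucket). Deny statements are ignored.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        actions = _as_list(stmt.get("Action"))
        severity = "write" if any(a in WRITE_ACTIONS for a in actions) else "read"
        findings.append({
            "index": idx,
            "sid": stmt.get("Sid"),
            "actions": actions,
            "resources": _as_list(stmt.get("Resource")),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    # Policy limited to a common prefix, as the narrator suggests as an alternative to /*.
    policy = public_read_policy(BUCKET, prefix="site")
    print(json.dumps(policy, indent=2))
    for finding in public_grants(policy):
        print(f"public {finding['severity']} grant: {finding['actions']} on {finding['resources']}")
```

Run the audit against the policy you are about to save, not just against the one the console shows afterwards; a "read" finding on a bucket that is meant to host a website is expected, while any "write" finding, or a "read" finding on a bucket whose contents your team believes are private, is the case the narrator tells you to communicate and fix.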