Overview
This document is the reference point for tagging AWS S3 access controls. Please refer to Infra-Tagging-Guidance for the necessary context.
We have decided to use AWS S3 access points to scale our S3 permission policies. This document covers only the access controls; for our design of S3 buckets, refer to the AWS S3 Buckets document.
Since S3 buckets' ABAC does not meet our needs, these tags are FYI only and have no direct effect on access controls. See the AWS S3 Buckets document for the model.
Access Levels
Currently, we have three clearly defined access levels on S3 buckets: read, write, and custodian.
In this section, we define these levels.
Read
These principals have read-only permission on a bucket's objects, through a dedicated access point.
| Key | ac:readers |
| Value | Delimited list of roles’ id:team and/or id:function tags |
| Example | :ace-infra:ace: |
| Duties | Have read access to the bucket using their access points |
| Allowed Actions | Read the objects (see policy here) |
| Implications | For each team in this tag there should be an access point with name <bucket-name |
NOTES:
- Read the docs on access points here.
Write
These principals have write permission on a bucket's objects, through a dedicated access point.
| Key | ac:writers |
| Value | Delimited list of roles’ id:team and/or id:function tags |
| Example | :ace-infra:ace: |
| Duties | Have full access to the bucket’s objects using their access points |
| Allowed Actions | Read the objects (see policy here) |
| Implications | For each team in this tag there should be an access point with name <bucket-name>-full-<id:team> |
NOTES:
- Read the docs on access points here.
Custodian
These principals have write permission on a locked bucket's objects, through a dedicated access point.
| Key | ac:custodians |
| Value | Delimited list of roles’ id:team and/or id:function tags |
| Example | :ace-infra:ace: |
| Duties | Have full access to the bucket’s objects using their access points |
| Allowed Actions | Read the objects (see policy here) |
| Implications | For each team in this tag there should be an access point with name <bucket-name>-full-<id:team> |
NOTES:
- Read the docs on access points here.
- This level is only used on locked buckets, e.g. dataset-buckets.
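The Write and Custodian levels above both require one access point per tagged team, named `<bucket-name>-full-<id:team>`. The following is an added example, not code from this document or from the infra project, of the consistency check a reviewer would run over a bucket's `ac:*` tags: it parses the colon-delimited tag value (the page's example `:ace-infra:ace:` is taken to mean leading and trailing colons with one member per segment, which is an assumption), derives the access point names the tags require, and compares them with an inventory of existing access point names that the caller supplies (for instance from `aws s3control list-access-points`). The read level is left out because the page's naming rule for it is truncated. The AWS naming constraint encoded in `NAME_RE` (3 to 50 lowercase letters, digits and hyphens, not starting or ending with a hyphen) is also an assumption of the example. All bucket, team and access point names are constructed for the example.

```python
import re

# Naming rule from the Implications rows of the Write and Custodian tables.
# ac:readers is left out because the page truncates its naming rule.
# Both write-level tags map to the same "-full-" suffix.
LEVEL_SUFFIX = {"ac:writers": "full", "ac:custodians": "full"}

# Assumed AWS constraint on access point names: 3-50 characters, lowercase
# letters, digits and hyphens, not starting or ending with a hyphen.
NAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{1,48}[a-z0-9])?$")


def parse_members(tag_value: str) -> list[str]:
    """':ace-infra:ace:' -> ['ace-infra', 'ace']; drops blanks and duplicates."""
    members: list[str] = []
    for piece in tag_value.split(":"):
        piece = piece.strip()
        if piece and piece not in members:
            members.append(piece)
    return members


def expected_access_points(bucket: str, tags: dict[str, str]) -> dict[str, tuple[str, ...]]:
    """Map each access point name the tags require to the tag key(s) requiring it."""
    required: dict[str, set[str]] = {}
    for key, suffix in LEVEL_SUFFIX.items():
        for member in parse_members(tags.get(key, "")):
            required.setdefault(f"{bucket}-{suffix}-{member}", set()).add(key)
    return {name: tuple(sorted(keys)) for name, keys in required.items()}


def check_access_points(bucket: str, tags: dict[str, str], existing: list[str]) -> dict[str, list[str]]:
    """Compare the tag-implied access points with the ones that actually exist.

    Returns names that are missing (a tag requires them but they do not exist),
    orphaned (they exist with a tracked suffix but no tag requires them) and
    invalid (a tag requires them but they are not legal access point names).
    """
    required = expected_access_points(bucket, tags)
    tracked_prefixes = tuple(f"{bucket}-{s}-" for s in set(LEVEL_SUFFIX.values()))
    present = set(existing)
    return {
        "missing": sorted(n for n in required if n not in present),
        "orphaned": sorted(n for n in present if n.startswith(tracked_prefixes) and n not in required),
        "invalid": sorted(n for n in required if not NAME_RE.fullmatch(n)),
    }


# Constructed sample: one bucket, its ac:* tags, and the access point names an
# inventory call reported. All names are made up for this example.
SAMPLE_BUCKET = "dataset-ace"
SAMPLE_TAGS = {"ac:writers": ":ace-infra:ace:", "ac:custodians": ":ace-infra:"}
SAMPLE_EXISTING = [
    "dataset-ace-full-ace-infra",  # required by both ac:writers and ac:custodians
    "dataset-ace-full-old-team",   # no tag requires it any more
    "dataset-ace-read-ace",        # read-level name; not tracked by this check
]

if __name__ == "__main__":
    for kind, names in check_access_points(SAMPLE_BUCKET, SAMPLE_TAGS, SAMPLE_EXISTING).items():
        print(f"{kind}: {names}")
```

Because `ac:writers` and `ac:custodians` both use the `-full-` suffix, a team listed in both tags maps to a single access point; the check records both tag keys against that name rather than treating it as a duplicate. An access point that still exists after its team was removed from the tags shows up as orphaned, which is the case most worth acting on, since it keeps granting access that the tags no longer document.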
ToDos
Extra Access Levels for s3
During the design period we had the following access levels in mind, but they are not needed at this moment. We keep them here to implement if needed in the future.
| Level | Duties |
|---|---|
| browser | List S3 bucket contents (not the objects) |
| contributor | Can write and update but has no delete permission |
| admin | Has access to change bucket properties (including the access controls, etc.) |