Creating an e3 Bucket Policy to Allow Specific File Extensions

This guide explains how to create an e3 bucket policy that restricts a particular user's uploads to files with specific extensions (for example, only .zip files). All other file types are denied.

Basic Policy Structure

This policy uses the same JSON structure as described in "Understanding and Creating a Basic e3 Bucket Policy." Ensure you are familiar with Version, Statement, Sid, Effect, Principal, Action, and Resource.

You will also need your Tenant ID and Username from the eazyBackup e3 Cloud Storage Dashboard (Access Keys page) to construct the Principal ARN: arn:aws:iam::TENANT_ID:user/USERNAME.

The Logic: Deny if NOT the Allowed Type

To allow only specific file extensions, we use a Deny rule. The logic is: "Deny the upload action if the file being uploaded is NOT one of the allowed types." This is achieved using the NotResource element.

Example Policy: Allow Only .zip File Uploads

This policy prevents the user from uploading any file to your-bucket-name unless the file has a .zip extension.

  1. You will need to replace the placeholders:

    • your-tenant-id with your actual Tenant ID.

    • your-username with your actual Username.

    • your-bucket-name with the name of the bucket.

  2. Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyZipUploads",
      "Effect": "Deny",
      "Principal": {
        "AWS": [
          "arn:aws:iam::your-tenant-id:user/your-username"
        ]
      },
      "Action": [
        "s3:PutObject"
      ],
      "NotResource": [
        "arn:aws:s3:::your-bucket-name/*.zip"
      ]
    }
  ]
}

Explanation of the Example Policy:

  • "Sid": "AllowOnlyZipUploads": A descriptive name for this rule.

  • "Effect": "Deny": This rule will prevent uploads if the condition (defined by NotResource) is met.

  • "Principal": { "AWS": ["arn:aws:iam::your-tenant-id:user/your-username"] }: Identifies the specific e3 user this rule applies to.

  • "Action": ["s3:PutObject"]: Specifies that the action being controlled is uploading objects.

  • "NotResource": ["arn:aws:s3:::your-bucket-name/*.zip"]: This means the Deny effect applies if the object being uploaded does NOT match the pattern arn:aws:s3:::your-bucket-name/*.zip.

    • If a user tries to upload archive.zip, its resource name matches the pattern in NotResource. Therefore, this Deny rule does not apply, and the upload is effectively allowed (assuming no other Deny rules prevent it).

    • If a user tries to upload document.txt, its resource name does not match *.zip. Thus, the Deny rule will apply, and the upload is blocked.

  • Make sure to note the use of arrays [] for Principal.AWS, Action, and NotResource values.

Adapt this for Other or Multiple File Extensions:

  • Different Single Extension: To allow only .jpg files, change *.zip to *.jpg in the NotResource ARN: "arn:aws:s3:::your-bucket-name/*.jpg"

  • Multiple Allowed Extensions: If you want to allow multiple extensions (e.g., .jpg and .png), add each pattern as a separate string in the NotResource array:

"NotResource": [
  "arn:aws:s3:::your-bucket-name/*.jpg",
  "arn:aws:s3:::your-bucket-name/*.png"
]

  • In this example, the Deny will apply if the file is not a .jpg AND not a .png.
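To show how the Deny/NotResource statement above decides for a given object key, and how the multi-extension variant is built, here is an added Python simulation; it is not part of this article and not eazyBackup's tooling, and the function names are my own. It assumes e3 follows AWS-IAM-style matching ('*' matches any run of characters including '/', '?' matches one character, everything else is literal and case-sensitive) and that an explicit Deny never grants access, so the user still needs an Allow from elsewhere for an upload to succeed.

```python
import re

# The article's example policy, embedded as a Python dict (placeholders kept as-is).
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowOnlyZipUploads", "Effect": "Deny",
    "Principal": {"AWS": ["arn:aws:iam::your-tenant-id:user/your-username"]},
    "Action": ["s3:PutObject"],
    "NotResource": ["arn:aws:s3:::your-bucket-name/*.zip"]}]}
USER = "arn:aws:iam::your-tenant-id:user/your-username"
BUCKET = "your-bucket-name"

def _as_list(value):
    """Policy elements may be a single string or an array; normalise to a list."""
    return value if isinstance(value, list) else [value]

def arn_matches(pattern, value):
    """IAM-style wildcard match (assumed for e3): '*' is any run of characters,
    including '/', '?' is one character; everything else is literal, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def deny_applies(stmt, principal, action, resource):
    """True if this explicit-Deny statement matches the (principal, action, resource)."""
    if stmt.get("Effect") != "Deny" or principal not in _as_list(stmt["Principal"]["AWS"]):
        return False
    if not any(arn_matches(a, action) for a in _as_list(stmt["Action"])):
        return False
    if "NotResource" in stmt:
        # Deny applies only when the resource matches NONE of the listed patterns.
        return not any(arn_matches(p, resource) for p in _as_list(stmt["NotResource"]))
    return any(arn_matches(p, resource) for p in _as_list(stmt.get("Resource", [])))

def upload_denied(policy, principal, bucket, key):
    """True if some Deny statement blocks s3:PutObject for this object key."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    return any(deny_applies(s, principal, "s3:PutObject", resource) for s in policy["Statement"])

def allowed_extensions_policy(user_arn, bucket, extensions):
    """Build the 'Multiple Allowed Extensions' variant: one NotResource pattern per extension."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowOnlyListedExtensions", "Effect": "Deny",
        "Principal": {"AWS": [user_arn]}, "Action": ["s3:PutObject"],
        "NotResource": [f"arn:aws:s3:::{bucket}/*.{e.lstrip('.')}" for e in extensions]}]}

if __name__ == "__main__":
    # Constructed sample keys: nested prefixes pass, while '.ZIP' and '.zip.exe' are denied.
    for key in ("archive.zip", "2024/05/archive.zip", "document.txt", "ARCHIVE.ZIP", "archive.zip.exe"):
        print(f"{key:22} denied={upload_denied(POLICY, USER, BUCKET, key)}")
```

The simulation only checks the key name: it cannot tell whether an object named archive.zip is really a ZIP archive, so treat the policy as a naming control, not a content control.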

Applying the Policy

Save your policy to a JSON file and apply it with an S3-compatible tool such as the AWS CLI, configured to use the e3 service endpoint. Example:

aws s3api put-bucket-policy --bucket your-bucket-name --policy file://allow-zips-policy.json --endpoint-url <e3_endpoint_url>

Important:

  • Testing is Important: After applying the policy, test by trying to upload allowed file types (which should succeed) and disallowed file types (which should be denied).

  • This policy specifically controls the s3:PutObject action. If users need other permissions (like deleting specific file types), you would need additional or different policy statements. Please feel free to ask our team for assistance creating a policy that meets your requirements.
