Understanding and Creating a Basic e3 Bucket Policy

In this guide we will walk you through the general structure of a bucket policy for our eazyBackup e3 object storage service and show you how to create a policy that denies a specific user from uploading any objects to a particular bucket.

What is a Bucket Policy?

A bucket policy is a set of rules (written in JSON format) that defines who can perform certain actions on a bucket and the objects within it. It's a great way to manage access permissions for your storage.

Structure of a Bucket Policy

A bucket policy consists of a few key components:

• Version: The policy language version (usually "2012-10-17").

• Statement: An array containing one or more individual permission statements. Each statement includes:

  • Sid (Statement ID): An optional identifier for your statement (e.g., "DenyUserUploads").

  • Effect: Specifies whether to "Allow" or "Deny" the action (a Deny always overrides an Allow).

  • Principal: The user, account, or service that the statement applies to.

  • Action: The specific e3 storage action(s) this statement controls (e.g., "s3:PutObject" for uploading).

  • Resource: The bucket or objects the statement applies to.

Finding Your Tenant ID and Username

To create a policy for a specific user, you'll need your Tenant ID and Username. You can find this information in your eazyBackup e3 Cloud Storage Dashboard:

1. Navigate to the Access Keys page.

2. You will find the Tenant ID and Username listed on the Access Keys page.

Constructing the Principal ARN

For e3 bucket policies, the Principal is typically specified using an Amazon Resource Name (ARN). For our service, you'll construct it like this:

arn:aws:iam::TENANT_ID:user/USERNAME

Replace TENANT_ID and USERNAME with the Tenant ID and Username you found in your Dashboard Access Keys page.

Example Policy: Deny All Uploads for a Specific User

Let's create a simple policy that denies the user (identified by their TENANT_ID and USERNAME) all s3:PutObject (upload) permissions for a bucket named your-bucket-name.

1. Replace Placeholders:

   • your-tenant-id with your actual Tenant ID.

   • your-username with your actual Username.

   • your-bucket-name with the name of the bucket you want to apply this policy to.

2. Policy JSON:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllUploadsForSpecificUser",
      "Effect": "Deny",
      "Principal": {
        "AWS": [
          "arn:aws:iam::your-tenant-id:user/your-username"
        ]
      },
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*"
      ]
    }
  ]
}

Breakdown of the Example Policy:

• "Sid": "DenyAllUploadsForSpecificUser": The descriptive name for this rule.

• "Effect": "Deny": This rule will prevent the specified actions.

• "Principal": { "AWS": ["arn:aws:iam::your-tenant-id:user/your-username"] }: Identifies the specific e3 user this rule applies to. Note the use of an array [] around the ARN.

• "Action": ["s3:PutObject"]: Specifies that the action being denied is uploading objects. Note the use of an array [].

• "Resource": ["arn:aws:s3:::your-bucket-name/*"]: Specifies that this rule applies to all objects (/*) within the bucket named your-bucket-name. Note the use of an array [].

Applying the Policy

You can apply this policy to your bucket using S3-compatible tools like the AWS CLI, configured with the eazyBackup e3 service endpoint and credentials. When using the AWS CLI, you would typically save the policy to a JSON file (e.g., deny-uploads-policy.json) and then use a command like: aws s3api put-bucket-policy --bucket your-bucket-name --policy file://deny-uploads-policy.json --endpoint-url <e3_endpoint_url>

Important: Always test your policies carefully to ensure they grant or restrict access exactly as you intend.