Karan Idnani's Blog
Day 67: AWS S3 Bucket Creation and Management

Day 67: AWS S3 Bucket Creation and Management

Karan Idnani's photo
Karan Idnani
ยท

4 min read

AWS S3 Bucket

Amazon S3 (Simple Storage Service) is an object storage service that offers industry-leading scalability, data availability, security, and performance. It can be used for a variety of use cases, such as storing and retrieving data, hosting static websites, and more.

In this task, you will learn how to create and manage S3 buckets in AWS.

Task

  • Create an S3 bucket using Terraform.
resource "aws_s3_bucket" "my_bucket" { 
bucket = "<unique_bucket_name>" 
}

The declaration of aws_s3_bucket resource results in the creation of a new S3 bucket. The identifier "my_bucket" uniquely represents this resource within your Terraform code and can be customized to suit your preference. Initialize the working directory and download necessary providers by executing the terraform init command.

Generate an execution plan with terraform plan to analyze the changes required for achieving the desired infrastructure state.

Apply the changes using terraform apply to create or update resources as necessary.

The S3 bucket has been successfully created.

2. Configure the bucket to allow public read access.

Step-01: Begin by creating a new file named "public_access.tf" and insert the following Terraform code:

resource "aws_s3_bucket_public_access_block" "example" {
  bucket = aws_s3_bucket.devops_name_bucket_1.id

  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

resource "aws_s3_bucket_acl" "bucket_acl" {
  bucket = aws_s3_bucket.devops_name_bucket_1.id
  acl    = "public-read"
}

In this Terraform configuration:

  • The aws_s3_bucket_public_access_block resource configures the control of public access to the "devops_name_bucket_1" S3 bucket. It explicitly allows public ACLs, public policies, and public bucket access.

  • The aws_s3_bucket_acl resource defines an Access Control List (ACL) for the "devops_name_bucket_1" S3 bucket, setting it to "public-read." This setup grants public read access to objects within the bucket.

Step-02: Proceed to the AWS S3 bucket, navigate to Permissions, and enable ACLs by editing object permissions.

Note- This is done so that we do not get access denied error.

Step-03: Apply the Terraform code using the command:

terraform apply

Step-04: Check the AWS Console to verify that the S3 bucket is now public as intended

3. Enable versioning on the S3 bucket.

The versioning configuration is specified, with the "enabled" attribute set to true. This activates versioning for the S3 bucket, ensuring that multiple versions of each object stored in the bucket are retained.

Versioning for the bucket has been successfully enabled.

4. Create an S3 bucket policy that allows read-only access to a specific IAM user.

resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.my_bucket.id
  policy = data.aws_iam_policy_document.allow_read_only_access.json
}

data "aws_iam_policy_document" "allow_read_only_access" {
  statement {
    principals {
      type        = "AWS"
      identifiers = ["683633011377"]
    }

    actions = [
      "s3:GetObject",
      "s3:ListBucket",
    ]

    resources = [
      aws_s3_bucket.my_bucket.arn,
      "${aws_s3_bucket.my_bucket.arn}/*",
    ]
  }
}

To grant read-only access to a designated IAM user or role, the configuration establishes an S3 bucket policy through the "aws_s3_bucket_policy" resource. This policy is linked to the S3 bucket resource "aws_s3_bucket.my_bucket" using the "bucket" parameter, while the "policy" parameter references the Terraform data source "data.aws_iam_policy_document.allow_read_only_access.json," defining the policy document.

The policy document creation involves the "data" block, constituting a Terraform data source. Within "data.aws_iam_policy_document.allow_read_only_access," the policy document outlines permissions in JSON syntax, allowing read-only access to the specified S3 bucket for a designated IAM user or role.

This policy document features a single "statement" block, detailing the permissions granted. Specifically, it permits "s3:GetObject" and "s3:ListBucket" actions for the designated bucket and its objects. The "principals" block identifies the AWS user or role, with the "identifiers" field specifying the AWS account ID of the recipient of read-only access.

Execute terraform apply to implement the configuration.

A tailored S3 bucket policy has been established, granting read-only access to the specified IAM user. Check in Permissions panel > Bucket Policy

These practical steps provide a solid foundation for understanding and managing AWS S3 buckets, ensuring that you can effectively handle your cloud-based data storage needs while maintaining security and accessibility.

Keep exploring the vast world of AWS services and stay curious about the ever-evolving technology landscape.

ย