Here are a couple of quick example IAM policies that restrict an AWS user’s S3 access either to a single bucket or to a sub folder in a shared S3 bucket. These rules should let users work with tools like CloudBerry or S3Fox without problems; if you are too strict, these tools tend to fail.

First log into the AWS console and create a new IAM user, then edit the policies below, changing the <>’s to your required values. Then paste the result into a custom policy for your newly created user.

Lock a user into a S3 bucket

You’ll need to let the user list all the bucket names in order for a lot of the third party tools to work. If they try to browse the wrong bucket they’ll get access denied.

{
"Statement":[{
  "Effect":"Allow",
  "Action":"s3:ListAllMyBuckets",
  "Resource":"arn:aws:s3:::*"
 },
 {
  "Effect":"Allow",
  "Action": [
    "s3:ListBucket",
    "s3:ListBucketMultipartUploads",
    "s3:ListBucketVersions"
  ],
  "Resource":"arn:aws:s3:::<your_bucketname>"
 },
 {
  "Effect":"Allow",
  "Action":  [
    "s3:*Object*",
    "s3:ListMultipartUploadParts",
    "s3:AbortMultipartUpload"
  ],
  "Resource":"arn:aws:s3:::<your_bucketname>/*"
 }
]
}

To break this policy down rule by rule:

  • Allow all bucket names to be listed in the account.
  • Allow all files and folders within the specified bucket to be listed.
  • Allow a user to add and delete files and folders within the specified bucket and its sub folders.

Lock a user into a single directory in a S3 shared bucket

This is more complex: you have to allow the user to list all the folders in the bucket for tools like S3Fox to work, but then deny listing anything below that level in all but the allowed directory.

{
"Statement":[{
  "Effect":"Allow",
  "Action":"s3:ListAllMyBuckets",
  "Resource":"arn:aws:s3:::*"
 },
 {
  "Effect":"Allow",
  "Action":"s3:ListBucket",
  "Resource":"arn:aws:s3:::<your_bucketname>"
 },
 {
  "Effect":"Deny",
  "Action": [
    "s3:ListBucket",
    "s3:ListBucketMultipartUploads",
    "s3:ListBucketVersions"
  ],
  "Resource":"arn:aws:s3:::<your_bucketname>",
  "Condition":{
    "StringLike":{
      "s3:prefix":"*/*"
    },
    "StringNotLike": {
      "s3:prefix": "<your_folder>/*"
    }
  }
 },
 {
  "Effect":"Allow",
  "Action":  [
    "s3:*Object*",
    "s3:ListMultipartUploadParts",
    "s3:AbortMultipartUpload"
  ],
  "Resource":"arn:aws:s3:::<your_bucketname>/<your_folder>/*"
 }
]
}

To break this rule set down rule by rule:

  • Allow all bucket names to be listed in the account.
  • Allow all files and folders within the specified bucket to be listed.
  • Deny by default listing files within a directory except for the specified folder.
  • Allow a user to add and delete files and folders within the specified bucket and sub folder.
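
To see how the Deny condition in the shared-bucket policy behaves, here is a small offline evaluator for its ListBucket and object statements. It is an added example, not part of the original post or any AWS tooling: the bucket name `shared-bucket`, the folder `alice`, the function names and the sample requests are all constructed, and an omitted prefix is assumed to behave like an empty string.

```python
import re

# Constructed values standing in for <your_bucketname> and <your_folder>.
BUCKET, FOLDER = "shared-bucket", "alice"

def like(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def list_bucket_decision(bucket, prefix=""):
    """Evaluate s3:ListBucket against statements 2 (Allow) and 3 (Deny).

    Assumption: a request without a prefix is modelled as prefix == "".
    """
    if bucket != BUCKET:
        return "implicit deny"      # no statement names this bucket
    # Statement 3: StringLike AND StringNotLike must both hold for the Deny.
    if like("*/*", prefix) and not like(f"{FOLDER}/*", prefix):
        return "explicit deny"      # an explicit Deny overrides any Allow
    return "allow"                  # statement 2

def object_decision(bucket, key):
    """Evaluate an s3:*Object* action against statement 4 (Allow on folder/*)."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    allowed = like(f"arn:aws:s3:::{BUCKET}/{FOLDER}/*", arn)
    return "allow" if allowed else "implicit deny"

# Constructed requests covering each branch of the policy.
CASES = [
    ("list bucket root",             list_bucket_decision(BUCKET, "")),
    ("list own folder",              list_bucket_decision(BUCKET, "alice/")),
    ("list own sub folder",          list_bucket_decision(BUCKET, "alice/reports/")),
    ("list another folder",          list_bucket_decision(BUCKET, "bob/")),
    ("list prefix with no slash",    list_bucket_decision(BUCKET, "bob")),
    ("list a different bucket",      list_bucket_decision("other-bucket", "")),
    ("get object in own folder",     object_decision(BUCKET, "alice/a.txt")),
    ("get object in another folder", object_decision(BUCKET, "bob/b.txt")),
]

if __name__ == "__main__":
    for name, decision in CASES:
        print(f"{name:30} -> {decision}")
```

Note the `bob` case: the Deny applies only when the prefix contains a `/`, so key names outside the folder can still appear in listings, while reading or writing those objects stays denied.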

I’ve just uploaded the latest .debs to Launchpad for nodeJS v0.8 and npm 1.1.32. This should bring you a whole host of fixes and new features. The cluster functionality is far better now, and the new module on the block is the domain feature, which allows you to group multiple IO features and handle them more efficiently. You can grab the latest packages here:

https://launchpad.net/~richarvey/+archive/nodejs

or by running:

add-apt-repository ppa:richarvey/nodejs

apt-get update

apt-get install nodejs npm

I’ve also tested out the node-wwwfier project with the latest version and that’s still running sweetly.


So you may have seen my recent posts about supporting the open standards policy within the UK government. I aim to answer a few questions they may have raised.

Why is this important?

Open standards allow anyone to reuse data and interact with services provided by the government. This fuels innovation and business: access to public data means you can offer a value-added service that supports your customers better. To the normal end user this may not seem like much, but to those in business it can be a critical source of information. Data such as the crime in an area is useful on sites selling houses, for example; then there is transport information and a plethora of other resources.

Being an open and published standard lowers the cost of entry for data reuse. Open standards allow anyone with technical knowledge to start using the data. If this data were controlled by a larger company that doesn’t use open standards, we would have vendor lock-in. That creates a cost barrier to anyone wishing to use the data, which might be in the form of training, an SDK or software licensing. In my opinion these barriers often deter innovation purely because of costs, and that’s exactly what we can stop if we get behind the policy.

Not just data!

This isn’t just about data. Let’s say you have an open source product (a blog, a database or even an OS), and your business model is to sell support. Helping this policy become a reality is also vital for you. All of a sudden you have a level playing field to compete for tenders with the government against large contracts. No longer are you going to be in the situation where you don’t stand a chance of winning a contract against the software giants of our industry. You can learn and develop the products without restrictions and without having to buy a license. With only time invested you can be industry experts and have a service or product as good as larger companies. This is great for SMEs and in turn great for the economy!

Where policy goes others follow.

This policy also has implications outside of the government. You often find that where a government sets a policy, industry follows suit, and this can only be a good thing for SMEs. If one government adopts this policy, others are likely to consider it too, so this has global implications. This is why the larger companies are pouring resources into discrediting open standards.

Arguments against.

I’ve heard a couple of very thin arguments against Open Standards, one being that it “discourages innovation”. My answer to this is that you are reading this article on the web. The web is probably the best example of an Open Standard, and who can deny that it’s been responsible for a massive amount of innovation over the last 20+ years? In fact the very same companies who oppose this policy are also touting HTML5, an Open Standard itself, as the future of applications.

As a note, let’s not forget http://www.number10.gov.uk/ is powered by an open source CMS.

What can you do?

Head over to http://open.squarecows.com and hit reply. If you have time, please fill in some recommendations and ideas you may have around the subject. This kind of feedback will be crucial to the debate. I’m merely looking to even the fight and put forward the merits of being open, and allowing everyone to take part.

Also, please spread the word and get everyone you know to take part in supporting open standards. Take to the social networks/email/phone, and hey, why not fax, and send everyone to http://open.squarecows.com

Who needs to fill in the form?

Anyone! Individuals and organisations. If you’ve had an open source success, please say why and how it is fuelled by open standards. You don’t have to be UK based to take part either; the companies who are currently lobbying against this aren’t, after all.

 
