AWS S3

This package integrates the creation of AWS S3 buckets and their association with ECS services.

Tip

For more details on the syntax, head to x-s3.

Constraints

S3 buckets are a delicate resource, mostly because:

  • Bucket names live in a single global namespace: there can only be one bucket of a given name across all of AWS.

  • IAM permissions for buckets have to differentiate between permissions on the bucket itself and permissions on the objects in it.

  • Buckets also have policies, but a statement cannot simply be appended to a bucket policy: one has to update the whole policy with the new statement included.

Settings

AWS S3 bucket properties can be long and tedious to set correctly. To make your life easier, additional settings have been added to shorten the bucket definition.

  • ExpandRegionToBucket

  • ExpandAccountIdToBucket

  • EnableEncryption

Access types

For S3 buckets, the access type expects an object with an objects key and a bucket key, so that permissions can be distinguished for each. If you give a string instead, the default permissions (bucket: ListOnly and objects: RW) are applied.

Full access type policy definitions
{
    "objects": {
        "RW": {
            "Action": [
                "s3:GetObject*",
                "s3:PutObject*"
            ],
            "Effect": "Allow"
        },
        "StrictRW": {
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Effect": "Allow"
        },
        "StrictRWDelete": {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow"
        },
        "RWDelete": {
            "Action": [
                "s3:GetObject*",
                "s3:PutObject*",
                "s3:DeleteObject*"
            ],
            "Effect": "Allow"
        },
        "ReadOnly": {
            "Action": [
                "s3:GetObject*"
            ],
            "Effect": "Allow"
        },
        "StrictReadOnly": {
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow"
        },
        "WriteOnly": {
            "Action": [
                "s3:PutObject*"
            ],
            "Effect": "Allow"
        },
        "StrictWriteOnly": {
            "Action": [
                "s3:PutObject"
            ],
            "Effect": "Allow"
        }
    },
    "bucket": {
        "ListOnly": {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ]
        },
        "PowerUser": {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucket*",
                "s3:SetBucket*"
            ]
        }
    }
}
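The following is an added illustration, not ecs-composex's own code, of how the access definitions above turn into IAM statements for an ECS task role. It reproduces the access-type table from this page as data, resolves a string or object access value the way the Access types section describes, and puts bucket-level actions on the bucket ARN and object-level actions on the objects ARN (the distinction the Constraints section calls out). The handling of a partial object (one missing key falls back to the default), the statement Sids, and the KMS actions added for an encrypted bucket (per the Lookup hint) are assumptions made for this example.

```python
"""Added illustration (not ecs-composex's own code): turn an x-s3 access
definition into IAM statements for an ECS task role, splitting bucket-level
and object-level permissions onto their respective ARNs."""
import json

# Access-type definitions from this page, reproduced as data.
ACCESS_TYPES = {
    "objects": {
        "RW": ["s3:GetObject*", "s3:PutObject*"],
        "StrictRW": ["s3:GetObject", "s3:PutObject"],
        "StrictRWDelete": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
        "RWDelete": ["s3:GetObject*", "s3:PutObject*", "s3:DeleteObject*"],
        "ReadOnly": ["s3:GetObject*"],
        "StrictReadOnly": ["s3:GetObject"],
        "WriteOnly": ["s3:PutObject*"],
        "StrictWriteOnly": ["s3:PutObject"],
    },
    "bucket": {
        "ListOnly": ["s3:ListBucket"],
        "PowerUser": ["s3:ListBucket", "s3:GetBucket*", "s3:SetBucket*"],
    },
}
# Defaults applied when the access value is a plain string (from the page).
DEFAULT_ACCESS = {"bucket": "ListOnly", "objects": "RW"}


def resolve_access(access):
    """A plain string means "use the defaults"; an object names each level.
    Assumption: a missing key in the object falls back to its default.
    Unknown access types are rejected rather than silently widened."""
    if isinstance(access, str):
        return dict(DEFAULT_ACCESS)
    if not isinstance(access, dict):
        raise TypeError("access must be a string or an object with bucket/objects")
    resolved = dict(DEFAULT_ACCESS)
    resolved.update(access)
    for level in ("bucket", "objects"):
        if resolved[level] not in ACCESS_TYPES[level]:
            raise ValueError(f"unknown {level} access type {resolved[level]!r}")
    return resolved


def build_statements(bucket_name, access, kms_key_arn=None):
    """IAM statements for the task role. Bucket actions apply to the bucket
    ARN, object actions to the objects ARN (bucket/*); putting s3:GetObject on
    the bucket ARN is the classic reason an S3 policy "does not work"."""
    resolved = resolve_access(access)
    bucket_arn = f"arn:aws:s3:::{bucket_name}"
    objects_actions = ACCESS_TYPES["objects"][resolved["objects"]]
    statements = [
        {"Sid": "BucketAccess", "Effect": "Allow",
         "Action": ACCESS_TYPES["bucket"][resolved["bucket"]],
         "Resource": [bucket_arn]},
        {"Sid": "ObjectsAccess", "Effect": "Allow",
         "Action": objects_actions,
         "Resource": [f"{bucket_arn}/*"]},
    ]
    if kms_key_arn:
        # Lookup hint: a KMS-encrypted bucket also needs key access, scoped to
        # that one key. Assumption for this example: decrypt for reads,
        # data-key generation for writes, nothing more.
        kms_actions = []
        if any(a.startswith("s3:GetObject") for a in objects_actions):
            kms_actions.append("kms:Decrypt")
        if any(a.startswith("s3:PutObject") for a in objects_actions):
            kms_actions.append("kms:GenerateDataKey")
        statements.append({"Sid": "BucketKmsKey", "Effect": "Allow",
                           "Action": kms_actions, "Resource": [kms_key_arn]})
    return statements


def build_policy(bucket_name, access, kms_key_arn=None):
    """Wrap the statements in a complete IAM policy document."""
    return {"Version": "2012-10-17",
            "Statement": build_statements(bucket_name, access, kms_key_arn)}


if __name__ == "__main__":
    # Constructed sample: read-only objects, default bucket access.
    print(json.dumps(build_policy("example-bucket", {"objects": "StrictReadOnly"}), indent=2))
```

Resolving the access value before emitting statements means a typo such as objects: ReadOnli fails at build time instead of producing a role with no object permissions at all, which is the failure mode that tends to get "fixed" by widening the policy.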

Features

By default, if not specified, files at rest are encrypted with the AES256 SSEAlgorithm (SSE-S3). The reason for that choice is that files are then encrypted, which satisfies compliance, without the complexity that KMS brings and that developers can easily forget about.

Also, objects are not locked, but all public access is denied by default. You can obviously override these properties.
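Added example (not ecs-composex's own code) covering two passages of this page: the default posture described in Features (AES256 encryption at rest, all public access blocked, no object lock) and the Constraints note that a bucket policy cannot take a single appended statement. It expresses the defaults as CloudFormation AWS::S3::Bucket properties, audits a bucket definition for overrides that weaken them, and builds the complete replacement policy document a bucket-policy update has to send. The property names are the CloudFormation ones; the audit rules, the Sid-based replacement behaviour and the sample definitions are assumptions made for this example.

```python
"""Added illustration (not ecs-composex's own code): the page's default bucket
posture as CloudFormation properties, an audit for weakened definitions, and a
whole-policy update helper for the "cannot append a statement" constraint."""
import copy

PUBLIC_BLOCK_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                      "IgnorePublicAcls", "RestrictPublicBuckets")
ENCRYPTION_ALGORITHMS = ("AES256", "aws:kms", "aws:kms:dsse")


def default_bucket_properties(bucket_name, kms_key_arn=None):
    """AWS::S3::Bucket properties with the page's defaults. Passing a KMS key
    ARN switches SSE-S3 (AES256) to SSE-KMS; object lock is left off."""
    if kms_key_arn:
        by_default = {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": kms_key_arn}
    else:
        by_default = {"SSEAlgorithm": "AES256"}
    return {
        "BucketName": bucket_name,
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": by_default}]},
        "PublicAccessBlockConfiguration": {flag: True for flag in PUBLIC_BLOCK_FLAGS},
    }


def audit_bucket_properties(props):
    """Return findings for properties that weaken the defaults; an empty list
    means encryption at rest and public-access blocking are both intact."""
    findings = []
    rules = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration", [])
    algorithms = [r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in rules]
    if not any(a in ENCRYPTION_ALGORITHMS for a in algorithms):
        findings.append("no default server-side encryption configured")
    pab = props.get("PublicAccessBlockConfiguration", {})
    for flag in PUBLIC_BLOCK_FLAGS:
        if pab.get(flag) is not True:
            findings.append(f"public access block flag {flag} is not enabled")
    if props.get("AccessControl") in ("PublicRead", "PublicReadWrite"):
        findings.append(f"bucket ACL {props['AccessControl']} grants public access")
    return findings


def with_statement(policy, statement):
    """Bucket policies are replaced whole: return a new, complete policy
    document with `statement` added (replacing any existing statement with the
    same Sid). The caller then PUTs the entire document back. The input is
    left untouched so a failed update can be retried from the original."""
    if policy:
        updated = copy.deepcopy(policy)
    else:
        updated = {"Version": "2012-10-17", "Statement": []}
    sid = statement.get("Sid")
    updated["Statement"] = [s for s in updated["Statement"]
                            if sid is None or s.get("Sid") != sid]
    updated["Statement"].append(copy.deepcopy(statement))
    return updated


if __name__ == "__main__":
    # Constructed sample: a definition that overrides the defaults.
    weak = {"BucketName": "example-bucket", "AccessControl": "PublicRead"}
    for finding in audit_bucket_properties(weak):
        print("finding:", finding)
    print(audit_bucket_properties(default_bucket_properties("example-bucket")))
```

Running the audit over every x-s3 definition in a compose file, before deployment, catches the case the Features section allows for: a Properties override that drops BucketEncryption or flips a PublicAccessBlockConfiguration flag to false.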

Lookup

Hint

If your bucket is encrypted with a KMS key, the IAM task role for your service is also granted access to that key so that it can manipulate the data in the bucket.