One of the lingering problems with adoption of cloud computing has been the issue of facilitating access – both for the end-user and for the IT professional.
In a move that addresses these concerns, Amazon Web Services announced yesterday that it had added support for Bucket Policies. These policies will provide a single mechanism for managing access to the Amazon S3 buckets and for the objects stored in them. These policies are expressed using Amazon’s Access Policy Language, which will centralize and refine permissions management.
The Old Controls
Prior to the announcement, there were two access control mechanisms for Amazon S3: query string authentication and the Access Control List. The former creates a URL that grants temporary access to a bucket. The latter provides for selective access, with certain permissions – read, write, read ACL, write ACL – designated for certain people. One drawback of both methods was that each new object added to a bucket required its access controls to be set individually.
The New Controls
So while these ACLs grant permission on an object-by-object basis, the new bucket policies allow a much more granular level of control. Permissions can be granted or denied across all or a subset of the objects within a single bucket. The policies can include references to IP addresses and ranges, dates, the HTTP referrer, and transports (http and https).
As AWS notes in its explanation of the new bucket policies, this allows you to, for example, allow write access to a particular S3 bucket only from your corporate network during business hours from your custom application (as identified by a user agent string).
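The scenario above expressed as a bucket policy, written here as an added illustration rather than taken from AWS's own announcement. The bucket name, account ID, IP range (203.0.113.0/24 is a documentation-only range), date window and user agent string are all constructed placeholders; the condition keys (aws:SourceIp, aws:CurrentTime, aws:UserAgent, aws:SecureTransport) are standard policy condition keys.

```json
{
  "Version": "2012-10-17",
  "Id": "ExampleCorpWriteWindowPolicy",
  "Statement": [
    {
      "Sid": "AllowCorpAppWritesFromOfficeDuringWindow",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-corp-bucket/*",
      "Condition": {
        "IpAddress": { "aws:SourceIp": "203.0.113.0/24" },
        "DateGreaterThan": { "aws:CurrentTime": "2010-07-06T09:00:00Z" },
        "DateLessThan": { "aws:CurrentTime": "2010-07-06T17:00:00Z" },
        "StringEquals": { "aws:UserAgent": "ExampleCorpUploader/1.0" },
        "Bool": { "aws:SecureTransport": "true" }
      }
    },
    {
      "Sid": "DenyAnyAccessOverPlainHttp",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-corp-bucket",
        "arn:aws:s3:::example-corp-bucket/*"
      ],
      "Condition": { "Bool": { "aws:SecureTransport": "false" } }
    }
  ]
}
```

Two caveats a reviewer would raise: aws:CurrentTime is compared against an absolute timestamp, so the "business hours" window here is a one-off date range and a recurring daily window cannot be expressed in a bucket policy alone; and the user agent header is set by the client, so the aws:UserAgent condition narrows which of your own tools may write but is not an authentication control, which is why the IP-range and TLS conditions carry the real weight.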
These new bucket policies are designed to facilitate the way in which information is stored and accessed in the cloud, adding to IT's security and management toolkit.