How to configure an S3 bucket in Terraform to meet specific needs?

Asked by DavidEDWARDS in DevOps, asked on Jul 16, 2024

I am currently working on a task related to a Terraform project to set up an S3 bucket for storing application logs. I need to ensure that only a specific IAM role, named LogReaderRole, can read from the bucket, while all others are denied. How can I configure the S3 bucket policy in Terraform so that I meet this particular requirement?

Answered by Dipesh Bhardwaj

In the context of DevOps, here are the steps for defining a bucket policy in Terraform that explicitly allows LogReaderRole the s3:GetObject permission while all others are denied:


Define the S3 bucket
Firstly, you would need to define the S3 bucket:
resource "aws_s3_bucket" "log_bucket" {
  bucket = "my-application-logs"
}
Creating the bucket policy
Now you can create the bucket policy:
data "aws_iam_policy_document" "bucket_policy" {
  # Allow LogReaderRole to read objects in the bucket
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.log_bucket.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:role/LogReaderRole"]
    }
  }
  # Deny any request that is not sent over TLS
  # (an S3 bucket policy statement must carry a Principal, so "*" is set here)
  statement {
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = ["${aws_s3_bucket.log_bucket.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}
Attach the policy to the S3 bucket
After forming the policy, you can attach it to your S3 bucket:
resource "aws_s3_bucket_policy" "log_bucket_policy" {
  bucket = aws_s3_bucket.log_bucket.id
  policy = data.aws_iam_policy_document.bucket_policy.json
}
This ensures that only the LogReaderRole can read from the bucket, while all others are denied.
Here is a Python-based scenario of how you can use the Boto3 library to create an S3 bucket and attach a policy that ensures only a specific IAM role has read access. It also includes a part that denies all other access:
import json
import boto3
from botocore.exceptions import ClientError

# Initialize a session using Amazon S3
region = 'YOUR_AWS_REGION'
session = boto3.Session(
    aws_access_key_id='YOUR_AWS_ACCESS_KEY',
    aws_secret_access_key='YOUR_AWS_SECRET_KEY',
    region_name=region
)
# Create an S3 client
s3_client = session.client('s3')
# Specify the bucket name
bucket_name = 'my-application-logs'
# Create the S3 bucket
try:
    s3_client.create_bucket(
        Bucket=bucket_name,
        CreateBucketConfiguration={
            'LocationConstraint': region
        }
    )
    print(f'Bucket {bucket_name} created successfully.')
except ClientError as e:
    print(f'Error creating bucket: {e}')
# Define the bucket policy
bucket_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Allow LogReaderRole to read objects in the bucket
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/LogReaderRole"
            },
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*"
        },
        {
            # Deny any request that is not sent over TLS
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        }
    ]
}
# Convert the policy to JSON
bucket_policy_json = json.dumps(bucket_policy)
# Apply the policy to the S3 bucket
try:
    s3_client.put_bucket_policy(
        Bucket=bucket_name,
        Policy=bucket_policy_json
    )
    print(f'Policy attached to bucket {bucket_name} successfully.')
except ClientError as e:
    print(f'Error attaching policy: {e}')
Here is the Java-based approach:
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.SetBucketPolicyRequest;

public class S3BucketPolicyExample {
    public static void main(String[] args) {
        String accessKey = "YOUR_ACCESS_KEY";
        String secretKey = "YOUR_SECRET_KEY";
        String region = "YOUR_REGION";
        String bucketName = "my-logs";
        String roleArn = "arn:aws:iam::123456789012:role/LogReaderRole";
        // Create S3 client
        BasicAWSCredentials awsCreds = new BasicAWSCredentials(accessKey, secretKey);
        AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                .withRegion(region)
                .withCredentials(new AWSStaticCredentialsProvider(awsCreds))
                .build();
        // Define policy: allow LogReaderRole to read objects (inner quotes are escaped)
        String bucketPolicy = "{\n" +
                "  \"Version\": \"2012-10-17\",\n" +
                "  \"Statement\": [\n" +
                "    {\n" +
                "      \"Effect\": \"Allow\",\n" +
                "      \"Principal\": {\"AWS\": \"" + roleArn + "\"},\n" +
                "      \"Action\": \"s3:GetObject\",\n" +
                "      \"Resource\": \"arn:aws:s3:::" + bucketName + "/*\"\n" +
                "    }\n" +
                "  ]\n" +
                "}";
        // Apply policy
        SetBucketPolicyRequest policyRequest = new SetBucketPolicyRequest(bucketName, bucketPolicy);
        s3Client.setBucketPolicy(policyRequest);
        System.out.println("Policy set for bucket " + bucketName);
    }
}
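An added example, not part of the answer above: the Deny statement in the answer only blocks requests that arrive over plain HTTP, so a separate explicit Deny is needed before every other principal is actually refused. This Terraform policy document, which assumes the `aws_s3_bucket.log_bucket` resource from the answer and a constructed role ARN in `local.log_reader_role_arn`, keeps the Allow for LogReaderRole and denies s3:GetObject to any principal whose aws:PrincipalArn is not that role; the answer's aws:SecureTransport statement can sit alongside it as a third statement.

```hcl
locals {
  # Assumed (constructed) ARN of the only role that may read the logs.
  log_reader_role_arn = "arn:aws:iam::123456789012:role/LogReaderRole"
}

data "aws_iam_policy_document" "log_bucket_policy" {
  # Grant object reads to LogReaderRole only.
  statement {
    sid       = "AllowLogReaderRole"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.log_bucket.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = [local.log_reader_role_arn]
    }
  }

  # Explicitly deny object reads from any other principal. For assumed-role
  # sessions aws:PrincipalArn is the role ARN, so LogReaderRole sessions pass.
  # Add break-glass role ARNs to the list, or they are locked out of the logs
  # too. The deny covers s3:GetObject on objects only, so bucket management
  # by the principal running terraform apply is not affected.
  statement {
    sid       = "DenyReadsFromOtherPrincipals"
    effect    = "Deny"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.log_bucket.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "StringNotEquals"
      variable = "aws:PrincipalArn"
      values   = [local.log_reader_role_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "log_bucket_policy" {
  bucket = aws_s3_bucket.log_bucket.id
  policy = data.aws_iam_policy_document.log_bucket_policy.json
}
```

After `terraform apply`, a GetObject attempt from any other role or user in the account returns AccessDenied even if that identity has s3:* in its own IAM policy, because an explicit Deny in the bucket policy overrides any Allow.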