Skip to content

img0

Object Lock

Restricting Object Lock Usage

What if you want to restrict users from abusing or accidentally misusing Object Lock? We can use IAM to limit user permissions for Object Lock specifically.

Instructions

  1. Log-in to CMC as 'admin' user
  2. Navigate to Users & Groups, select the Engineering group and search, then click View User Data

  3. Create a new bucket for the engineer1 user called limited and enable Object Lock

  4. Click 'OK' on the warning that comes up

Instructions

  1. Click on Properties next to the limited bucket then select Object Lock
  2. Set the default mode as Compliance Mode then put 1 day for the retention period
  3. Click Save to save the defaults for the bucket

Important

We will now 'Enforce' the bucket defaults by creating an IAM user with limited permissions on the bucket. If you were to give your S3 clients the HyperStore user credentials, they will be able to override the bucket default per Object upload.

Instructions

  1. Log-in to CMC as the engineer1 user. You may have to type Engineering as the group name since we changed the CMC configuration earlier.
  2. Navigate to the IAM tab, then create a new IAM user called restricted
  3. Click on the restricted IAM user name then navigate to IAM POLICIES
  4. Click + ADD IAM POLICY then select Inline Policy
  5. Type no-object-lock as the policy name then click in the Policy Document area:
  6. Expand the List, Read, and Write fields
  7. Select all for List and Read fields
  8. Select PutObject for Write permission
  9. Notice that write permissions regarding Object lock is not selected
  10. Click Save then ADD the policy

Instructions

  1. Navigate to IAM ACCESS KEY then create a new keypair for restricted IAM user
  2. Keep the credentials handy for the next step

Important

For the next task we need to have access to a system with root still enabled. As node 5 was removed from our cluster before we disabled root, we can use this node to complete our tasks.

Instructions

  1. SSH into your Node 5 as root using the password provided by the instructor
  2. Configure the aws command using a profile name 
    aws configure --profile restricted
  3. Set your Access / Secret keypair
  4. Set the region name to region1
  5. Set the output format to json (lower case)

Instructions

  1. Set your S3 region endpoint replacing X with your student number 
    echo "export s3_endpoint=s3-region1.studentX.cloudian.tech" >> ~/.bash_profile && source ~/.bash_profile
  2. Issue a list bucket operation to test your credentials 
    aws s3api --profile restricted --endpoint-url http://$s3_endpoint list-buckets

Instructions

We are now ready to test the permissions for restricted IAM user

  1. create a new 5mb file 
    dd if=/dev/zero of=5mb bs=1M count=5
  2. Upload an object into the limited bucket 
    aws s3api --profile restricted --endpoint-url http://$s3_endpoint put-object --bucket limited --key 5mb --body ~/5mb
  3. List the limited bucket contents 
    aws s3api --profile restricted --endpoint-url http://$s3_endpoint list-objects --bucket limited
  4. List the versions of the limited bucket objects 
    aws s3api --profile restricted --endpoint-url http://$s3_endpoint list-object-versions --bucket limited

Info

Since restricted user has all list / read permissions, as well as putObject permission, this user is able to upload an object into the limited bucket and list its contents.

Instructions

  1. Upload an object and attempt to set the retention mode / period many years from now 
    aws s3api --profile restricted --endpoint-url http://$s3_endpoint put-object --bucket limited --key mylongobj --body ~/5mb --object-lock-mode GOVERNANCE --object-lock-retain-until-date 2030-01-01T00:00:00
    As expected, you are denied access from setting your own retention period.