Object Lock
Restricting Object Lock Usage
What if you want to restrict users from abusing or accidentally misusing Object Lock? We can use IAM to limit user permissions for Object Lock specifically.
Instructions
- Log-in to CMC as 'admin' user
- Navigate to Users & Groups, select the Engineering group and search, then click View User Data
- Create a new bucket for the engineer1 user called limited and enable Object Lock
- Click 'OK' on the warning that comes up
Instructions
- Click on Properties next to the limited bucket then select Object Lock
- Set the default mode as Compliance Mode then put 1 day for the retention period
- Click Save to save the defaults for the bucket
Important
We will now 'enforce' the bucket defaults by creating an IAM user with limited permissions on the bucket. If you were to give your S3 clients the HyperStore user credentials, they would be able to override the bucket default on each object upload.
Instructions
- Log-in to CMC as the engineer1 user. You may have to type Engineering as the group name since we changed the CMC configuration earlier.
- Navigate to the IAM tab, then create a new IAM user called restricted
- Click on the restricted IAM user name then navigate to IAM POLICIES
- Click + ADD IAM POLICY then select Inline Policy
- Type no-object-lock as the policy name then click in the Policy Document area:
- Expand the List, Read, and Write fields
- Select all for List and Read fields
- Select PutObject for Write permission
- Notice that the write permissions relating to Object Lock are not selected
- Click Save then ADD the policy
Instructions
- Navigate to IAM ACCESS KEY then create a new keypair for the restricted IAM user
- Keep the credentials handy for the next step
Important
For the next task we need to have access to a system with root still enabled. As node 5 was removed from our cluster before we disabled root, we can use this node to complete our tasks.
Instructions
- SSH into your Node 5 as root using the password provided by the instructor
- Configure the aws command using a profile name
aws configure --profile restricted
- Set your Access / Secret keypair
- Set the region name to region1
- Set the output format to json (lower case)
Instructions
- Set your S3 region endpoint replacing X with your student number
echo "export s3_endpoint=s3-region1.studentX.cloudian.tech" >> ~/.bash_profile && source ~/.bash_profile
- Issue a list bucket operation to test your credentials
aws s3api --profile restricted --endpoint-url http://$s3_endpoint list-buckets
Instructions
We are now ready to test the permissions of the restricted IAM user
- Create a new 5 MB file
dd if=/dev/zero of=5mb bs=1M count=5
- Upload an object into the limited bucket
aws s3api --profile restricted --endpoint-url http://$s3_endpoint put-object --bucket limited --key 5mb --body ~/5mb
- List the limited bucket contents
aws s3api --profile restricted --endpoint-url http://$s3_endpoint list-objects --bucket limited
- List the versions of the limited bucket objects
aws s3api --profile restricted --endpoint-url http://$s3_endpoint list-object-versions --bucket limited
Info
Since the restricted user has all list and read permissions as well as the PutObject permission, this user is able to upload an object into the limited bucket and list its contents.
Instructions
- Upload an object and attempt to set the retention mode and a retention period many years from now
aws s3api --profile restricted --endpoint-url http://$s3_endpoint put-object --bucket limited --key mylongobj --body ~/5mb --object-lock-mode GOVERNANCE --object-lock-retain-until-date 2030-01-01T00:00:00
As expected, access is denied: the restricted user cannot set its own retention mode or period, so the bucket defaults (Compliance Mode, 1 day) apply to the upload.
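The policy built in the CMC editor above and the denied put-object test can be checked offline before the IAM user is ever used. The following is an added example, not part of the lab or of HyperStore: it embeds a constructed JSON inline policy assumed to be equivalent to the no-object-lock policy (all List/Read actions plus s3:PutObject), evaluates single actions against it with IAM-style wildcards, and reports which standard S3 Object Lock override actions the policy would still grant.

```python
import fnmatch
import json

# Constructed inline policy, assumed equivalent in intent to the lab's
# "no-object-lock" policy: every List and Read action, PutObject, nothing else.
# The exact actions the CMC visual editor emits are an assumption; adjust to match.
NO_OBJECT_LOCK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:List*", "s3:Get*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "*"},
    ],
}

# Standard AWS S3 actions that let a caller set or loosen retention. A policy
# meant to enforce the bucket defaults must grant none of them.
LOCK_OVERRIDE_ACTIONS = (
    "s3:PutObjectRetention",
    "s3:PutObjectLegalHold",
    "s3:BypassGovernanceRetention",
    "s3:PutBucketObjectLockConfiguration",
)


def is_allowed(policy, action):
    """Minimal IAM evaluation for one action: an explicit Deny wins,
    otherwise any matching Allow grants it. Action matching is
    case-insensitive with '*' and '?' wildcards, as in IAM."""
    decision = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


def lock_override_leaks(policy):
    """Return the Object Lock override actions this policy would grant."""
    return [a for a in LOCK_OVERRIDE_ACTIONS if is_allowed(policy, a)]


if __name__ == "__main__":
    print(json.dumps(NO_OBJECT_LOCK_POLICY, indent=2))
    print("PutObject allowed:", is_allowed(NO_OBJECT_LOCK_POLICY, "s3:PutObject"))
    print("Object Lock overrides granted:", lock_override_leaks(NO_OBJECT_LOCK_POLICY))
```

An empty list from lock_override_leaks is the condition the lab relies on; a policy that grants s3:* or any of the listed actions lets the client override the bucket's Compliance Mode default per upload.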