From 7ffeb0cfde4a18613ddf7a410349cff8b30fc46f Mon Sep 17 00:00:00 2001 From: lason-ovh <115475837+lason-ovh@users.noreply.github.com> Date: Mon, 11 Aug 2025 17:17:41 +0200 Subject: [PATCH 1/8] Update guide.en-gb.md add support for ip filterinf --- .../guide.en-gb.md | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md index 132d80b49f2..c47400f9fae 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md @@ -164,6 +164,77 @@ Some examples of JSON configuration files: } ``` + +**Allow read objects only for specific ips** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations for specific ips by whitelisting authorized ips** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read objects for specific ips by blacklisting unauthorized ips** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + + ### List of supported actions | Action | Scope | 
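Review bot: In hunk @@ -164,6 +164,77 @@ of guide.en-gb.md, the first and third policies grant `s3:ListBucket` and `s3:ListBucketVersions` against `arn:aws:s3:::companybucket/*` only; both are bucket-scoped actions (the table in the same file lists `s3:ListBucket` with scope Bucket), so listing will not be authorized unless `arn:aws:s3:::companybucket` is added to `Resource`, as the second example already does. Three more points on the same hunk: the "whitelisting" example is a `Deny` with `NotIpAddress` and on its own grants nothing, so the heading should say it must be paired with an `Allow` statement (the explicit deny then wins for every other source address); the "blacklisting" example is an `Allow` with `NotIpAddress`, which is an allow for every other address rather than a deny, so either retitle it or express it as `"Effect": "Deny"` with `"IpAddress"`, which also cannot be overridden by another `Allow`; and `"10.0.0.5/16"` has host bits set, so write the sample as `10.0.0.0/16` (a network) or `10.0.0.5/32` (a single host) to make clear which form the reader should copy.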
From 9030e0571fed002163a455f48b8a602cdc5ce86b Mon Sep 17 00:00:00 2001 From: lason-ovh <115475837+lason-ovh@users.noreply.github.com> Date: Mon, 11 Aug 2025 17:21:36 +0200 Subject: [PATCH 2/8] Update guide.fr-fr.md ajout du support pour le filtrage par ips --- .../guide.fr-fr.md | 70 +++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md index 8cf9ef086d0..a04367563f6 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md 
@@ -164,6 +164,76 @@ Quelques exemples de fichiers de configuration JSON : } ``` +**Accès en lecture sur les objets seulement à des ips specifiques** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Accès à toutes les opérations à des ips spécifiques en whitelistant les ips autorisées** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Refuser l'accès en lecture aux objets à des ips spécifiques en blacklistant les ips non-autorisées** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + + ### Liste des actions supportées | Action | Scope | From dce1f931b97f88f82dbbb2ad02614114a9a87db5 Mon Sep 17 00:00:00 2001 
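Review bot: The fr-fr hunk @@ -164,6 +164,76 @@ is a verbatim copy of the en-gb policies and carries the same defects (bucket-scoped `s3:ListBucket`/`s3:ListBucketVersions` granted on `companybucket/*` only, a `Deny`-only "whitelist" that needs a companion `Allow`, an `Allow` with `NotIpAddress` titled as a deny, and the `10.0.0.5/16` sample with host bits set), so fix them once at the source before duplicating. The headings also need `spécifiques` (accent) and, in French, the invariable `IP` rather than `ips`.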
From: Yoann Cosse Date: Wed, 13 Aug 2025 15:40:00 +0200 Subject: [PATCH 3/8] Proofreading & duplication --- .../guide.de-de.md | 91 ++++++++++++++++++- .../guide.en-asia.md | 91 ++++++++++++++++++- .../guide.en-au.md | 91 ++++++++++++++++++- .../guide.en-ca.md | 91 ++++++++++++++++++- .../guide.en-gb.md | 9 +- .../guide.en-ie.md | 91 ++++++++++++++++++- .../guide.en-sg.md | 91 ++++++++++++++++++- .../guide.en-us.md | 91 ++++++++++++++++++- .../guide.es-es.md | 91 ++++++++++++++++++- .../guide.es-us.md | 91 ++++++++++++++++++- .../guide.fr-ca.md | 90 +++++++++++++++++- .../guide.fr-fr.md | 9 +- .../guide.it-it.md | 91 ++++++++++++++++++- .../guide.pl-pl.md | 91 ++++++++++++++++++- .../guide.pt-pt.md | 91 ++++++++++++++++++- 15 files changed, 1177 insertions(+), 23 deletions(-) diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md index 239d5bbec91..f7fec4e2a9a 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.de-de.md @@ -1,7 +1,7 @@ --- title: Object Storage - Identitäts- und Zugriffsverwaltung (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective 
@@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json @@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | 
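Review bot: In the de-de hunk @@ -120,6 +120,24 @@, the callout reads `explictly` (typo for `explicitly`), wraps the action name in stray parentheses (`The (\`s3:ListAllMyBuckets\`) action`), and refers to a `deny` effect while the JSON value is `Deny`; the `Sid` `DenyListBucket` is also easy to confuse with `s3:ListBucket`, so `DenyListAllMyBuckets` would be clearer. In the following hunk @@ -146,6 +164,76 @@ the three IP policies use `"Statement": { ... }` (an object) while the example just above uses `"Statement":[{ ... }]` (an array); pick one form for the whole page. These copies also add an extra blank line before the first IP heading (`+` followed by `+**Allow read access ...`), the same blank line this commit removes from en-gb in hunk @@ -234,7 +234,6 @@. The same hunks are repeated verbatim in the en-asia, en-au, en-ca, en-ie, en-sg, en-us, es-es and es-us copies below, so these fixes, together with the policy defects raised on PATCH 1, should be applied to the source file and re-duplicated rather than patched per locale.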
@@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-asia.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-asia.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-asia.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-asia.md @@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
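Review bot: In the de-de hunk @@ -176,6 +264,7 @@ the new row lists `s3:ListAllMyBuckets` with scope Bucket, yet the example policy for it uses `"Resource":["*"]` and the action lists every bucket of the account rather than acting on one bucket; if the Scope column is meant to tell readers which ARN to put in `Resource`, this row needs a different value or a footnote saying `*` is expected. The same row is added to every other locale in this commit, so one decision covers all of them.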
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-au.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-au.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-au.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-au.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ca.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ca.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ca.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ca.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md index c47400f9fae..57799b7526b 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-07-11 +updated: 2025-08-25 --- ## Objective @@ -165,7 +165,7 @@ Some examples of JSON configuration files: ``` -**Allow read objects only for specific ips** +**Allow read access to objects only to specific IPs** ```json { @@ -189,7 +189,7 @@ Some examples of JSON configuration files: } ``` -**Allow all operations for specific ips by whitelisting authorized ips** +**Allow all operations to specific IPs by whitelisting authorized IPs** ```json { @@ -210,7 +210,7 @@ Some examples of JSON configuration files: } ``` -**Deny read objects for specific ips by blacklisting unauthorized ips** +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** ```json { @@ -234,7 +234,6 @@ Some examples of JSON configuration files: } ``` - ### List of supported actions | Action | Scope | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ie.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ie.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ie.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-ie.md @@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective 
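Review bot: The en-gb hunks @@ -165,7 +165,7 @@, @@ -189,7 +189,7 @@ and @@ -210,7 +210,7 @@ only reword the headings, and the new second heading `Allow all operations to specific IPs by whitelisting authorized IPs` still describes a statement whose only effect is `Deny`; since this is the proofreading pass, it is the place to say that the statement must be combined with an `Allow` and to correct the third heading, which calls an `Allow` with `NotIpAddress` a deny.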
@@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json @@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | 
@@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-sg.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-sg.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-sg.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-sg.md @@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-us.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-us.md index e345c6be963..55eae04b282 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-us.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-us.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Identity and access management excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-es.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-es.md index 984d203cf6c..68d3d532509 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-es.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-es.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Gestión de identidad y acceso (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-us.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-us.md index 984d203cf6c..68d3d532509 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-us.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.es-us.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Gestión de identidad y acceso (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md index 2f8d7937ea7..b8a7ee6c713 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Gestion des identités et des accès excerpt: Ce guide a pour objectif de vous montrer la gestion de vos identités et accès à vos ressources Object Storage -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objectif @@ -120,6 +120,24 @@ Quelques exemples de fichiers de configuration JSON : } ``` +**Refuser l'affichage de tous les buckets appartenant au compte.** + +> [!primary] +> +> L'action (`s3:ListAllMyBuckets`) est autorisée par défaut pour un utilisateur donné. Ajouter explicitement un `deny`{.action} si vous souhaitez refuser l'utilisation de l'opération d'API `ListBuckets`{.action}. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Autoriser toutes les opérations sur toutes les ressources d'un projet** ```json 
@@ -146,6 +164,75 @@ Quelques exemples de fichiers de configuration JSON : } ``` +**Aautoriser l'accès en lecture sur les objets uniquement à des IPs specifiques** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Autoriser l’accès à toutes les opérations uniquement depuis certaines adresses IP en utilisant une liste blanche des adresses autorisées** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Refuser l’accès en lecture aux objets depuis certaines adresses IP en utilisant une liste noire des adresses non autorisées.** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### Liste des actions supportées | Action | Scope | @@ -176,6 +263,7 @@ Quelques exemples de fichiers de configuration JSON : | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md index a04367563f6..b8a7ee6c713 100644 
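Review bot: "Aautoriser" in the first heading is a typo for "Autoriser", "specifiques" is missing its accent ("spécifiques"), and the third heading ends with a full stop unlike the other two. The JSON is a verbatim copy of the English examples, so the same fixes apply: `s3:ListBucket` and `s3:ListBucketVersions` need the bucket ARN `arn:aws:s3:::companybucket` in `Resource`, and `10.0.0.5/16` should be `10.0.0.0/16` or a `/32`.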
--- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md @@ -1,7 +1,7 @@ --- title: Object Storage - Gestion des identités et des accès excerpt: Ce guide a pour objectif de vous montrer la gestion de vos identités et accès à vos ressources Object Storage -updated: 2025-07-11 +updated: 2025-08-25 --- ## Objectif @@ -164,7 +164,7 @@ Quelques exemples de fichiers de configuration JSON : } ``` -**Accès en lecture sur les objets seulement à des ips specifiques** +**Aautoriser l'accès en lecture sur les objets uniquement à des IPs specifiques** ```json { @@ -188,7 +188,7 @@ Quelques exemples de fichiers de configuration JSON : } ``` -**Accès à toutes les opérations à des ips spécifiques en whitelistant les ips autorisées** +**Autoriser l’accès à toutes les opérations uniquement depuis certaines adresses IP en utilisant une liste blanche des adresses autorisées** ```json { @@ -209,7 +209,7 @@ Quelques exemples de fichiers de configuration JSON : } ``` -**Refuser l'accès en lecture aux objets à des ips spécifiques en blacklistant les ips non-autorisées** +**Refuser l’accès en lecture aux objets depuis certaines adresses IP en utilisant une liste noire des adresses non autorisées.** ```json { @@ -233,7 +233,6 @@ Quelques exemples de fichiers de configuration JSON : } ``` - ### Liste des actions supportées | Action | Scope | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.it-it.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.it-it.md index 832d06b2d69..f047ebf9e3f 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.it-it.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.it-it.md 
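Review bot: the retitled first heading introduces the typo "Aautoriser" and keeps "specifiques" without its accent; the heading ending "non autorisées." should drop the trailing full stop for consistency with its neighbours. The `@@ -233,7 +233,6 @@` hunk only removes a blank line and is fine.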
@@ -1,7 +1,7 @@ --- title: Object Storage - Identità e gestione degli accessi (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
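Review bot: "explictly" in the callout should be "explicitly", and the parentheses around `s3:ListAllMyBuckets` are unnecessary. This English text is copied unchanged into the pl-pl and pt-pt files below, so fix all three copies; the `Sid` `DenyListBucket` has the same naming problem as in the fr-ca copy (it denies `s3:ListAllMyBuckets`, not `s3:ListBucket`).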
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pl-pl.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pl-pl.md index 38f19908239..b583e7cc36b 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pl-pl.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pl-pl.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Zarządzanie tożsamością i dostępem (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pt-pt.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pt-pt.md index c23c6ff8930..9c1bd3b8bc9 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pt-pt.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.pt-pt.md 
@@ -1,7 +1,7 @@ --- title: Object Storage - Gerenciamento de identidade e acesso (EN) excerpt: The purpose of this guide is to show you how to manage your identities and access your Object Storage resources -updated: 2025-03-21 +updated: 2025-08-25 --- ## Objective @@ -120,6 +120,24 @@ Some examples of JSON configuration files: } ``` +**Deny listing of all buckets owned by the parent account** + +> [!primary] +> +> The (`s3:ListAllMyBuckets`) action is allowed by default for a given user. Add the `deny`{.action} effect if you want to explictly refuse the use of the `ListBuckets`{.action} API operation. +> + +```json +{ + "Statement":[{ + "Sid": "DenyListBucket", + "Effect": "Deny", + "Action":["s3:ListAllMyBuckets"], + "Resource":["*"] + }] +} +``` + **Allow all operations on all project resources** ```json 
@@ -146,6 +164,76 @@ Some examples of JSON configuration files: } ``` + +**Allow read access to objects only to specific IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Allow all operations to specific IPs by whitelisting authorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Deny", + "Action": "s3:*", + "Resource": [ + "arn:aws:s3:::companybucket", + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + ### List of supported actions | Action | Scope | @@ -176,6 +264,7 @@ Some examples of JSON configuration files: | s3:GetObjectRetention | Object | | s3:GetObjectTagging | Object | | s3:GetReplicationConfiguration | Bucket | +| s3:ListAllMyBuckets | Bucket | | s3:ListBucket | Bucket | | s3:ListBucketMultipartUploads | Bucket | | s3:ListMultipartUploadParts | Object | From 995e2812bba310dc1ad09b7de5417a257e0df8b4 Mon Sep 17 00:00:00 2001 From: benchbzh Date: Thu, 14 Aug 2025 09:04:52 +0200 Subject: [PATCH 4/8] minor update FR versions --- .../s3_identity_and_access_management/guide.fr-ca.md | 2 +- .../s3_identity_and_access_management/guide.fr-fr.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md index b8a7ee6c713..1d34b3e7075 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-ca.md @@ -164,7 +164,7 @@ Quelques exemples de fichiers de configuration JSON : } ``` -**Aautoriser l'accès en lecture sur les objets uniquement à des IPs specifiques** +**Autoriser l'accès en lecture sur les objets uniquement à des adresses IP specifiques** ```json { diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md index b8a7ee6c713..1d34b3e7075 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md @@ -164,7 +164,7 @@ Quelques exemples de fichiers de configuration JSON : } ``` -**Aautoriser l'accès en lecture sur les objets uniquement à des IPs specifiques** +**Autoriser l'accès en lecture sur les objets uniquement à des adresses IP specifiques** ```json { From 07920e70a348b23834a40fd281fed29255b6c753 Mon Sep 17 00:00:00 2001 From: lason-ovh <115475837+lason-ovh@users.noreply.github.com> Date: Thu, 21 Aug 2025 16:37:12 +0200 Subject: [PATCH 5/8] Update guide.fr-fr.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fix documentation car blacklist ips sera pas supporté --- .../guide.fr-fr.md | 48 ------------------- 1 file changed, 48 deletions(-) 
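Review bot: the fix from "Aautoriser" to "Autoriser" leaves "specifiques" without its accent ("spécifiques") in both the fr-ca and fr-fr headings; worth correcting in the same commit.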
diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md index 1d34b3e7075..0138ac27db6 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md @@ -164,30 +164,6 @@ Quelques exemples de fichiers de configuration JSON : } ``` -**Autoriser l'accès en lecture sur les objets uniquement à des adresses IP specifiques** - -```json -{ - "Statement": { - "Sid": "ExampleStatement01", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketVersions" - ], - "Resource": [ - "arn:aws:s3:::companybucket/*" - ], - "Condition": { - "IpAddress": { - "aws:SourceIp": "10.0.0.5/16" - } - } - } -} -``` - **Autoriser l’accès à toutes les opérations uniquement depuis certaines adresses IP en utilisant une liste blanche des adresses autorisées** ```json @@ -209,30 +185,6 @@ Quelques exemples de fichiers de configuration JSON : } ``` -**Refuser l’accès en lecture aux objets depuis certaines adresses IP en utilisant une liste noire des adresses non autorisées.** - -```json -{ - "Statement": { - "Sid": "ExampleStatement01", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketVersions" - ], - "Resource": [ - "arn:aws:s3:::companybucket/*" - ], - "Condition": { - "NotIpAddress": { - "aws:SourceIp": "10.0.0.5/16" - } - } - } -} -``` - ### Liste des actions supportées | Action | Scope | From fa0d1b2d40b3ac6e71ffef5358b0dc7dd550eda4 Mon Sep 17 00:00:00 2001 
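Review bot: this removes the `IpAddress` allow example and the `NotIpAddress` allow example from fr-fr only, while the identical examples added in the previous commit remain in en-gb, fr-ca, it-it, pl-pl and pt-pt; either remove them everywhere or keep them everywhere with an explicit note that they do not restrict the bucket owner. The commit message gives "blacklist ips" as the reason, but the deleted `IpAddress` example is an allow-list, so the actual reason (no implicit deny for the owner) should be stated in the doc rather than only in the commit.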
From: lason-ovh <115475837+lason-ovh@users.noreply.github.com> Date: Thu, 21 Aug 2025 17:40:30 +0200 Subject: [PATCH 6/8] Update guide.en-gb.md overhaul user policy doc to explain that implicit deny is not supported --- .../guide.en-gb.md | 76 ++++++++++++++----- 1 file changed, 58 insertions(+), 18 deletions(-) diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md index 57799b7526b..4d3e7493e0f 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md 
@@ -81,6 +81,23 @@ Select the access profile for this user and click `Confirm`{.action}. ### Advanced resource access management +#### Overview +By default, all resources (buckets, objects) and sub-resources (lifecycle configuration, webite configuration, ...etc) are private in Object Storage. Only the resource owner, i.e the user account that creates it, has full control. + +Access to private resources can be granted via access policies. + +Access policies can be categorized broadly into 2 types : +- user based: access policies attached to a specific user are called user policies. A user policy is evaluated using Object Storage IAM permissions and applies only to the specific user it is attached to. +- resource based : bucket policies and ACLs are policies that are attached directly to specific resources + +Access policies attached to a specific user are called user policies. A user policy is evaluated using Object Storage IAM permissions and applies only to the specific user it is attached to. + +> [!primary] +> +> Bucket policies is a feature that is not yet available for Object Storage. This article is about user policies. +> +> + You can refine your permissions by importing a JSON configuration file. To do this, go to the `Object Storage Policy Users`{.action} tab. ![Object Storage users](images/highperf-identity-and-access-management-20220928084435242.png) @@ -91,8 +108,25 @@ Click on the `...`{.action} at the end of your user's line, then `Import JSON fi > > If you want to change a user's rights, you may need to download the JSON configuration file in advance by selecting `Download JSON File`{.action}. > +> + + +#### Understanding the user policy evaluation process +At the moment, user permissions are evaluated as follows: +1. if exists, evaluate user policy
+ 1.1 check for an explicit deny: if there is an explicit deny, then deny permission, else, check for an explicit allow
+ 1.2 check for an explicit allow: if there is an explicit allow, then allow permission
+ 1.3 if there is no explicit deny nor explicit allow, then fallback to ACLs
+2. fallback to ACLs -Some examples of JSON configuration files: +> [!primary] +> +> This evaluation process will be subject to change with the upcoming implementation of bucket policies. +> +> + + +#### Some examples of JSON configuration files: **Read/write access to a bucket and its objects** 
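Review bot: the nested steps `1.1`, `1.2` and `1.3` are written as top-level lines, so Markdown will not render them as a sub-list under step 1; indent them by three spaces or use `-` sub-bullets. Step 1.3 and step 2 both say "fallback to ACLs", so one of them is redundant. Typos and punctuation in the overview: "webite" should be "website", "...etc" should be "etc.", "i.e" should be "i.e.", "2 types :" should be "two types:", and "Bucket policies is a feature" should be "Bucket policies are a feature"; the sentence beginning "Access policies attached to a specific user" after the bullet list duplicates the first bullet. Headings: `#### Overview` needs a blank line before its paragraph, and `#### Some examples of JSON configuration files:` should not end with a colon.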
@@ -164,53 +198,59 @@ Some examples of JSON configuration files: } ``` - -**Allow read access to objects only to specific IPs** +**Allow all operations to specific IPs by whitelisting authorized IPs** ```json { "Statement": { "Sid": "ExampleStatement01", - "Effect": "Allow", - "Action": [ - "s3:GetObject", - "s3:ListBucket", - "s3:ListBucketVersions" - ], + "Effect": "Deny", + "Action": "s3:*", "Resource": [ + "arn:aws:s3:::companybucket", "arn:aws:s3:::companybucket/*" ], "Condition": { - "IpAddress": { + "NotIpAddress": { "aws:SourceIp": "10.0.0.5/16" } } } -} +} ``` -**Allow all operations to specific IPs by whitelisting authorized IPs** + + +> [!primary] +> +> As a consequence of the current authorization process, **implicit** deny is **not** supported by OVHcloud Object Storage if the user is the bucket owner i.e since ACLs are evaluated by default and since the bucket owner has FULL_CONTROL ACL, if the user is the bucket owner and even if there is no explicit allow in the policy file, he will be authorized. +> + +The following policy to attempt to allow read access to objects only to specific IPs will **not** work under current conditions if attached to the bucket owner i.e even if the bucket owner makes his requests from IPs that are not in the specified range, he will be authorized. 
```json { "Statement": { "Sid": "ExampleStatement01", - "Effect": "Deny", - "Action": "s3:*", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], "Resource": [ - "arn:aws:s3:::companybucket", "arn:aws:s3:::companybucket/*" ], "Condition": { - "NotIpAddress": { + "IpAddress": { "aws:SourceIp": "10.0.0.5/16" } } } -} +} ``` -**Deny read access to objects to specific IPs by blacklisting unauthorized IPs** +The following policy to attempt to deny read access to objects to specific IPs by blacklisting unauthorized IPs will **not** work under current conditions if attached to the bucket owner because there is no explicit deny and requests from the specified IPs will not match the allow, therefore, we fallback to the ACLs. ```json { From 5f264a6ef94cd35602cb3b3322bcd3d90833b3c4 Mon Sep 17 00:00:00 2001 From: lason-ovh <115475837+lason-ovh@users.noreply.github.com> Date: Thu, 21 Aug 2025 18:04:07 +0200 Subject: [PATCH 7/8] Update guide.fr-fr.md latest update: fr version --- .../guide.fr-fr.md | 82 ++++++++++++++++++- 1 file changed, 81 insertions(+), 1 deletion(-) diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md index 0138ac27db6..bc5edc6ed9d 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.fr-fr.md 
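Review bot: the heading "Allow all operations to specific IPs by whitelisting authorized IPs" sits over a statement whose only effect is `Deny`; per the evaluation process described above, this policy grants nothing by itself, and a non-owner user with only this policy attached would fall back to ACLs even for requests from inside the range. Retitle it ("Deny all operations from IP addresses outside an allow-list") and say where the allow comes from (bucket ownership or an ACL grant). In the kept `IpAddress` example, `s3:ListBucket` and `s3:ListBucketVersions` still lack the bucket ARN `arn:aws:s3:::companybucket` in `Resource`, so that policy would not match listing requests even for a non-owner, which muddies the "will not work because there is no implicit deny" explanation; and `10.0.0.5/16` should be `10.0.0.0/16` or a `/32`. Wording: "he will be authorized" should be "the request will be authorized", and "i.e" should be "i.e.".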
@@ -81,6 +81,18 @@ Sélectionnez le profil d'accès pour cet utilisateur et cliquez sur `Confirmer` ### Gestion avancée des accès aux ressources +#### Aperçu +Par défaut, toutes les ressources (buckets, objets) et sous-ressources (configuration de cycle de vie, configuration de site web, etc.) sont privées dans Object Storage. Seul le propriétaire de la ressource, c'est-à-dire le compte utilisateur qui l'a créée, dispose d'un contrôle total. + +L'accès aux ressources privées peut être accordé via des politiques d'accès. Les politiques d'accès peuvent être classées en deux grandes catégories : +- basées sur l'utilisateur : les politiques d'accès associées à un utilisateur spécifique sont appelées politiques utilisateur. Une politique utilisateur est évaluée à l'aide des autorisations IAM d'Object Storage et s'applique uniquement à l'utilisateur spécifique auquel elle est associée. +- basées sur les ressources : les bucket policies et les ACLs sont des politiques directement associées à des ressources spécifiques. + +> [!primary] +> +> Les bucket policies ne sont pas encore disponibles sur Object Storage. Cet article traite des politiques utilisateur. +> + Vous pouvez cependant affiner les droits via l'import d'un fichier de configuration JSON. Pour cela, rendez-vous dans l'onglet `Utilisateurs de stratégies Object Storage `{.action}. ![Object Storage users](images/highperf-identity-and-access-management-20220928084435242.png) 
@@ -92,7 +104,21 @@ Cliquez sur le bouton `...`{.action} à droite de votre utilisateur puis sur `I > Si vous souhaitez modifier les droits d'un utilisateur, téléchargez éventuellement le fichier de configuration JSON au préalable en sélectionnant `Télécharger le fichier JSON`{.action}. > -Quelques exemples de fichiers de configuration JSON : +#### Comprendre le processus d'évaluation des politiques utilisateur +Actuellement, les autorisations utilisateur sont évaluées comme suit : +1. si elle existe, évaluer la politique utilisateur sinon se référer aux ACLs
+ 1.1 vérifier s'il existe un refus explicite : s'il existe un refus explicite, refuser l'autorisation, sinon, vérifier s'il existe une autorisation explicite
+ 1.2 vérifier s'il existe une autorisation explicite : s'il existe une autorisation explicite, accorder l'autorisation
+ 1.3 s'il n'existe ni refus explicite ni autorisation explicite, se référer aux ACL
+2. Se référer aux ACLs + +> [!primary] +> +> Ce processus d'évaluation sera susceptible d'être modifié avec la mise en œuvre prochaine des bucket policies. +> + + +#### Quelques exemples de fichiers de configuration JSON : **Accès en lecture / écriture à un bucket et à ses objets** 
@@ -185,6 +211,60 @@ Quelques exemples de fichiers de configuration JSON : } ``` +> [!primary] +> +> En raison du processus d'autorisation actuel, le refus **implicite** n'est **pas** pris en charge par OVHcloud Object Storage si l'utilisateur est le propriétaire du bucket, c'est-à-dire que, puisque les ACLs sont évaluées par défaut et que le propriétaire du bucket dispose d'une ACL FULL_CONTROL, si l'utilisateur est le propriétaire du bucket, il sera autorisé même s'il n'y a pas d'autorisation explicite dans le fichier policy. +> + +La politique suivante visant à autoriser l'accès en lecture aux objets uniquement à des adresses IP spécifiques ne fonctionnera **pas** dans les conditions actuelles si elle est associée au propriétaire du bucket, c'est-à-dire que même si le propriétaire du bucket effectue ses requêtes à partir d'adresses IP qui ne se trouvent pas dans la plage spécifiée, il sera autorisé. + +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "IpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + +La politique suivante visant à refuser l'accès en lecture à des objets à des adresses IP spécifiques en mettant sur liste noire les adresses IP non autorisées ne fonctionnera **pas** dans les conditions actuelles si elle est associée au propriétaire du compartiment, car il n'y a pas de refus explicite et les requêtes provenant des adresses IP spécifiées ne correspondront pas à l'autorisation. Par conséquent, nous nous rabattons sur les ACLs. 
+ +```json +{ + "Statement": { + "Sid": "ExampleStatement01", + "Effect": "Allow", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketVersions" + ], + "Resource": [ + "arn:aws:s3:::companybucket/*" + ], + "Condition": { + "NotIpAddress": { + "aws:SourceIp": "10.0.0.5/16" + } + } + } +} +``` + + ### Liste des actions supportées | Action | Scope | From 049b2536c87f32289afa2d9dacadfdd28e7e0b64 Mon Sep 17 00:00:00 2001 From: lason-ovh <115475837+lason-ovh@users.noreply.github.com> Date: Thu, 21 Aug 2025 18:06:39 +0200 Subject: [PATCH 8/8] Update guide.en-gb.md minor fixes on latest version --- .../s3_identity_and_access_management/guide.en-gb.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md index 4d3e7493e0f..1c718a3aaae 100644 --- a/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md +++ b/pages/storage_and_backup/object_storage/s3_identity_and_access_management/guide.en-gb.md 
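Review bot: "propriétaire du compartiment" mixes terminology, the rest of the page uses "bucket"; "nous nous rabattons sur les ACLs" is first-person in a reference page (prefer "l'évaluation retombe sur les ACLs"); "ACL" and "ACLs" are both used in the evaluation steps. The `1.1` to `1.3` steps have the same rendering problem as the English version (not indented under step 1), and step 1 already ends with "sinon se référer aux ACLs", which makes step 2 redundant. Also, fr-ca was updated in lockstep with fr-fr in the earlier commits but receives none of this overview and caveat content.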
@@ -84,13 +84,10 @@ Select the access profile for this user and click `Confirm`{.action}. #### Overview By default, all resources (buckets, objects) and sub-resources (lifecycle configuration, webite configuration, ...etc) are private in Object Storage. Only the resource owner, i.e the user account that creates it, has full control. -Access to private resources can be granted via access policies. - -Access policies can be categorized broadly into 2 types : +Access to private resources can be granted via access policies. Access policies can be categorized broadly into 2 types : - user based: access policies attached to a specific user are called user policies. A user policy is evaluated using Object Storage IAM permissions and applies only to the specific user it is attached to. - resource based : bucket policies and ACLs are policies that are attached directly to specific resources -Access policies attached to a specific user are called user policies. A user policy is evaluated using Object Storage IAM permissions and applies only to the specific user it is attached to. > [!primary] > @@ -113,7 +110,7 @@ Click on the `...`{.action} at the end of your user's line, then `Import JSON fi #### Understanding the user policy evaluation process At the moment, user permissions are evaluated as follows: -1. if exists, evaluate user policy
+1. if exists, evaluate user policy else fallback to ACLs
1.1 check for an explicit deny: if there is an explicit deny, then deny permission, else, check for an explicit allow
1.2 check for an explicit allow: if there is an explicit allow, then allow permission
1.3 if there is no explicit deny nor explicit allow, then fallback to ACLs
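Review bot: with step 1 now reading "if exists, evaluate user policy else fallback to ACLs", both step 1.3 and step 2 repeat the same fallback; drop step 2 (or revert the step 1 change) and write "if one exists". The series also ends with en-gb and fr-fr carrying the implicit-deny caveat while fr-ca, it-it, pl-pl and pt-pt still present the two `Allow` examples with `IpAddress` and `NotIpAddress` conditions as working restrictions; the locales should be aligned before merge.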