Databases Reference
In-Depth Information
Finally, the headers are constructed and the call to retrieve the object is made. As you can see in listing 11.4, the signature (a base64-encoded HMAC-SHA1 over the string to sign, not an encrypted value) is combined in the Authorization header with your AWS access key ID, and the call is made. Only the access key ID travels in the request; the secret key is used to compute the signature and is never sent. The x-amz-date header must carry the same timestamp that went into the string to sign, otherwise S3 rejects the request with a SignatureDoesNotMatch error.
Listing 11.4
XQuery for REST HTTP GET with the AWS security credentials
let $headers :=
    <headers>
        <header name="Authorization" value="AWS {$s3-access-key}:{$signature}"/>
        <header name="x-amz-date" value="{$date}"/>
    </headers>
let $url := xs:anyURI(concat($amazon-s3:endpoint, $bucket, '/', $object))
let $results := httpclient:get($url, false(), $headers)
(: the response element carrying the HTTP status, headers and body :)
return $results
In addition to the request signing used to retrieve objects, S3 provides access-control mechanisms that let you allow others to view, download, and update your buckets and objects. For example:
Identity and Access Management (IAM)
Access-control lists (ACLs)
Bucket policies
11.3.1 Identity and Access Management (IAM)
IAM lets you create multiple users within a single AWS account, assign credentials to each user, and manage their permissions. IAM is typically used in organizations that want to give several employees access to one AWS account without sharing the account's root credentials. Permissions are managed through a set of IAM policies attached to specific users (or to the groups and roles those users belong to).
For example, you can allow a user dan to add and delete images in your web-site-images bucket.
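The policy for dan, worked through as an added example in Python rather than the chapter's XQuery (this is not code from the book or from AWS): the JSON below is the identity policy you would attach to the IAM user, and is_allowed is a simplified evaluator that applies the core IAM decision rules to it (implicit deny by default, an explicit Deny overriding any Allow, "*" wildcards in Action and Resource). It ignores Principal, Condition, NotAction and resource-based policies, which real IAM also evaluates. The bucket name web-site-images and the user dan come from the text; the second bucket name payroll-backups is a constructed example.

```python
import fnmatch
import json

# Identity policy for IAM user "dan" (constructed example, not from the book
# or AWS). He may add and delete objects in web-site-images and list the
# bucket, and is explicitly denied from changing any ACL.
DAN_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            # Object-level actions need the object ARN form "bucket/*" ...
            "Sid": "ManageImages",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::web-site-images/*",
        },
        {
            # ... while bucket-level actions need the bare bucket ARN.
            "Sid": "ListImages",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::web-site-images",
        },
        {
            # An explicit Deny wins over any Allow, something an ACL cannot express.
            "Sid": "NeverChangeAcls",
            "Effect": "Deny",
            "Action": ["s3:PutObjectAcl", "s3:PutBucketAcl"],
            "Resource": "*",
        },
    ],
})


def _as_list(value):
    """IAM allows Action and Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case):
    """Wildcard match; action names are case-insensitive in IAM, ARNs are not."""
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(policy_json, action, resource):
    """Decide whether `action` on `resource` is permitted by the policy.

    Simplified IAM evaluation: start from implicit deny; a matching Deny
    statement ends evaluation as denied; otherwise a matching Allow permits.
    """
    allowed = False
    for stmt in json.loads(policy_json)["Statement"]:
        if not (_matches(stmt["Action"], action, fold_case=True)
                and _matches(stmt["Resource"], resource, fold_case=False)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    checks = [
        ("s3:PutObject", "arn:aws:s3:::web-site-images/logo.png"),
        ("s3:PutObject", "arn:aws:s3:::web-site-images"),
        ("s3:PutObject", "arn:aws:s3:::payroll-backups/q1.csv"),
        ("s3:PutObjectAcl", "arn:aws:s3:::web-site-images/logo.png"),
    ]
    for action, arn in checks:
        verdict = "allow" if is_allowed(DAN_POLICY_JSON, action, arn) else "deny"
        print(f"{action:16} {arn:44} -> {verdict}")
```

The second check is the mistake practitioners most often make: a PutObject grant on the bare bucket ARN never matches, because object actions are evaluated against arn:aws:s3:::bucket/key, so the request falls through to the implicit deny.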
11.3.2 Access-control lists (ACL)
Access-control lists can be used to grant access to either buckets or individual objects. Unlike IAM policies, which can also contain explicit Deny statements, ACLs only grant permissions; they can't deny or otherwise restrict access. In other words, an ACL can only grant other AWS accounts (or predefined groups) access to your Amazon S3 resources, so the only way to take access away is to remove the grant.
Each access-control list can have up to 100 grants, and each grantee is either an individual AWS account or one of Amazon's predefined groups:
Authenticated Users group: consists of all AWS accounts; a request must be signed to qualify.
All Users group: consists of anyone; the request can be signed or unsigned, so a grant to this group makes the resource public.
When using ACLs, a grantee can be an AWS account or one of the predefined Amazon S3 groups, but it can't be an IAM user. To give an individual IAM user access, use an IAM policy instead.
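To make the grant-only model, the grantee types and the 100-grant limit concrete, here is an added example in Python (not the book's XQuery and not AWS code) that builds and parses the AccessControlPolicy XML document S3 exchanges on PUT and GET of the ?acl sub-resource. The element names, the xsi:type values CanonicalUser, Group and AmazonCustomerByEmail, the permission names and the two predefined-group URIs are those of the S3 REST ACL format; OWNER_ID is a constructed placeholder, not a real canonical user ID.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Added example, not code from the book or from AWS.
S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"

# The two predefined groups named in the text, as the URIs S3 expects.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

PERMISSIONS = ("READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL")
# Grantee type -> the child element that identifies the grantee.
GRANTEE_TYPES = {"CanonicalUser": "ID", "Group": "URI",
                 "AmazonCustomerByEmail": "EmailAddress"}
MAX_GRANTS = 100  # S3 caps an ACL at 100 grants

OWNER_ID = "0" * 64  # constructed placeholder canonical user ID


def check_grants(grants):
    """Return a list of problems with `grants`; an empty list means valid.

    Each grant is ((grantee_type, value), permission). There is no grantee
    type for an IAM user: an ACL can only name AWS accounts or groups.
    """
    problems = []
    if len(grants) > MAX_GRANTS:
        problems.append(f"{len(grants)} grants exceed the limit of {MAX_GRANTS}")
    for (kind, value), permission in grants:
        if kind not in GRANTEE_TYPES:
            problems.append(f"unsupported grantee type {kind!r} for {value!r}")
        if permission not in PERMISSIONS:
            problems.append(f"unknown permission {permission!r}")
    return problems


def build_acl(owner_id, grants):
    """Serialize an AccessControlPolicy document for PUT <resource>?acl."""
    problems = check_grants(grants)
    if problems:
        raise ValueError("; ".join(problems))
    parts = [f'<AccessControlPolicy xmlns="{S3_NS}">',
             f"<Owner><ID>{escape(owner_id)}</ID></Owner>",
             "<AccessControlList>"]
    for (kind, value), permission in grants:
        child = GRANTEE_TYPES[kind]
        parts.append(
            f'<Grant><Grantee xmlns:xsi="{XSI_NS}" xsi:type="{kind}">'
            f"<{child}>{escape(value)}</{child}></Grantee>"
            f"<Permission>{permission}</Permission></Grant>")
    parts.append("</AccessControlList></AccessControlPolicy>")
    return "".join(parts)


def parse_acl(xml_text):
    """Read an ACL document (as returned by GET <resource>?acl) into
    (grantee_type, value, permission) tuples."""
    ns = {"s3": S3_NS}
    root = ET.fromstring(xml_text)
    grants = []
    for grant in root.findall("s3:AccessControlList/s3:Grant", ns):
        grantee = grant.find("s3:Grantee", ns)
        kind = grantee.get(f"{{{XSI_NS}}}type")
        value = grantee.findtext(f"s3:{GRANTEE_TYPES.get(kind, 'ID')}", namespaces=ns)
        grants.append((kind, value, grant.findtext("s3:Permission", namespaces=ns)))
    return grants


def is_public(xml_text):
    """True when the AllUsers group holds any grant: unsigned requests succeed."""
    return any(kind == "Group" and value == ALL_USERS
               for kind, value, _ in parse_acl(xml_text))


# Constructed sample: the owner keeps full control, every AWS account may read.
SAMPLE_ACL = build_acl(OWNER_ID, [
    (("CanonicalUser", OWNER_ID), "FULL_CONTROL"),
    (("Group", AUTHENTICATED_USERS), "READ"),
])

if __name__ == "__main__":
    print(SAMPLE_ACL)
    print("public:", is_public(SAMPLE_ACL))
```

When you send this body with the XQuery client from listing 11.4, remember that the ?acl sub-resource is part of the canonicalized resource in the string to sign; omitting it produces a SignatureDoesNotMatch error. The is_public check is the one worth running over every bucket you own, since a single READ grant to the AllUsers group is all it takes to expose a resource to unsigned requests.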