download free 30 days trial version buy Bucket Explorer
   Documentation   Download   Purchase   Support   FAQs    Forum    Demo  

ACL Security

On-line support for Bucket Explorer for Amazon S3
Post a reply

ACL Security

Postby ispasic on Thu Jun 19, 2008 1:04 am

This is about ACL security between a shared bucket and objects inside the bucket.
We have purchased 5 bucketexplorer licenses to use as our preferred :) admin tool for Amazon S3. I then created a bucket called eg ...downloads-mycomp-com... and made changes to our DSN to point to our s3 account and made bucket shareable. This is all fine so I’ll move to the next point; within the bucket we created 5 folders for 5 administrators (eg Public, Marketing, Backup, RND, ETC,).

Now I need to limit their Write access only to their download/upload areas (eg ...downloads-mycomp-com/marketing/... where only the marketing admin should have write access).
Hence, all 5 administrators have their Amazon registered accounts and access to the shared bucket.

What ever scenario I tried I couldn’t get the ACL work correctly!!! :(

Are there limitations with Amazon S3 AWS or something to do with Bucketexplorer functionality accessing S3 AWS ?

Hence, I'm trying to avoid (as a workaround) creating a separate buckets and CNAMEs for each of those 5 folders in attempt to limit write access other then to their own.

Thanks in advance,
Ivan
ispasic
 
Posts: 3
Joined: Thu Jun 19, 2008 12:21 am
Location: Australia
Top

Postby saurabh on Thu Jun 19, 2008 11:41 am

I plan to post a detailed document answering these questions and the questions you asked in the email to our support team. It should be posted online before Monday.

In the meanwhile:
1) ACL on a Bucket and ACL on an object in that bucket are not related.
2) There is no concept of "folder" at Amazon S3. The folders that you see in Bucket Explorer are just files (objects) stores on Amazon S3 with a special name.

To restrict access in the example you have provided, I think the best way is to create 5 buckets and 5 CNAME entires for them. Also, if the 5 admins are using their own amazon.com accounts, it may be a better idea to create 5 "staging buckets" for them to work, and then "copy" (or move) the files in the target bucket using the new "copy" / "move" features of Bucket Explorer 2.0. This way, "you" will be the "owner" of the final files which are moved to production instead of making the other admins "owner" using their own IDs.

Another option is to use Bucket Explorer Team edition. We anticipate to start the beta next week.
saurabh
 
Posts: 60
Joined: Tue Aug 26, 2008 8:30 am
Top

Postby ispasic on Fri Jun 20, 2008 1:48 am

Thanks for a quick response,
I'll take your suggestions to the project team.
Though, creating staging environment will encourage an extra traffic and an extra overhead, but we have no much choice, we have to consider it.

Bucket Explorer Team Edition sounds interesting; I would like to evaulaute as soon as it becomes available.

Thanks again, Ivan
ispasic
 
Posts: 3
Joined: Thu Jun 19, 2008 12:21 am
Location: Australia
Top
Post a reply

Return to Bucket Explorer for Amazon S3 - Support Forum