Security Models

All editions of Yarkon support two security models: Shared and Integrated.

It is recommended that you start using Yarkon with the Shared Security Model, as it is much simpler to get up and running. You can later migrate to the more complex Integrated Security Model, which requires a deeper understanding of the AWS IAM system.

You can always change the security model using the Yarkon Admin Console Administrator settings.

Shared Security Model

When using the Shared Security Model, all users have the same access permissions, as defined by the permissions given to the Yarkon Admin Console through the AMI AWS Role (when using the Enterprise Edition or Team Edition) or the AWS API credentials (when using the Cloud Edition).

This security model is simple and easy to set up, as it does not require creating any users in IAM. Users can be added and removed through the Yarkon Admin Console without any need to use the AWS IAM service. It is sufficient for any organization that has a “flat” access model, meaning that all users can access the same files. For instance, this is common for organizations where S3 is used for storing documentation that is accessible to all employees without restrictions, such as company policies, user manuals, etc.

If you need to specify access per user, with different users having access to different buckets, you must use the Integrated Security Model instead.
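Because every user inherits whatever the shared role or API credentials allow, it is worth reviewing that policy before adding users. The following is an added example, not Yarkon's own code: it lists the buckets and S3 actions an identity policy grants and flags wildcard scopes. The policy document and bucket names are constructed, and the check is a simplification that reads only Allow statements and ignores Deny, NotAction, NotResource and Condition.

```python
import json

# Constructed sample, not taken from Yarkon: an identity policy attached to the
# role or API credentials that every user shares under the Shared model.
SHARED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
  {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-docs", "arn:aws:s3:::example-docs/*"]},
  {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-hr-*"}
 ]}
""")

S3_ARN = "arn:aws:s3:::"

def as_list(value):
    """IAM allows a single string or object wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def shared_exposure(policy):
    """Map each bucket (or bucket pattern) to the S3 actions all users inherit."""
    exposure = {}
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a for a in as_list(stmt.get("Action", []))
                   if a == "*" or a.lower().startswith("s3:")}
        for res in as_list(stmt.get("Resource", [])):
            if res == "*":
                bucket = "*"
            elif res.startswith(S3_ARN):
                bucket = res[len(S3_ARN):].split("/", 1)[0]
            else:
                continue  # not an S3 resource
            exposure.setdefault(bucket, set()).update(actions)
    return exposure

def findings(policy):
    """Flag grants worth reviewing before all users share them."""
    out = []
    for bucket, actions in sorted(shared_exposure(policy).items()):
        scoped = actions - {"s3:ListAllMyBuckets"}  # legitimately needs "*"
        if scoped and ("*" in bucket or "?" in bucket):
            out.append((bucket, "bucket name is a wildcard pattern"))
        out.extend((bucket, "wildcard action " + a)
                   for a in sorted(scoped) if "*" in a)
    return out

if __name__ == "__main__":
    for bucket, reason in findings(SHARED_POLICY):
        print(f"{bucket}: {reason}")
```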

To learn how to add users to Yarkon, check out the document Adding the users to Yarkon and verifying that the proper permissions are set.

Integrated Security Model

In the Integrated Security Model, Yarkon takes its permissions from IAM and ensures that users only get access to the buckets that they are allowed to access. This is the approach preferred by most enterprise clients, as it lets you manage user permissions in one place and ensure that different users get the appropriate permissions.

To use the Integrated Security Model, you need to have your organization set up in IAM. An example of such an organization is provided here: Setting up the users in AWS and granting them permissions to access buckets using Groups and Policies.

Once the permissions are properly set in AWS IAM, all it takes is to integrate the users in Yarkon with their respective AWS IAM users. For the complete details, check out the document Adding the users to Yarkon and verifying that the proper permissions are set.