{"id":24758,"date":"2018-09-25T19:51:17","date_gmt":"2018-09-25T15:51:17","guid":{"rendered":"https:\/\/www.msp360.com\/resources\/?p=24758"},"modified":"2024-01-05T14:13:35","modified_gmt":"2024-01-05T10:13:35","slug":"s3-access-control-tools","status":"publish","type":"post","link":"https:\/\/www.msp360.com\/resources\/blog\/s3-access-control-tools\/","title":{"rendered":"AWS Security In-Depth Part 1: ACLs vs Bucket Policies vs IAM"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">To use Amazon S3 effectively, you need to be aware of the security mechanisms provided by AWS to control your S3 resources. This is the first part in a three-part series on S3 security. In this part, we will discuss the three different access control tools provided by AWS to manage your S3 resources.<\/span><!--more--><\/p>\n<div class=\"table-of-content \">\n\t\t\t\t<p>Table of Contents<\/p>\n\t\t\t\t<ul><\/ul>\n\t\t\t\t<\/div>\n<h2>Background: Amazon S3 Access Control Tools<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-24926\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/AWS-S3-access-control-tools.png\" alt=\"AWS S3 access control tools\" width=\"800\" height=\"353\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/AWS-S3-access-control-tools.png 800w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/AWS-S3-access-control-tools-300x132.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/AWS-S3-access-control-tools-768x339.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/AWS-S3-access-control-tools-624x275.png 624w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">AWS has three different options for controlling access to your S3 buckets and objects. Each option is tailored for different circumstances. The three options are:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/dev\/example-policies-s3.html\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">User Policies<\/span><\/a><span style=\"font-weight: 400;\">: Use the AWS IAM policy syntax to grant access to <a href=\"https:\/\/www.msp360.com\/resources\/blog\/backup-with-iam-users\/\">IAM users<\/a> in your account.<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/dev\/example-bucket-policies.html\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">Bucket Policies<\/span><\/a><span style=\"font-weight: 400;\">: Use the AWS IAM policy syntax to manage access for a particular S3 bucket;<\/span><\/li>\n<li style=\"font-weight: 400;\"><a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/dev\/S3_ACLs_UsingACLs.html\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">Access Control Lists (ACLs)<\/span><\/a><span style=\"font-weight: 400;\">: Use XML syntax to grant access to specific S3 buckets or objects.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">One useful distinction between the S3 access control types is whether they are attached to a <\/span><i><span style=\"font-weight: 400;\">user<\/span><\/i><span style=\"font-weight: 400;\"> or to a <\/span><i><span style=\"font-weight: 400;\">resource<\/span><\/i><span style=\"font-weight: 400;\">. User policies are attached to a particular IAM user to indicate whether that user can access various S3 buckets and objects. In contrast, bucket policies and ACLs are attached to the resource itself -- either an S3 bucket or an S3 object -- to control access.<\/span><\/p>\n<p><span style=\"color: #e38934;\"><strong>Everything about backing up to Amazon S3:<\/strong><\/span> <!--HubSpot Call-to-Action Code --><span class=\"hs-cta-wrapper hs-cta-deferred\" id=\"hs-cta-wrapper-42c87c0e-f902-4164-8c10-fbf20dd99fdb\" data-portal=\"5442029\" data-id=\"42c87c0e-f902-4164-8c10-fbf20dd99fdb\"><span class=\"hs-cta-node hs-cta-42c87c0e-f902-4164-8c10-fbf20dd99fdb\" id=\"hs-cta-42c87c0e-f902-4164-8c10-fbf20dd99fdb\"><!--[if lte IE 8]><div id=\"hs-cta-ie-element\"><\/div><![endif]--><a href=\"https:\/\/cta-redirect.hubspot.com\/cta\/redirect\/5442029\/42c87c0e-f902-4164-8c10-fbf20dd99fdb\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" class=\"hs-cta-img\" id=\"hs-cta-img-42c87c0e-f902-4164-8c10-fbf20dd99fdb\" style=\"border-width:0px;\" src=\"https:\/\/no-cache.hubspot.com\/cta\/default\/5442029\/42c87c0e-f902-4164-8c10-fbf20dd99fdb.png\" alt=\"CTA\"><\/a><\/span><\/span><!-- end HubSpot Call-to-Action Code --><\/p>\n<p><span style=\"font-weight: 400;\">In the sections that follow, we\u2019ll review each of the three types of access control methods and describe when you should use each one.<\/span><\/p>\n<h2><a name=\"IAM\"><\/a>Managing Access with IAM Policies<\/h2>\n<p><span style=\"font-weight: 400;\">The most common way to manage access to your S3 resources is via IAM policies. <\/span><a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/introduction.html\"><span style=\"font-weight: 400;\">IAM<\/span><\/a><span style=\"font-weight: 400;\"> is AWS\u2019s comprehensive tool for managing identity and access control across all of its services. IAM allows you to set fine-grained access rules on your S3 resources for a particular user, from the wide ability to read, write, and destroy all S3 resources to a narrow ability to read a single S3 object.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Generally, you should prefer using IAM policies to manage access to your S3 bucket. User policies fit naturally with the broader AWS access management ecosystem, so you can manage all of your access policies in a central place. The tooling and capabilities around IAM are mature and can be used to identify human users or AWS resources -- such as <a href=\"https:\/\/www.msp360.com\/resources\/blog\/ec2-instance-types\/\">EC2 instances<\/a> or Lambda functions -- that have access to your end resources.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">IAM user policies are written in JavaScript Object Notation (JSON) and have a consistent structure across all AWS services. An IAM user policy will look similar to the following:<\/span><\/p>\n<pre>{\r\n   \"Version\":\"2012-10-17\",\r\n   \"Statement\":[\r\n      {\r\n         \"Effect\":\"Allow\",\r\n         \"Action\":[\r\n            \"s3:GetObject\"\r\n         ],\r\n         \"Resource\":\"arn:aws:s3:::mybucket\/*\"\r\n      }\r\n   ]\r\n}\r\n<\/pre>\n<p><span style=\"font-weight: 400;\">This policy would allow any user that is associated with it to read any object (via the \u201cs3:GetObject\u201d action) in the S3 bucket called \u201cmybucket\u201d.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Parts 2 and 3 of this <a href=\"https:\/\/www.msp360.com\/resources\/blog\/amazon-s3-backup-security-guide\/\">Amazon S3 Security<\/a> series will take a deeper look at writing S3 user policies and managing IAM identities, including creating IAM policies with MSP360 Explorer.<\/span><\/p>\n<h2>Controlling Access with Bucket Policies<\/h2>\n<p><span style=\"font-weight: 400;\">The second mechanism of S3 access control is via bucket policies. Bucket policies are similar to IAM user policies. They\u2019re written in the same JSON syntax and can be used to provide granular permissions on S3 resources. The main difference from IAM user policies is that bucket policies are attached to an S3 resource directly rather than to an IAM user.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There are three occasions where you may want to use a bucket policy rather than a user policy. First, if the only AWS service you\u2019re using is S3, you may find it easier to manage permissions directly within S3 via bucket policies. This mostly comes down to personal preference. However, if you\u2019re doing more advanced AWS usage, I would recommend using IAM for all access control where possible for the reasons mentioned in the previous section -- the tooling is more mature, and it\u2019s a centralized place for all identity management. <\/span><\/p>\n<p><span style=\"font-weight: 400;\">The second occasion where you may want to use bucket policies is for allowing access from a different AWS account. While you can <\/span><a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/tutorial_cross-account-with-roles.html\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">delegate IAM permissions across AWS accounts<\/span><\/a><span style=\"font-weight: 400;\">, it can be complex. Bucket policies are slightly easier to allow access to a different AWS account or even a particular IAM user within a separate AWS account.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The final situation where you might need to use bucket policies is for when you want to allow access to S3 resources based on something other than AWS IAM identity. For example, you could limit S3 access to <\/span><a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/dev\/example-bucket-policies.html#example-bucket-policies-use-case-3\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">requests from particular IP addresses<\/span><\/a><span style=\"font-weight: 400;\">. You could also limit access to media assets in your S3 bucket to <\/span><a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/dev\/example-bucket-policies.html#example-bucket-policies-use-case-4\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">requests from a specific referrer<\/span><\/a><span style=\"font-weight: 400;\"> so as to only allow your website to display images and video.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">While bucket policies may be helpful in specific circumstances, it is best to use IAM user policies where possible. IAM user policies can do almost everything that S3 bucket policies can do, plus IAM provides a centralized location for all of your AWS access control. It can be difficult to debug unexpected user access when you are spread across both IAM user policies and S3 bucket policies.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Setting Bucket Policies with MSP360 Explorer<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">You can use <\/span><a href=\"https:\/\/www.msp360.com\/explorer\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">MSP360 Explorer<\/span><\/a><span style=\"font-weight: 400;\"> to easily manage your S3 bucket policies.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">First, when looking at your buckets in MSP360 Explorer, select the bucket to which you wish to add a bucket policy. Then, click the \u201cBucket Policy\u201d button in the toolbar, as shown below.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-24759\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image3-3.png\" alt=\"\u201cBucket Policy\u201d button\" width=\"1009\" height=\"635\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image3-3.png 1009w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image3-3-300x189.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image3-3-768x483.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image3-3-624x393.png 624w\" sizes=\"auto, (max-width: 1009px) 100vw, 1009px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">This will open a wizard to help you write a bucket policy. You can use the wizard to construct your policy by specifying which permissions you want to apply, the principal to whom they will apply, the resource to which they will apply, and the conditions that will apply. A completed statement will look as follows:<\/span><br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-24760\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image1-3.png\" alt=\"Statement\" width=\"1014\" height=\"672\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image1-3.png 1014w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image1-3-300x199.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image1-3-768x509.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image1-3-624x414.png 624w\" sizes=\"auto, (max-width: 1014px) 100vw, 1014px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">You can check the syntax that will be created from the wizard by clicking the \u201cShow Script\u201d button. It will display your bucket policy statement as follows.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-24761\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image4-3.png\" alt=\"\u201cShow Script\u201d button\" width=\"1014\" height=\"694\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image4-3.png 1014w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image4-3-300x205.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image4-3-768x526.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image4-3-624x427.png 624w\" sizes=\"auto, (max-width: 1014px) 100vw, 1014px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">For more on writing bucket policy statements, check out Part 2 of this series on Amazon S3 Security In-Depth. In that section, we do a deep dive on the syntax of writing IAM and bucket policies to provide access to your S3 resources.<\/span><\/p>\n<h2>Using ACLs for S3 Access Control<\/h2>\n<p><span style=\"font-weight: 400;\">The final mechanism to control S3 access is using access control lists (ACLs). ACLs are similar to bucket policies in that they are attached directly to an S3 resource, either a bucket or an object. ACLs are more of a legacy feature and generally should be avoided. IAM user policies and bucket policies should be used whenever possible.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That said, there are a few situations where ACLs may be used to control S3 access. First, if you want to enable <\/span><a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/dev\/ServerLogs.html\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">Server Access Logging<\/span><\/a><span style=\"font-weight: 400;\"> on your S3 bucket, you will need to provide a bucket-level ACL that allows AWS\u2019s Log Delivery group to write to a particular S3 bucket.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">A second situation when you may want to use ACLs is if you want to provide cross-account access on an object-level basis, rather than on a bucket-level basis. As discussed in the previous section, it can be difficult to manage cross-account access via IAM policies. Bucket policies can assist with this but they can only be applied to a bucket. While it\u2019s possible to apply rules to prefixes within a bucket, it can still be difficult to provide the granular access control that you need. ACLs let you attach access control rules to S3 objects directly, giving you more flexibility.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There is one final note about ACLs that often trips up users. Each ACL rule you create must include a \u201cGrantee\u201d that specifies to whom the ACL applies. The Grantee may be either a specific AWS account or one of three predefined groups of users provided by AWS. The three predefined groups are the \u201cLog Delivery group\u201d (used for the Server Access Logging described above), the \u201cAll Users\u201d group (indicating that the ACL applies to <\/span><i><span style=\"font-weight: 400;\">all<\/span><\/i><span style=\"font-weight: 400;\"> requests to the given S3 resource), and the \u201cAuthenticated Users\u201d group.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The \u201cAuthenticated Users\u201d group is a common source of confusion with ACLs. Many AWS users believe this means \u201cany authenticated IAM user within my AWS account.\u201d However, the group actually includes all users in <\/span><i><span style=\"font-weight: 400;\">any<\/span><\/i><span style=\"font-weight: 400;\"> AWS account. Essentially, this gives access to the given S3 resource for anyone that is making a signed, authenticated request for your S3 resource. There are very few reasons to use the \u201cAuthenticated Users\u201d group in ACL policies.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">Managing ACLs with MSP360 Explorer<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">You can use <\/span><a href=\"https:\/\/www.msp360.com\/explorer\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">MSP360 Explorer<\/span><\/a><span style=\"font-weight: 400;\"> to set and update your ACLs on S3. Like bucket policies, ACLs can be attached to S3 buckets. Unlike bucket policies, ACLs can also be attached to individual S3 objects. In this section, you will learn how to use MSP360 Explorer to set ACLs on an S3 object. The experience is similar to set ACLs on an S3 bucket.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">First, navigate to the S3 object for which you wish to manage its ACL. After selecting it, right click and choose the \u201cACL Settings\u201d menu item as shown in the following image.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-24762\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image5-3.png\" alt=\"ACL Settings\" width=\"1013\" height=\"634\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image5-3.png 1013w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image5-3-300x188.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image5-3-768x481.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image5-3-624x391.png 624w\" sizes=\"auto, (max-width: 1013px) 100vw, 1013px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">This will open a wizard to manage your ACL policies for the S3 object. In setting an ACL, you need to think about two questions:<\/span><\/p>\n<ul>\n<li><strong>To whom<\/strong> you wish to grant permissions<\/li>\n<li><strong>Which<\/strong> permissions you wish to grant<\/li>\n<\/ul>\n<p>In choosing the Grantee (\u201cTo whom\u201d you will grant permissions), you can specify a particular AWS account, either by its root email address or by its account ID, or you can choose one of the predefined groups from AWS. Please read the preceding section on ACLs to know more about the predefined groups.<\/p>\n<p><span style=\"font-weight: 400;\">When choosing permissions, you can choose to provide read and write permissions on the object itself. You can also provide read and write permissions on the ACLs for the object. Finally, you can choose to give \u201cFull Control\u201d, which gives the ability for the Grantee to read and write both the object and the ACLs on the object.<\/span><\/p>\n<p>In the screenshot below, you can see how to set ACLs with MSP360 Explorer.<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-24763 size-full\" src=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image2-3.png\" alt=\"ACLs with MSP360 Explorer\" width=\"1010\" height=\"636\" srcset=\"https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image2-3.png 1010w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image2-3-300x189.png 300w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image2-3-768x484.png 768w, https:\/\/www.msp360.com\/resources\/wp-content\/uploads\/2018\/09\/image2-3-624x393.png 624w\" sizes=\"auto, (max-width: 1010px) 100vw, 1010px\" \/><\/p>\n<h2>Conclusion<\/h2>\n<p><span style=\"font-weight: 400;\">The S3 object storage service provided by Amazon Web Services is a rock-solid service that powers a huge portion of the internet. Introduced in 2006, S3 serves as the underlying technology for big data processing, media asset serving, and long-term archiving. However, the use of S3 to store large amounts of data and assets means that owners need to be careful to avoid data leakage or extravagant bills.<\/span><\/p>\n<p><span style=\"font-weight: 400;\"><a href=\"https:\/\/www.msp360.com\/resources\/blog\/amazon-s3-backup-security-guide\/\">S3 security<\/a> is a difficult area as evidenced by the frequency of S3 data breaches by major companies and tech consultancies. In this article, we reviewed the three different mechanisms that AWS provides for S3 access control. In general, you should prefer using IAM user policies whenever possible, falling back to bucket policies and ACLs only when IAM user policies do not meet your specific needs.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In part 2 of this series, we\u2019ll take a deeper look at writing IAM user policies to control access to S3 resources.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>To use Amazon S3 effectively, you need to be aware of the security mechanisms provided by AWS to control your S3 resources. This is the first part in a three-part series on S3 security. In this part, we will discuss the three different access control tools provided by AWS to manage your S3 resources.<\/p>\n","protected":false},"author":67,"featured_media":26036,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[877,885],"tags":[],"class_list":["post-24758","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-articles","category-other"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/24758","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/users\/67"}],"replies":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/comments?post=24758"}],"version-history":[{"count":2,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/24758\/revisions"}],"predecessor-version":[{"id":57238,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/posts\/24758\/revisions\/57238"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media\/26036"}],"wp:attachment":[{"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/media?parent=24758"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/categories?post=24758"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.msp360.com\/resources\/wp-json\/wp\/v2\/tags?post=24758"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}