Is it possible to use presigned URLs to upload files directly to an AWS S3 bucket with KMS encryption?
Looks like it's not possible, but maybe I missed something.
A little bit of context: we would like to use AWS SSE-KMS on our S3 bucket to encrypt our plaintext object uploads. I'm planning to only allow these permissions to an IAM role only used by our EC2 instances:
kms:GenerateDataKey
kms:Decrypt
What would normal users using our AWS account see when downloading objects from our bucket? Would the objects be encrypted since they don't have KMS permissions? Are they able to download these objects at all?
Thanks
Please explain who will request KMS keys when we upload an object to S3. Is it the uploader or S3 itself?
If S3 has to deal with KMS, it has to assume a role.
Or does S3 mention the uploader in the API request?
Binance made its data public through an s3 endpoint. The website is 'https://data.binance.vision/?prefix=data/'. Their bucket URL is 'https://s3-ap-northeast-1.amazonaws.com/data.binance.vision'. I want to download all the files in their bucket to my own s3 bucket. I can:
crawl this website and download the CSV files.
make a URL builder that builds all the URLs and downloads the CSV files using those URLs.
Since their data is stored on S3, I wonder if there is a cleaner way to sync their bucket to my bucket.
Is the third way really doable?
If you want to copy it to your own S3 bucket, you can do:
aws s3 sync s3://data.binance.vision s3://your-bucket-name --no-sign-request
If you want to copy it to your own computer into your current folder (.) you can do:
aws s3 sync s3://data.binance.vision . --no-sign-request
I have two AWS accounts. Each account has an S3 bucket and CloudFront which exposes the contents of the S3 bucket.
I would like to get rid of a CORS issue.
For that I need to serve all content using one CloudFront.
How can I grant permissions to the S3 bucket from account2 to CloudFront in account1?
This is possible if the bucket is publicly accessible. The bucket won't appear in the drop-down when you're creating the origin, but you can use the name as bucket.s3.region.amazonaws.com.
It is also possible using an origin access identity. First use your own bucket so that CloudFront creates the bucket policy automatically; you should be able to see the IAM identity in CloudTrail. You can then copy the same policy to the S3 bucket in the other account, and the OAI should work.
I get a pre-signed AWS S3 URL to upload documents. How do I upload a file to this pre-signed URL? Do I need to create a bucket (I don't know what a bucket is)? Do I need credentials for S3 to upload a document using a pre-signed URL?
You can upload a file to an S3 pre-signed URL using curl:
curl -T dog.png "<pre-signed url here>"
Yes, the bucket needs to exist in advance.
No, you don't need additional credentials.
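Added example, not part of any post above: for the SSE-KMS question at the top of the page and the pre-signed upload just described, this standard-library Python builds a SigV4 presigned PUT URL whose signature covers the SSE-KMS headers, so the uploader has to send them unchanged. The function name, credentials, bucket and key ARN are constructed placeholders. S3 calls KMS under the identity that signed the URL, so that principal needs kms:GenerateDataKey on the key.

```python
import datetime, hashlib, hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_put_sse_kms(access_key, secret_key, region, bucket, key,
                        kms_key_id, expires=900, session_token=None, now=None):
    """Return (url, headers_to_send) for a presigned PUT that requires SSE-KMS."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    host = f"{bucket}.s3.{region}.amazonaws.com"
    # Signed headers: the upload fails signature validation if any is changed or missing.
    headers = {
        "host": host,
        "x-amz-server-side-encryption": "aws:kms",
        "x-amz-server-side-encryption-aws-kms-key-id": kms_key_id,
    }
    signed = ";".join(sorted(headers))
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": signed,
    }
    if session_token:  # needed when signing with temporary (role) credentials
        query["X-Amz-Security-Token"] = session_token
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))
    path = "/" + quote(key, safe="/")
    canonical_headers = "".join(f"{h}:{headers[h].strip()}\n" for h in sorted(headers))
    canonical_request = "\n".join(
        ["PUT", path, canonical_query, canonical_headers, signed, "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    signing_key = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    url = f"https://{host}{path}?{canonical_query}&X-Amz-Signature={signature}"
    return url, {h: v for h, v in headers.items() if h != "host"}

if __name__ == "__main__":  # constructed placeholder values, not real credentials
    url, hdrs = presign_put_sse_kms(
        "AKIAEXAMPLEEXAMPLE", "constructed-secret", "eu-west-1", "example-bucket",
        "uploads/dog.png", "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID")
    print(url, hdrs, sep="\n")
```

Upload with the same curl -T command as above, adding one -H option for each returned header.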