How do I determine the path to AWS Buckets - amazon-web-services

I am new to AWS. I have a website and I would like to host my larger images on AWS. I have successfully created a bucket and can access that bucket via FTP but I do not know how to determine the URL for the contents of that bucket so I can reference the images on my website.
I have tried: https://bucketname.s3.amazonaws.com/imagename.jpg
and I have tried https://s3.amazonaws.com/bucketname/imagename.jpg
But I get errors on both.
What is the correct path?
Thank you.

Click on the bucket. Go to properties, scroll to the bottom, under 'static website hosting', click edit then enable.
Once saved, you will be provided with a 'bucket website endpoint' (i.e. a url to access your files).
Under the 'permissions' tab, you may also need to allow public access to the objects in the bucket by adding a bucket policy like this:
{
"Version": "2012-10-17",
"Id": "Policy1517754859350",
"Statement": [
{
"Sid": "AllowGetObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::YOUR-BUCKET-NAME-HERE/*"
}
]
}

AWS S3 objects can be accessed at https://{bucket}.s3.amazonaws.com/{key}.
You should have seen an error message in the webpage.
But before that, make sure that the object in the bucket is public. Go to the bucket, change the object to make it public.
But best option is to create a CloudFront distribution. Otherwise accessing S3 bucket directly is costly.

In addition to the other two answers posted, which helped move me in the right direction I was able to get more insights and discovered that the easiest way to provide read-only access to bucket assets is to set an ACL that is domain specific so that only requests that come from the designated URL will have read access to the contents of the bucket:
{
"Version": "2012-10-17",
"Id": "http referer policy",
"Statement": [
{
"Sid": "Allow get requests originating from www.example.com and example.com.",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:GetObjectVersion"
],
"Resource": "arn:aws:s3:::bucketname/*",
"Condition": {
"StringLike": {
"aws:Referer": "https://example.com/*"
}
}
}
]
}
The URL or path to the resources is provided in the Control Panel when you add objects to the bucket and is listed as the
Object URL
.

Related

Mapping multiple S3 buckets to the same URL using AWS CloudFront - Access Denied error on non-default path patterns

How can I map two different S3 buckets to the same URL using AWS CloudFront?
I have created two origins; one origin with path /preview of one bucket and another with the path /harry for another bucket. In the behaviors section, I have set the Default behavior to use the /preview origin and a separate behavior with the /harry/* path pattern that uses the /epub origin. However, only the Default behavior is working and the /harry/* pattern returns an "Access Denied" error.
URL example:
https://xxxx.cloudfront.net/harry/example.xhtml = Access Denied
https://xxxx.cloudfront.net/image.png = Works fine
Cloud front configuration:
Origins: https://postimg.cc/N9MQh5dQ
Behaviors: https://postimg.cc/KkKCrL93
Preview Origin policy
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3HIYxxxx"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::xxxxxstorage/preview/*"
}
]
}
harry origin policy
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3HIYxxxx"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::xxxxxdevelopment/harry/*"
}
]
}
The issue with this configuration is that only the Default behavior is working, regardless of the associated origin. Is there something that I am missing or not properly configured in this setup?
I aim to do the same thing that you are trying to do, but am still in the research phase.
It seems you need a folder inside the alternative bucket with a name which matches the trailing portion of the bucket Origin Domain Name.
There is an brief post on this topic from 2015: https://stackoverflow.com/a/32002341
As well as an excellent blog post and YouTube video: https://vimalpaliwal.com/blog/2018/10/10f435c29f/serving-multiple-s3-buckets-via-single-aws-cloudfront-distribution.html
This is the approach that I will take as I move forward.

Cannot access S3 object even though all indications are that I should including policy simulator. Why?

I can use this policy to upload files to my bucket from user A, in group Z. A different user in group B also is in group Z and therefore has the same policy. However, I cannot read the file when logged in as B to the AWS management console. I'm especially mystified because according to the Policy Simulator, this policy (plus the Admin access user B has) should fully enable B to see the file in question.
Instead, user B only gets Access Denied.
Help? I feel like I'm missing something very simple here.
My complete (if redacted) group policy is:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::my-bucket"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::my-bucket/*",
"arn:aws:s3:::my-bucket"
]
}
]
}
My auto-generated bucket policy is:
{
"Version": "2012-10-17",
"Id": "S3-Console-Auto-Gen-Policy-1645709424074",
"Statement": [
{
"Sid": "S3PolicyStmt-DO-NOT-MODIFY-1645709423946",
"Effect": "Allow",
"Principal": {
"Service": "logging.s3.amazonaws.com"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}
My bucket has Block Public Access turned on.
The problem here is that even though you are logged into the AWS console, your authentication does not extend to downloading an S3 object via a simple HTTP GET of the object at https://mybucket.s3.region.amazonaws.com/myfile.png, as would happen if you pasted that URL into a new tab.
Instead, you can generate and use an S3 pre-signed URL to download the object. A pre-signed URL is time-limited and is signed with your secret key so it includes all the auth needed to download the object.
You can use the S3 console, awscli, or any AWS SDK to generate a pre-signed S3 URL, for example:
aws s3 presign s3://mybucket/myfile.png
Note that pre-signed URLs behave somewhat like a bearer token. Whoever has the pre-signed URL can use it to download the object, until it expires.
You can also download individual objects, or even entire buckets of objects, using the awscli (with appropriate authentication).

AWS CloudFront is Downloading files when multiple websites are hosted in the same bucket

I have an s3 bucket myBucket with two websites in it. First website is at root and the second one is in the folder abc. A CloudFront distribution has been configured on myBucket and its working successfully since an year. Here is the cloudfront access identity policy on the bucket.
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::myBucket",
"arn:aws:s3:::myBucket/*"
]
}
]
}
Since the cloudfront identity has access to all the bucket its successfully serving the pages from the bucket folder myBucket/abc when accessed through https://myexample.com/abc/index.html but when refreshed its downloading a blank file with the name download. These two websites are linked and hence needed to keep them in the same bucket. Is there anyway how i can get rid of this download ? Also should i have to create another origin and the corresponding behavior to do this right ?

Remove AWS S3 bucket having Read by Everyone permission through Bucket policy

Suppose I have an S3 bucket that has "Everyone Read" permission. Bucket is not public. Means anyone can access objects by typing its url in the browser. Now I want to remove this access from URL thing in browser. One option is to go to each images and remove "Read" from "Everyone" section. But since there are huge amount of images so this is not feasible.
So can I put such bucket policy which allows access only from one IAM user and not from browser thing? I tried adding such bucket policy that allow access to all resources for only specific user but still images are accessible from browsing through URL. Any thoughts?
Edit: Adding policy that I tried
{
"Id": "Policy1",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::test-bucket-public-issue",
"Principal": {
"AWS": [
"arn:aws:iam::AccounId:user/Username"
]
}
}
]
}
Ok #Himanshu Mohan I will explain you what i have done. I have created a S3 bucket and then i added the below bucket policy
{
"Version": "2012-10-17",
"Id": "Policy1534419239074",
"Statement": [
{
"Sid": "Stmt1534419237657",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::xxx-xxx-test/*"
}
]
}
While adding this policy the bucket will automatically public
Then i have uploaded an image as what you referred and i was able to access the same image via browser.
Now I changed the policy back to as what you said
Now i was not able to access the image, will show the access denied xml response. The only difference i see is i have added the /* after the bucket name "Resource": "arn:aws:s3:::xxx-xxx-test/*".

Amazon s3 – 403 Forbidden with Correct Bucket Policy

I'm trying to make all of the images I've stored in my s3 bucket publicly readable, using the following bucket policy.
{
"Id": "Policy1380877762691",
"Statement": [
{
"Sid": "Stmt1380877761162",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<bucket-name>/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
I have 4 other similar s3 buckets with the same bucket policy, but I keep getting 403 errors.
The images in this bucket were transferred using s3cmd sync as I'm trying to migrate the contents of the bucket to a new account.
The only difference that I can see is that
i'm using an IAM user with admin access, instead of the root user
the files dont have a
"grantee : everyone open/download file" permission on each of the
files, something the files had in the old bucket
If you want everyone to access your S3 objects in the bucket, the principal should be "*", i.e., like this:
{
"Id": "Policy1380877762691",
"Statement": [
{
"Sid": "Stmt1380877761162",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::<bucket-name>/*",
"Principal": "*"
}
}
]
}
Source: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html#Principal
I've managed to solve it by running the s3cmd command again but adding --acl-public to the end of it. Seems to have fixed my issue
I Know this is an old question, but for whoever is having this issue and working from the AWS Console. Go to the bucket in AWS S3 console:
Open the permissions tab.
Open Public Access settings.
Click edit
Then in the editing page :
Uncheck Block new public bucket policies (Recommended)
Uncheck Block public and cross-account access if bucket has public policies (Recommended)
Click save
CAUTION
PLEASE NOTE THAT THIS WILL MAKE YOUR BUCKET ACCESSIBLE BY ANYONE ON THE INTERNET, EVENT IF THEY DO NOT HAVE AN AWS ACCOUNT, THEY STILL CAN ACCESS THE BUCKET AND THE BUCKET'S CONTENTS. PLEASE HANDLE WITH CAUTION!
From AWS Documentation
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"AddPerm",
"Effect":"Allow",
"Principal": "*",
"Action":["s3:GetObject"],
"Resource":["arn:aws:s3:::examplebucket/*"]
}
]
}
Not sure if the order or attributes matter here. I would give this one a try.