I have a website where the users can upload files like images or pdfs, and I'm storing them in AWS S3. It's working correctly, but I put a "public policy" to test it like this one:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
It works but I think that a malicius user could make a lot of requests and amazon charge me for that. So what would be the way to limit the access but keep working correctly with my webapp?
Thanks in advance.
You could create a time-limited Amazon S3 pre-signed URL for those objects. This grants access to a private object for a limited time.
You can Restrict Access to Specific HTTP Referrer by modifying your bucket policy like this.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
],
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.com/*"
]
}
}
}
]
}
Replace example.com with your website name.This allows the objects can be only accessed from domain staring with your domain name. Make sure the browsers you use include the http referer header in the request . For more details see Restricting Access to a Specific HTTP Referrer
Related
Requirement:
We're using AWS CloudFront with S3 bucket for my client to save the tutorial/course videos, hence we would like to prevent the users to download any video with the links either S3 Object link or CloudFront domain url. In other words only with our website these will be readable / accessible or users can only be able to watch them. Therefore, we're trying to restrict the access through direct links.
Tried solution:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "S3PublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": [
"s3:GetObject",
"s3:GetObjectTagging",
"s3:PutObject",
"s3:PutObjectTagging"
],
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
],
"Condition": {
"StringLike": {
"aws:Referer": [
"https://dev.mycompany.com/",
"https://mycompany.com/"
]
}
}
},
{
"Sid": "CloudFrontPublicRead",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity AAAAAAAAAAA"
},
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::DOC-EXAMPLE-BUCKET",
"arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
],
"Condition": {
"StringLike": {
"aws:Referer": [
"https://dev.mycompany.com/",
"https://mycompany.com/"
]
}
}
}
]
}
Problem:
The above policy is working fine with the S3 object urls, like If I open it through the link it is showing Access Denied and within my website the videos are playing fine.
However, the video links with CloudFront Domain, not accessible even within the website. We need the same behavior as with the S3 direct URLs.
Conclusion:
The aws:Referer condition is working fine with s3 object urls but not applying on the CloudFront url, hence making them unaccessible.
Hopefully, I'm able to state the problem as it is occurring.
Thanks in advance.
More Info:
Cloudfront Distribution Behavior Details:
Listing
Details of the second entry (Default)
I am creating an Electron.js app and I am using S3 to host the new releases of my app. I can't leave the S3 bucket open to the public and need to limit it only to the users in the company where the app will be used. Therefore, I decided to limit access to the bucket by the company's IP address. However, when Electron-updater checks for an update, I get the Error: HttpError: 403 Forbidden. This is the bucket policy I am using:
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKETNAME",
"arn:aws:s3:::BUCKETNAME/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "Company's IP Address"
}
}
}
]
}
When Electron-Updater checks to see if there is a new update, I get the Error: HttpError: 403 Forbidden. It shouldn't be, because the request is coming from the IP of the company. I am wondering if maybe for some reason the request is coming from a different IP. I tried to use the S3 access logs (I have never used them), but nothing gets saved in the bucket I create to store those logs. I am at a loss as to what the problem is.
If I understood the Question, you want Allow Only from Specific IP's.
{
"Version": "2012-10-17",
"Id": "S3PolicyId1",
"Statement": [
{
"Sid": "IPAllow",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKETNAME",
"arn:aws:s3:::BUCKETNAME/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"CIDR",
"CIDR"
]
}
}
}
]
}
I want to use condition of StringLike aws:Referer for a particular folder and make rest of the folder publicly accessible.
Here is my bucket policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AddPerm",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": [
"arn:aws:s3:::bucketName/folderName/*"
]
},
{
"Sid": "",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketName/folderName/users/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://example.com/*"
]
}
}
}
]
}
When I am using above policy, it is not working with first one.
Try with below policy:
{
"Sid": "",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucketName/folderName/users/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://example.com/*"
]
}
}
}
The first part of your policy is granting GetObject access for anything in the folderName path of your bucket. This includes folderName/users/*.
Therefore, the second part of your policy is not being used (since the first policy is already granting access to the folderName/users/* path.
You could solve it by using different buckets, or you could convert the second policy into a Deny with StringNotLike (effectively saying that access is denied to folderName/users/* if the referer is not example.com.
Frankly, your policy looks strange because it is granting access to the entire users path hierarchy, which probably isn't what you'd want it to do. (I'm assuming you'd want to grant access only to a particular user's data based upon who is accessing your application.)
Please note that referer is not secure — it is easy to fake this value in a browser and in web-scraping softare.
I created a bucket which host some web small web page and a few docs which should only be read accessible by users which have a certain login in IAM. These users should only have (read) access to this specific bucket and no other bucket. Ideally these users shouldn't even know that there are other buckets out there.
For this I create a "test" user in IAM, added the user to a group and assigned a group policy as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
"Action": [
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::*"
]
},
{
"Sid": "AllowS3GetActionsInPrivateFolder",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my.web.page/*"
]
}
]
}
When I login with the test user and navigate to S3 I can see all my other buckets and when I click on another bucket I get a "Sorry, no permission" error. This kinda works but ideally the user shouldn't even be able to even list any other buckets.
When I go to https://s3.amazonaws.com/my.web.page/index.html I get a AccessDenied XML message. How can should I modify the policy to be able to open a html page in this bucket with a browser.
The user still has write access to the bucket. How can I only grant read access?
Your help is much appreciated.
Use this policy it will work. Where it says example bucket put you bucket name
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGroupToSeeBucketListAndAlsoAllowGetBucketLocationRequiredForListBucket",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::examplebucket/*"
]
},
{
"Sid": "AllowS3GetActionsInPrivateFolder",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my.web.page/*"
]
}
]
}
I've got images on S3 that I'd like to share with my Rails app. I can get access to the images by setting the permission: Everybody - Open/Download on the S3 UI. I want to set this permission for all objects in the bucket. The bucket permission UI doesn't have the option of Open/Download for users. What is the action I need to assign in the bucket config command to allow this? Here is my current command:
{
"Version": "2008-10-17",
"Id": "anid",
"Statement": [
{
"Sid": "ansid",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::haggard/akey"
}
]
}
Your policy is probably wrong, this one is working fine for Everyone (Anonymous) users:
{
"Id": "Policy1416915063227",
"Statement": [
{
"Sid": "AddCannedAcl",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::examplebucket/*",
"Principal": {
"AWS": [
"*"
]
}
}
]
}
I recommend to use the policy generator at the following link:
http://awspolicygen.s3.amazonaws.com/policygen.html