I have an aws s3 bucket and want to share and sync data with my team and some other individuals (and later access this data in the cloud). This is easy with the aws cli (aws s3 sync ...), but since we are now in the situation where multiple other individuals from outside are involved, they don't have an aws-account.
What is the preferred strategy here? Is there a way to get something like a read/write access-token, which then could get passed to the aws-cli?
You probably want to setup IAM users and give the access either though a bucket policy or on the user level.
With bucket policies you can easily define what paths users are able to edit and access.
When you create an IAM user you also have the option of creating one for Programmatic(CLI) access only which will give you a set of credentials for that user only. Just use aws configure and set the access and token key.
You also probably want to make sure you are using an IAM user yourself as it's generally recommended for security.
Related
I am having a hard time understanding Azure docs and terminologies. The problem is this. My customer has an azure bucket and we need to read/write to this bucket. They won't be sharing their storage account credentials either.
This can be achieved in AWS by following this:
https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
I have just created an IAM user and asked my customers to allow the necessary permissions in the bucket policy. Thus, with one IAM user and one set of credentials, I can write to multiple buckets belonging to multiple AWS accounts.
Is something like above also possible in Azure?
they can create a Shared access signature while they can control what kind of access you need to have and also when to expire.
Is it possible to give different access to different buckets in s3? In detail, I have 10 different buckets in s3 and each of those bucket related to different people. So I want to give them access only to their particular bucket(by sharing a URL or something like that)
Is this possible?
The normal way to assign access is:
Permanent credentials (eg associate with an IAM User) are only provided to internal IT staff who are managing or using the AWS services.
End users of a web application should be authenticated by the application (eg using Amazon Cognito, LDAP, AD, Google). The application will then be responsible for generating Pre-Signed URLs for uploading and downloading files.
For mobile applications, it is quite common to create temporary credentials using the Security Token Service, which allows the mobile app to directly make AWS API calls. The credentials can be given limited permissions, such as only being able to access one S3 bucket.
So, it really comes down to 'how' the users will be accessing the bucket. If they are doing it directly, then provide temporary credentials via STS. If they are doing it via an application, then the application will be responsible for providing individual access to upload/download.
By the way, it's not necessarily a good idea to give a different bucket to every user, because there is a limit on the number of buckets you can create. Instead, you could give access to separate paths within the same bucket. Proper use of permissions will ensure they cannot see/impact other users' data.
For how this works with IAM Users, see: Variables in AWS Access Control Policies | AWS News Blog
Is it possible to access an S3 bucket from another account using the access key ID and secret access key?
I know that the keys are typically for API/CLI access, but I was wondering if I could use it from my account using those two alone.
A workaround would be to run a CLI on AWS and repeatedly sync two folders.
Edit: If I don't have access to the original account, how would I proceed then?
I have the keys, and want to add it to a second account - but cant make any changes to the first
Is it possible to access an S3 bucket from another account using the access key ID and secret access key?
Yes, if it is configured. Access to S3 is S3 bucket is determined by who you are, your IAM policy, what action you need to and what is the bucket configuration is(policy, permissions, block public access, ...).
You can read the documentation to see what are the different factors affecting the access for a certain request: https://docs.aws.amazon.com/AmazonS3/latest/userguide/how-s3-evaluates-access-control.html
To configure cross account access, you have three choices:
Configure bucket policy that allows certain or all API actions from another account or principals in that account. This is very flexible and allows almost all S3 bucket actions while staying secure.
Configure ACL policy that allows another account. This is for before bucket policy existed, however it may be simpler to use in some cases
Configure cross account IAM roles. This is basically providing permissions to another AWS account. This is the most flexible than the other options as it can include any action.
The above 3 ways are documented here: https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/
Now while in the document using policy is for programmatic access only, as of right now you can also use it in the console, although this is not a documented feature. If you have access via bucket policy, you can simply open the bucket in the console by typing the bucket name in the URL(replace BUCKET-NAME with your bucket name): https://s3.console.aws.amazon.com/s3/buckets/BUCKET-NAME
Another question would be how to access the console if you only have a IAM access key id and secret. To access the console your IAM user needs a password and you can't use the IAM user without it, however if you enough permissions you can set a password for yourself. Another thing you can is that if there's a IAM role you can assume into(if you have enough permissions you can create your own), then you can simply use a tool that can generate a console link using federation API. Here's a few I'm aware of:
https://github.com/trek10inc/awsume-console-plugin
https://github.com/jnawk/aws-electron
https://github.com/NetSPI/aws_consoler
The short answer is "yes it is possible".
As of "how?" there are numerous options. You can use boto3 or the aws sdk in the language of your choice, running it in a lambda, EC2 or ECS container, etc.
You could even go as far as implementing yourself SigV4 to sign your requests (that's what the AWS SDK does internally).
We have an app similar to Dropbox where we store user's files in S3. The only way for the user to do so is via the app (similar to dropbox).
Due to valid privacy concerns, we want to restrict the access of that S3 bucket so the contents of the bucket can only be access from via the app - for which we've created the API token and use that to access the contents.
We don't even want the root account to be able to traverse the contents of that specific S3 bucket.
However, in the event that some administrative intervention is needed, we want to be able to grant a specific user account the ability to physically traverse into the S3 bucket and do whatever is required at that point of time. Once said administrative task is completed, the access should be revoked.
Have you folks encountered this kind of scenario? How would one go about implementing something like this?
Thanks for your thoughts
The root credentials associated with an AWS account has full permissions. And even if they don't, they have the ability to remove blocking permissions. Companies typically secure their root login by adding a multi-factor authentication (MFA) device and locking it in a safe.
You can easily write a Bucket Policy that denies all access except to a specific IAM User, and your application can either use that IAM User to either:
Download content and then serve it directly to clients, or
Create pre-signed URLs that grant time-limited access to private objects in Amazon S3, then provide those URLs to clients so that they can download the object from Amazon S3
Temporary access can be granted by modifying the Bucket Policy. You should, of course, restrict the ability for your normal users to modify Bucket Policies.
For this extra-sensitive information, you should probably create a separate AWS Account. That way, only a select few people would have any access to that account, which prevents accidentally granting access. For example, if a Systems Administrator is granted access to all S3 buckets in Account A, they would have no access to buckets in Account B.
I want to make a Video On Demand service using AWS S3 , and I would like to restrict each of my clients to his own bucket/folder (which one schema is best..) .
I want a client to have access only to his bucket/folder, but these people are not going to have an AWS account.
I read ,and still reading, about IAM users,roles and policies but I have not found something pointing to what I want to achieve.
If you know the IP address (or CIDR blocks) of each client, you can then restrict your bucket with a policy.
http://blogs.aws.amazon.com/security/post/TxPOJBY6FE360K/IAM-policies-and-Bucket-Policies-and-ACLs-Oh-My-Controlling-Access-to-S3-Resourc
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
Alternatively, you could just set up IAM accounts for them within your own account, and scope their access accordingly. That would let them use a very limited form of the AWS Console. You can even write your IAM policies so that users automatically have access to something like:
s3://your-bucket/%username%/