Amazon S3 Permissions
VP of Growth in Marketing
S3 Security is one of the hottest topics in the Cloud-enabled world today. With several security breaches due to misconfigured S3 buckets, S3 security has become priority number one for many large businesses. Settings involving CORS, Bucket Policies, and IAM Policies are crucial to keeping your data safe and secure from prying eyes. In this learning activity, you will make changes to these settings to ensure a secure environment that adheres to security expectations. Download the sample policy below to paste into the lab: https://github.com/BPalmerLA/LinuxAcademy.git
This lab demonstrates the use of various Amazon S3 permissions, including:
- CORS Configuration
- Bucket Policies
- IAM Policies
Due to security concerns, the lab environment does not provide the capability to modify IAM users or policies.
This written guide focuses on the steps to complete the lab. For more details and descriptions, watch the accompanying video for this lab.
The video guide for this lab outlines a scenario that demonstrates how cross-domain requests are blocked in the browser, so it is recommended that you watch it.
Add a basic CORS Configuration for such a scenario:
- Click the title of the bucket that has `s3bucket1` in its name. Note: we have to use random names due to S3 constraints, so the S3 bucket names will contain random characters; look for the string `s3bucket1`.
- Navigate to the Properties tab.
- Click the Static Website Hosting section and copy the bucket's Endpoint URL.
- Click the title of the bucket hosting the resource (with `s3bucket2` in its name) and view its Permissions.
- Click the Add CORS Configuration button.
- Copy the sample policy from the provided example and paste it into the text field.
- Between the `<AllowedOrigin>` tags, delete the `*` and replace it with the Endpoint URL you copied. Paste it in, prepending `http://` if it isn't already there. The line will resemble the following.
- Ensure that the `<AllowedMethod>` tag is set to allow `GET`. The rest of the defaults are fine.
- Click the Save button and Close the configuration.
You are now able to make cross-domain requests in scripts hosted on the Endpoint URL without them being blocked by the browser. Watch the video guide for more information and instructions to test it out.
We will add an example bucket policy that allows a user to list a particular bucket (i.e. view the bucket in a listing). Due to the lab environment's limitations on IAM, we will grant this bucket policy to the account you are using for this lab. Notice that this policy is redundant: Our lab account already has access to list the buckets. It will, however, be useful to demonstrate the process of first using the AWS Policy Generator to create and configure policies, then applying them with the Bucket Policy Editor.
Before we begin, you will need to locate a couple of pieces of information. Find the following items and take note of them. I will reference each one later, and you should replace my reference to them with the information you found for your account.
- Lab account number: In the top right of AWS (the black navigation bar), you will see `cloud_user @ ...`. Click it to expand more details. Take note of the account number. I will refer to this as `<account_number>` in just a moment. Make sure to remove the hyphens (`-`) when you use it momentarily.
- Full bucket name: Locate the bucket name for the bucket with `s3bucket1` in its name. I will refer to this as `<bucket_name>` in just a moment.
Once you have located these pieces of information, go to the Permissions of the bucket with `s3bucket1` in its title, then click Bucket Policy. In the bottom left of this window, click the Policy Generator link. Configure it with these settings:
| Setting | Value |
|---|---|
| Select Type of Policy | S3 Bucket Policy |
| AWS Service | Amazon S3 |
| Amazon Resource Name (ARN) | |
Click Add Statement to add it to the policy, then click Generate Policy. You will be presented with a Policy JSON Document that you can copy and paste. Copy the text, go back to AWS, and paste it into the Bucket Policy Editor. Click the Save button on the editor to check the policy. If there are any errors, they will show in red. Once the errors have been fixed, the save button saves and applies the policy.
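The following Python script is an added example and is not part of the Linux Academy lab or its sample repository. It builds the two configurations the lab has you paste into the console (the single-origin, GET-only CORS rule from the first exercise and the ListBucket bucket policy from the second) and then runs the checks a reviewer would want before saving either: a wildcard `AllowedOrigin`, non-read CORS methods, a `*` principal, or a wildcard action. It assumes the standard ARN forms `arn:aws:s3:::<bucket_name>` for the bucket and `arn:aws:iam::<account_number>:root` for the lab account; the account number, bucket name and endpoint in it are constructed placeholders, not values from the lab.

```python
"""Build and sanity-check the S3 CORS rule and bucket policy from the lab.

Added example, not the lab's own code. All identifiers below are constructed
placeholders: replace them with the values you looked up in the console.
"""
import json
import xml.etree.ElementTree as ET

ACCOUNT_NUMBER = "1234-5678-9012"  # constructed; the console shows it with hyphens
BUCKET_NAME = "s3bucket1-xyz987"    # constructed; real lab names carry random characters
ENDPOINT_URL = "s3bucket1-xyz987.s3-website-us-east-1.amazonaws.com"  # constructed, no scheme


def build_cors_config(origin, methods=("GET",)):
    """Return a one-rule CORS XML document mirroring the lab steps: the wildcard
    origin is replaced by the site endpoint (http:// prepended when missing) and
    only the listed methods are allowed."""
    if origin != "*" and not origin.startswith(("http://", "https://")):
        origin = "http://" + origin
    root = ET.Element("CORSConfiguration")
    rule = ET.SubElement(root, "CORSRule")
    ET.SubElement(rule, "AllowedOrigin").text = origin
    for method in methods:
        ET.SubElement(rule, "AllowedMethod").text = method
    ET.SubElement(rule, "MaxAgeSeconds").text = "3000"
    return ET.tostring(root, encoding="unicode")


def cors_findings(xml_text):
    """Flag rules that let any site read, or any method write, the bucket cross-origin."""
    findings = []
    for rule in ET.fromstring(xml_text).iter("CORSRule"):
        origins = [e.text for e in rule.findall("AllowedOrigin")]
        methods = [e.text for e in rule.findall("AllowedMethod")]
        if "*" in origins:
            findings.append("AllowedOrigin '*': every website may read this bucket cross-origin")
        writes = sorted(set(methods) - {"GET", "HEAD"})
        if writes:
            findings.append("non-read methods allowed cross-origin: " + ", ".join(writes))
    return findings


def build_list_bucket_policy(account_number, bucket_name):
    """The lab's bucket policy: let the lab account list one bucket.
    s3:ListBucket is evaluated against the bucket ARN itself, not bucket/*."""
    account_number = account_number.replace("-", "")  # ARNs carry no hyphens
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowLabAccountToListBucket",
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{account_number}:root"},
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket_name}",
            }
        ],
    }


def policy_findings(policy):
    """Flag Allow statements that open the bucket to everyone or to every action."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"{sid}: Principal '*' grants access to anyone on the internet")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard Action grants every S3 operation")
    return findings


if __name__ == "__main__":
    cors = build_cors_config(ENDPOINT_URL)
    print(cors)
    print("CORS findings:", cors_findings(cors) or "none")
    policy = build_list_bucket_policy(ACCOUNT_NUMBER, BUCKET_NAME)
    print(json.dumps(policy, indent=2))
    print("policy findings:", policy_findings(policy) or "none")
```

Run it with your own account number, bucket name and endpoint substituted for the placeholders; the printed XML and JSON are what you would paste into the CORS editor and the Bucket Policy Editor, and the findings lists should both be empty. Feeding the sample policy's default `*` origin, or a generated policy with a `*` principal, through the same checks shows exactly which line the console would otherwise accept without complaint.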
Due to the IAM limitations in the lab environment, there is nothing to demonstrate for IAM policies. See the accompanying video for this lab for a discussion of the uses and differences of IAM Policies vs. Bucket Policies.