
Amazon S3 Permissions

Hands-On Lab



Christophe Limpalair

VP of Growth in Marketing

Length: 00:45:00

Difficulty: Beginner

S3 security is one of the most discussed topics in the cloud-enabled world today. After several breaches caused by misconfigured S3 buckets, S3 security has become priority number one for many large businesses. Settings involving CORS, bucket policies, and IAM policies are crucial to keeping your data safe from prying eyes. In this learning activity, you will change these settings to produce an environment that meets security expectations.

Download the sample policy from the repository below to paste into the lab:

https://github.com/BPalmerLA/LinuxAcademy.git

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

Introduction

This lab demonstrates the use of various Amazon S3 permissions, including:

  • CORS Configuration
  • Bucket Policies
  • IAM Policies

Due to security concerns, the lab environment does not provide the capability to modify IAM users or policies.

This written guide focuses on the steps to complete the lab. For more details and descriptions, watch the accompanying video for this lab.

CORS Configuration

The video guide for this lab outlines a scenario that demonstrates how cross-domain requests are blocked in the browser, so it is recommended that you watch it.

Add a basic CORS Configuration for such a scenario:

  • Click the title of the bucket that has s3bucket1 in its name. Note: S3 bucket names must be globally unique, so the lab's buckets carry random characters. Look for the string s3bucket1.
  • Navigate to the Properties tab.
  • Click the Static Website Hosting section and copy the bucket's Endpoint URL.
  • Click the title of the bucket hosting the resource (with s3bucket2 in its name) and view its Permissions.
  • Click the Add CORS Configuration button.
  • Copy the sample policy from the provided example and paste it into the text field.
  • Between the <AllowedOrigin> tags, delete the * and replace it with the Endpoint URL you copied, prepending http:// if it isn't already there. The static website endpoint is served over plain HTTP, and the browser compares origins by scheme, host, and port, so an https:// origin would not match. The line will resemble the following:
    <AllowedOrigin>http://your-endpoint-url.amazonaws.com</AllowedOrigin>
  • Ensure that the <AllowedMethod> tag is set to allow GET. The rest of the defaults are fine.
  • Click the Save button and Close the configuration.

Scripts hosted on the Endpoint URL can now make cross-origin requests to the resource bucket without the browser blocking them. Keep in mind that CORS only tells the browser which origins may read a response; it grants no access by itself, so the object must still be readable (for example through a bucket policy) for the request to succeed, and leaving <AllowedOrigin> as * lets scripts on any website read it. Watch the video guide for more information and instructions to test it out.
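The following is an added example, not code from the lab, that builds the CORS rule the steps above produce and emulates the origin check S3 performs on it, so you can see which requests the browser would block before and after replacing the * origin. The bucket endpoint and the second site are constructed stand-ins (the lab's real endpoint carries random characters); the emulation covers origin and method matching only and ignores AllowedHeaders.

```python
"""Emulate S3's CORS origin check for the lab's two-bucket scenario.

Added example, not part of the lab. Constructed names stand in for the
endpoints the lab has you copy from the console.
"""
import json

# Constructed stand-ins: the static-website endpoint of the requesting bucket
# (s3bucket1) and an unrelated site. Real lab names carry random suffixes.
REQUESTING_ENDPOINT = "http://s3bucket1-abc123.s3-website-us-east-1.amazonaws.com"
OTHER_SITE = "https://other-site.example"


def cors_rule(allowed_origins, allowed_methods=("GET",), max_age=3000):
    """One CORSRule in the JSON form that `aws s3api put-bucket-cors` accepts.
    The console's XML form uses the same fields (<AllowedOrigin>, <AllowedMethod>, ...)."""
    return {
        "AllowedOrigins": list(allowed_origins),
        "AllowedMethods": list(allowed_methods),
        "AllowedHeaders": ["*"],
        "MaxAgeSeconds": max_age,
    }


DEFAULT_RULE = cors_rule(["*"])               # the sample config as pasted: any origin
LAB_RULE = cors_rule([REQUESTING_ENDPOINT])   # after replacing * with the endpoint URL


def origin_matches(pattern, origin):
    """S3 compares the request's Origin header against each AllowedOrigin as an
    exact string; the only wildcard is a single '*' somewhere in the pattern."""
    if "*" not in pattern:
        return pattern == origin
    head, _, tail = pattern.partition("*")
    if "*" in tail:
        raise ValueError("S3 allows at most one '*' per AllowedOrigin")
    return (len(origin) >= len(head) + len(tail)
            and origin.startswith(head) and origin.endswith(tail))


def browser_allows(rules, origin, method="GET"):
    """True if some rule admits this origin and method, i.e. S3 would answer the
    cross-origin request with Access-Control-Allow-Origin and the browser would
    let the script read the response. False is the blocked case the video shows.
    (Real S3 also checks Access-Control-Request-Headers against AllowedHeaders;
    with AllowedHeaders ["*"] that check always passes, so it is omitted here.)"""
    return any(
        method in rule["AllowedMethods"]
        and any(origin_matches(p, origin) for p in rule["AllowedOrigins"])
        for rule in rules
    )


def cors_configuration_json(rules):
    """Body for: aws s3api put-bucket-cors --bucket <name> --cors-configuration file://cors.json"""
    return json.dumps({"CORSRules": list(rules)}, indent=2)


if __name__ == "__main__":
    print(cors_configuration_json([LAB_RULE]))
    https_variant = "https://" + REQUESTING_ENDPOINT[len("http://"):]
    for origin in (REQUESTING_ENDPOINT, https_variant, OTHER_SITE):
        print(f"{origin}\n  default(*): {browser_allows([DEFAULT_RULE], origin)}"
              f"\n  lab rule:   {browser_allows([LAB_RULE], origin)}")
```

Running it shows the point of the edit: with the sample * origin every site can read the resource from a browser, while the lab rule admits only the copied endpoint, and the same host over https:// or with a different method is still blocked.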

Bucket Policy

We will add an example bucket policy that allows a user to list a particular bucket (i.e. list the objects it contains; this is what s3:ListBucket grants). Due to the lab environment's limitations on IAM, we will grant this bucket policy to the account you are using for this lab. Notice that this policy is redundant: our lab account can already list this bucket. It will, however, be useful to demonstrate the process of first using the AWS Policy Generator to create and configure a policy, then applying it with the Bucket Policy Editor.

Before we begin, you will need to locate a couple of pieces of information. Find the following items and take note of them. I will reference each one later, and you should replace my reference to them with the information you found for your account.

  • Lab account number: In the top right of AWS (the black navigation bar), you will see cloud_user @ ... Click it to expand more details and take note of the account number. I will refer to this as <account_number> in just a moment. The console displays it with hyphens; remove them when you use it, since ARNs take the bare 12-digit number.
  • Full bucket name: Locate the bucket name for the bucket with s3bucket1 in its name. I will refer to this as <bucket_name> in just a moment.

Once you have located these pieces of information, go to the Permissions of the bucket with s3bucket1 in its title, then click Bucket Policy. In the bottom left of this window, click the Policy Generator link. Configure it with these settings:

Setting                       Selection
Select Type of Policy         S3 Bucket Policy
Effect                        Allow
Principal                     arn:aws:iam::<account_number>:user/cloud_user
AWS Service                   Amazon S3
Actions                       ListBucket
Amazon Resource Name (ARN)    arn:aws:s3:::<bucket_name>

Click Add Statement to add it to the policy, then click Generate Policy. You will be presented with a Policy JSON Document that you can copy and paste. Copy the text, go back to AWS, and paste it into the Bucket Policy Editor. Click the Save button on the editor to check the policy. If there are any errors, they will show in red. Once the errors have been fixed, the save button saves and applies the policy.
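As an added example (not the lab's own material, and not the Policy Generator's code), the function below produces the same policy document the generator settings above yield, accepting the account number exactly as the console shows it, and runs the checks a practitioner makes before saving any bucket policy: no anonymous principal, no wildcard action, and bucket-level actions such as s3:ListBucket pointed at the bucket ARN rather than the object ARN (arn:aws:s3:::bucket/*). The account number, bucket name, and Sid are constructed placeholders.

```python
"""Build and sanity-check the lab's bucket policy before pasting it into the
Bucket Policy Editor. Added example, not the lab's or AWS's code."""
import json
import re

# Which ARN form each action applies to. s3:ListBucket works on the bucket ARN
# (arn:aws:s3:::bucket); object actions need the object ARN (arn:aws:s3:::bucket/*).
# Mixing these up is the usual reason a generated policy saves cleanly yet grants nothing.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:ListBucketVersions", "s3:GetBucketLocation"}
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion", "s3:PutObject", "s3:DeleteObject"}


def list_bucket_policy(account_number, bucket_name, user="cloud_user"):
    """Equivalent of the Policy Generator settings in the lab: Allow one IAM user
    to s3:ListBucket on one bucket. `account_number` may be pasted straight from
    the console, hyphens included."""
    account = account_number.replace("-", "")
    if not re.fullmatch(r"\d{12}", account):
        raise ValueError(f"AWS account IDs are 12 digits, got {account_number!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudUserListBucket",   # constructed Sid
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account}:user/{user}"},
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{bucket_name}",
        }],
    }


def _as_list(value):
    """Policy fields such as Action and Resource may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _is_object_arn(resource):
    # Anything after the bucket name (a '/') makes this an object-level ARN.
    return "/" in resource.split(":::", 1)[-1]


def policy_findings(policy):
    """Checks worth running on any bucket policy before it goes live. Returns a
    list of human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    for st in policy.get("Statement", []):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append(f"{sid}: grants to Principal * (anonymous access)")
        resources = _as_list(st.get("Resource", []))
        bucket_arns = [r for r in resources if not _is_object_arn(r)]
        object_arns = [r for r in resources if _is_object_arn(r)]
        for action in _as_list(st.get("Action", [])):
            if action in ("*", "s3:*"):
                findings.append(f"{sid}: wildcard action {action}")
            if action in BUCKET_LEVEL_ACTIONS and not bucket_arns:
                findings.append(f"{sid}: {action} needs the bucket ARN, got only {resources}")
            if action in OBJECT_LEVEL_ACTIONS and not object_arns:
                findings.append(f"{sid}: {action} needs object ARNs (bucket/*), got only {resources}")
    return findings


def policy_json(policy):
    """Text to paste into the Bucket Policy Editor, or to pass to
    `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = list_bucket_policy("1234-5678-9012", "s3bucket1-abc123")  # constructed values
    print(policy_json(policy))
    print("findings:", policy_findings(policy) or "none")
```

The checker deliberately allows the common pattern of one statement carrying both s3:ListBucket and s3:GetObject with the bucket ARN and bucket/* listed together; it only complains when an action has no resource of the right form at all.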

IAM Policies

Due to the IAM limitations in the lab environment, there is nothing to demonstrate for IAM policies. See the accompanying video for this lab for a discussion of the uses and differences of IAM Policies vs. Bucket Policies.