TechTip: Secure Access to S3 Folder

This is more a reminder to myself, so that I do not always have to struggle. Amazon S3 is probably the cheapest cloud storage service, that exists, and in these days of multi-tenant architecutures, provides a great way of accessing data from multiple instances.

However in some cases, you need to store files in S3 that are not viewable to anyone in the world, only to your app. I am hoping that this guide will help with that, and I will keep improving it with feedback and additional learning

The steps are as follows:

  1. Optional: Create an IAM group for users to help in user management
  2. Create an IAM user for each app environment with programmatic access to provide isolation from all other users who share the AWS account, I recommend creating separate users for dev, qa and production environment
  3. Generate access keys for each user which will be used to configure the app
  4. Create an access policy for each environment to restrict access to a bucket or a collection of buckets like below for restricting access to only the dev bucket
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor1",
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::project-dev"
          ]
        },
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::project-dev/*"
          ]
        }
      ]
    }
  5. Create S3 buckets with no public access, but with the names matching what is defined in the policies
  6. Test adding files to S3 using the credentials to confirm access (I tend to use the AWS cli with profiles for this case)
    
    

    aws s3 ls s3://project-dev –profile project-dev

UPDATE 1 – February 24, 2019: Added a poilicy for being able to read the bucket which is different from the bucket contents, see Sid: VisualEditor1.

2 responses to this post.

  1. Posted by JWL Oweira on February 17, 2020 at 13:36

    Thanks Veteran Musoke, for sharing this tip!

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: