This is more a reminder to myself, so that I do not always have to struggle. Amazon S3 is probably the cheapest cloud storage service that exists, and in these days of multi-tenant architectures it provides a great way of accessing data from multiple instances.
However, in some cases you need to store files in S3 that are not viewable by anyone in the world, only by your app. I am hoping that this guide will help with that, and I will keep improving it with feedback and additional learning.
The steps are as follows:
- Optional: Create an IAM group for users to help in user management
- Create an IAM user for each app environment with programmatic access, to provide isolation from all other users who share the AWS account. I recommend creating separate users for the dev, qa and production environments
- Generate access keys for each user which will be used to configure the app
- Create an access policy for each environment to restrict access to a bucket or a collection of buckets, like the one below, which restricts access to only the dev bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::project-dev"
      ]
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::project-dev/*"
      ]
    }
  ]
}
- Create S3 buckets with no public access, but with names matching those defined in the policies
- Test adding files to S3 using the credentials to confirm access (I tend to use the AWS CLI with profiles for this case)
aws s3 ls s3://project-dev --profile project-dev
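The whole procedure above as one script, added here as an example and not the post's own code: it renders the post's per-environment policy, checks offline that the policy names only that environment's bucket (so a pasted bucket wildcard or another environment's policy is caught before it is attached), and, only when invoked with `provision`, creates the IAM user, inline policy, access key and public-access-blocked bucket with the AWS CLI and then runs the post's `aws s3 ls` check as the app user. The user and bucket naming `project-<env>`, the inline policy name `project-<env>-s3` and the `admin` profile are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Names assumed: IAM user and
# bucket are both "project-<env>", the inline policy is "project-<env>-s3",
# and an "admin" profile exists that may create IAM users and buckets.

# Render the post's least-privilege policy for one environment:
# ListBucket on the bucket itself, everything on the objects inside it.
policy_json() {
  env="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::project-${env}"]
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::project-${env}/*"]
    }
  ]
}
EOF
}

# Offline guard to run before attaching a policy (stdin = policy document,
# $1 = environment it is meant for): succeed only if every S3 ARN in the
# document is this environment's bucket or its objects, so a pasted
# "arn:aws:s3:::*" or a copy of another environment's policy is rejected.
policy_is_scoped() {
  env="$1"
  arns="$(grep -o 'arn:aws:s3:::[^"]*' || true)"
  [ -n "$arns" ] || return 1
  bad="$(printf '%s\n' "$arns" \
         | grep -v -e "^arn:aws:s3:::project-${env}\$" \
                   -e "^arn:aws:s3:::project-${env}/\*\$" || true)"
  [ -z "$bad" ]
}

# Steps 2-6 of the post for one environment. Needs network and the admin
# profile, so it only runs when the script is invoked as:
#   sh s3-env.sh provision dev [region] [admin-profile]
provision_env() {
  env="$1"; region="${2:-us-east-1}"; admin="${3:-admin}"
  policy_json "$env" | policy_is_scoped "$env" \
    || { echo "policy is not scoped to project-${env}" >&2; return 1; }

  aws iam create-user --user-name "project-${env}" --profile "$admin"
  aws iam put-user-policy --user-name "project-${env}" --policy-name "project-${env}-s3" \
      --policy-document "$(policy_json "$env")" --profile "$admin"

  # One key pair per user, stored straight into a CLI profile named after the env.
  keys="$(aws iam create-access-key --user-name "project-${env}" --profile "$admin" \
            --query '[AccessKey.AccessKeyId,AccessKey.SecretAccessKey]' --output text)"
  set -- $keys   # unquoted on purpose: splits "id<TAB>secret" into $1 and $2
  aws configure set aws_access_key_id "$1" --profile "project-${env}"
  aws configure set aws_secret_access_key "$2" --profile "project-${env}"
  aws configure set region "$region" --profile "project-${env}"

  # Bucket with the name the policy expects, then block every form of public access.
  if [ "$region" = "us-east-1" ]; then
    aws s3api create-bucket --bucket "project-${env}" --region "$region" --profile "$admin"
  else
    aws s3api create-bucket --bucket "project-${env}" --region "$region" --profile "$admin" \
        --create-bucket-configuration "LocationConstraint=${region}"
  fi
  aws s3api put-public-access-block --bucket "project-${env}" --profile "$admin" \
      --public-access-block-configuration \
      BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

  # The post's own check, run as the app user. New IAM keys take a few seconds to propagate.
  sleep 10
  aws s3 ls "s3://project-${env}" --profile "project-${env}"
}

if [ "${1:-}" = "provision" ] && [ -n "${2:-}" ]; then
  provision_env "$2" "${3:-us-east-1}" "${4:-admin}"
fi
```

Run `sh s3-env.sh provision dev` per environment; without arguments the script only defines the functions, so `policy_json prod | policy_is_scoped dev` can be used interactively to see the guard reject a mismatched policy.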
UPDATE 1 – February 24, 2019: Added a policy statement for being able to read the bucket itself, which is different from reading the bucket contents; see Sid: VisualEditor1.
Happy to share the lessons as I learn them, so that others can start from there.