Using the cloudfront to read and write in the same S3 bucket, how can I prohibit a user from using a read-presigned url to make an injection (upluad)?
Thanks.
Deny access to PUT for cloudfront and it won't be able to put data into s3. In s3 permissions you can allow read only calls from cloudfront only. Turn off public access on s3, to make sure it will allow gets only from cloudfront. On CloudFront use this to update s3 bucket access, before this disable any public access on s3. CF will update S3's policy & create CF origin access identity:
To put data into S3, use presigned URL and it all goes down to the place where you create the presigned URL for upload. You may have api gateway RESTfull tiny api which would authenticate user to get the upload url and would return the upload url, which would be used by user to upload data to S3.
Related
I have an s3 bucket that users can access with a presigned url.
Due to some changes some users who are trying to access particular images will not be able to as their presigned url is invalid. I would like to respond to those requests with a particular image, essentially letting them know to update their application. Is their anyway i can achieve this? I cannot update their client directly so i need the change to be on the s3 or perhaps use cloudfront or something.
No, this is not possible.
If the pre-signed URL is invalid, they will receive a standard Access Denied message.
I want to generate a presigned URL for an S3 bucket, and upload files using the url, not through nuxeo server or the direct upload option.
The documentation, says, that I need to set the CloudFrontBinaryManager as the binary manager to be used. Despite, setting the configuration in nuxeo.conf, I am not able to upload directly to the bucket. I still see the request made to /upload, which routes the upload through the nuxeo server to the s3 bucket.
The downloads happen through the presigned url, but the upload doesn't. How can I make the upload work?
How can I attach an S3 bucket to an URL on my site. I tried but could not get it to work.
For instance my URL is:
mysite.com/media
And my S3 bucket should be linked directly to the above URL?
You're going to want to use CloudFront in front of S3. This will allow you to use your domain and serve content from S3.
Check out Using CloudFront with Amazon S3 for details on how to do it.
Is it possible to use filepicker to upload to S3, using a presigned S3 policy, without revealing my s3 secret key to filepicker.
From their current documentation found here - https://developers.filepicker.io/page/s3/, we need to provide them our s3 secret key.
I know s3 supports browser based uploads using POST, which we can sign using the policy. Is this something filepicker can leverage?
While it is technically possible, the Filepicker system does not work in this way. We require your S3 keys in order to upload to S3.
I currently serve files on S3 that are private. I would like to serve files via Cloudfront but I keep getting an AccessDenied error. I have tried multiple combinations
With and without Cloud front key pairs
With and without AWS access keys
But nothing works. Do the files on my S3 bucket need to be publicly readable and then I just restrict access to them via Cloudfront by setting bucket policies?
Thanks
Yes. There is no inherent connection between S3 and CloudFront. From the perspective of S3, CloudFront is just another "user" trying to access the content. Therefore, the S3 bucket has to give permission to CloudFront to access the content. Keep in mind that there is no way to set permissions on the CloudFront distribution so your content will be publicly available that way.