We are using AWS S3 buckets to store files. A public URL is generated to share with clients. We want to block TLS 1.0 for the bucket. Please advise.
Related
Is it possible to restrict an Amazon S3 website endpoint to CloudFront only? I see this is possible for S3 rest endpoints but was wondering if there were any new workarounds to do this for S3 website endpoints.
For a website endpoint you can use a bucket policy to allow only CloudFront IP addresses; not as restrictive as OAI, but still a way.
http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
For S3 as an origin, CLOUDFRONT_REGIONAL_EDGE_IP_LIST IP addresses are not used unless you're using Lambda@Edge or AWS has enabled it intentionally, so you can allow only CLOUDFRONT_GLOBAL_IP_LIST.
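An added example, not part of the original answers: one way to turn that IP list into a bucket policy that allows reads only from CloudFront ranges. The bucket name and CIDR ranges are constructed placeholders, and the JSON shape (the two list keys named above) is assumed to match what the URL returns.

```python
import ipaddress
import json

# Constructed sample in the shape assumed for the list-cloudfront-ips response;
# the CIDRs are documentation ranges, not real CloudFront ranges.
SAMPLE_IP_LIST = json.loads("""
{
  "CLOUDFRONT_GLOBAL_IP_LIST": ["198.51.100.0/24", "203.0.113.0/25", "203.0.113.128/25"],
  "CLOUDFRONT_REGIONAL_EDGE_IP_LIST": ["192.0.2.0/24"]
}
""")


def cloudfront_only_policy(bucket, ip_list, include_regional=False):
    """Build a bucket policy that allows s3:GetObject only from CloudFront ranges."""
    cidrs = list(ip_list["CLOUDFRONT_GLOBAL_IP_LIST"])
    if include_regional:  # only needed when regional edge caches reach the origin
        cidrs += ip_list["CLOUDFRONT_REGIONAL_EDGE_IP_LIST"]
    # strict=True rejects malformed entries (host bits set) instead of widening them
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    # Merge adjacent ranges per address family to keep the policy small
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    merged = [str(n) for n in list(v4) + list(v6)]
    if not merged:
        raise ValueError("no CloudFront ranges supplied; refusing to emit policy")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowGetFromCloudFrontRanges",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Requests from any other source IP match no Allow and are denied
            "Condition": {"IpAddress": {"aws:SourceIp": merged}},
        }],
    }


if __name__ == "__main__":
    # "example-bucket" is a placeholder bucket name
    print(json.dumps(cloudfront_only_policy("example-bucket", SAMPLE_IP_LIST), indent=2))
```

The published ranges change over time, so the policy has to be regenerated whenever the list is refreshed.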
I want to have my own private hosted object storage with S3 compatibility.
Now I found minio as a solution. My question is: If I have an application A that is able to connect to amazon S3 storage does that imply that I could also connect to minio?
More specifically, if minio created a presigned URL, is application A (capable of amazon S3) also able to use the presigned URL?
Yes, minio is compatible with AWS S3. You can have your application that is currently connecting to AWS S3 connect to minio.
Presigned URLs can be used by any application as long as they have not expired.
If you are just starting out on minio, please join our slack channel at https://slack.min.io
We have a number of Google Cloud Storage transfer jobs that sync from AWS S3 buckets to Google buckets. I am assuming that they are using HTTPS to transfer the data, but where can I get confirmation that they do? Where can I get information about the minimum TLS version used in these transfer jobs?
Regarding Cloud Storage TLS, in this document you can find the TLS information for the gsutil commands, whose requests are made via the JSON API. These requests are via HTTPS only, and are used within the cloud console too.
I have hosted my static website in an S3 bucket using angular5 and mapped it to a custom domain using Route53. I want to have SSL/TLS (HTTPS) for my site, so I used ACM to generate the certificate and mapped it to my site using CloudFront. The ACM status is issued and it says it's in use, but my website is not HTTPS enabled.
Everything is hosted in us-east-1, I am accessing my site from East-Asia. Is this an issue?
Am I missing something?
The ACM certificate for CloudFront should have been generated in the N. Virginia region. Then you should be able to assign it to your CloudFront distribution.
In your CloudFront distribution Origin, you should set the "Origin Protocol Policy" parameter to "HTTPS Only" if you want to use HTTPS between CloudFront and your S3 bucket.
In your CloudFront distribution Cache Behavior, you should set the "Viewer Protocol Policy" parameter to "Redirect HTTP to HTTPS" so that every HTTP communication between the clients and your CloudFront distribution is redirected to use HTTPS.
Then you would have to change your DNS record to point to the CloudFront distribution CNAME.
Additionally, you could configure your CloudFront distribution and your S3 bucket to restrict access directly from the clients to the S3 buckets, so that every request goes through your CloudFront distribution.
Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content
Typically, if you're using an Amazon S3 bucket as the origin for a
CloudFront distribution, you grant everyone permission to read the
objects in your bucket. This allows anyone to access your objects
either through CloudFront or using the Amazon S3 URL. CloudFront
doesn't expose Amazon S3 URLs, but your users might have those URLs if
your application serves any objects directly from Amazon S3 or if
anyone gives out direct links to specific objects in Amazon S3.
Is it possible to crawl an S3 file encrypted using CSE-KMS in AWS Glue? I know that Athena can do that, but I haven't found similar functionality in the Glue crawler.
I do not think AWS Glue supports reading from client-side encryption. They have just added server-side encryption support, which is much simpler to support compared to client-side encryption.
Glue does not support client-side encrypted data. It only supports AWS KMS-managed keys (SSE-KMS) or Amazon S3-managed encryption keys (SSE-S3). These are the only two encryption models currently available in Security Configuration in Glue [1].
[1] https://docs.aws.amazon.com/glue/latest/dg/console-security-configurations.html