I was just wondering if there is any way to toggle/turn off/disable/block an api gateway request from a particular domain. I need to test if the service is ever down to see if the error messaging is working
In chrome I can block the request in the network console, however, I can not do this in IE. is there a way to turn the api off temporarily?
or can i block it in IE?
You can get this working with IP rather than the domain.
API gateway allows you to attach "Resource Policy" to your API
Example below
The following example resource policy is a "blacklist" policy that denies (blocks) incoming traffic to an API from two specified source IP addresses.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": ["arn:aws:execute-api:region:account-id:api-id/*"]
},
{
"Effect": "Deny",
"Principal": "*",
"Action": "execute-api:Invoke",
"Resource": ["arn:aws:execute-api:region:account-id:api-id/*"],
"Condition": {
"IpAddress": {
"aws:SourceIp": ["10.24.34.0/23",
"10.24.34.0/24"]
}
}
}]
}
More Info
API Gateway Resource Policy
API Gateway Resource Policy Examples
Related
I'm attempting to lock down viewing of S3 resources - really just images - to my web application's domain. For instance, if someone goes to my site - let's say example.com - and there's a src reference to the image, I want it to be viewable. But if someone were to right click and open up the image directly in a new tab, they shouldn't be able to.
There's tons on the web out there, but I just can't seem to find the correct combination or permissions. And most tutorials don't usually talk about the "Block Public Access" settings, and I'm not sure how that fits in.
Here's the policy I'm attempting:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allow get requests originating from example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket",
"Condition": {
"StringLike": {
"aws:Referer": [
"https://www.example.com/*"
]
}
}
},
{
"Sid": "Do not allow requests from anywhere else.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-bucket",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://www.example.com/*"
]
}
}
}
]
}
This doesn't seem to do anything. If "block public access" is on, both are blocked. If it's off, both are shown. That is, even though I have an explicit "Deny" list above, going right to the image on that bucket in the browser works fine.
I can also edit CORS, but I'd still then wonder why the deny list here wouldn't take care of that itself. Finally, after implementing the policy, I lose lots of abilities myself, such as setting CORS, even when using the root user account. I can probably just do things in a different order to make it happen, but I'd like to still be able to manage my permissions after submitting the policy.
Thanks.
Step 1: Block all public access should be disabled to apply the bucket policy settings, You can make your block all public settings as shown in the above image.
Step 2: Organize all your website images in to one folder like “images”
Step 3: Setup a bucket policy as below. It has two statements. Statement 1 denies images folder to all except from your domain. Statement 2 allows everything. Since deny overwrites allow, statement 1 has more power than statement 2 hence it blocks images which calling from outside of your domain.
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Deny get requests not originating from www.example.com and example.com.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:Get*",
"Resource": "arn:aws:s3:::your-bucket/images/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://www.example.com/"
]
}
}
},
{
"Sid": "Allow get requests",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:Get*",
"Resource": "arn:aws:s3:::your-bucket/*"
}
] }
Step 4: You have to change your front end code a little bit, wherever you are using image tags you need to add “referrerpolicy” set to “origin”, if you don’t set this field referer header won’t be forwarded to S3 and rule evaluation failed and 403 will occur.
Example: <img src="images/pic_trulli.jpg" alt="Trulli" width="500" height="333" referrerpolicy="origin">
This solution is tested and working. If you also need CORS, you can enable CORS on S3 bucket as well. But this policy is good enough to handle.
When calling with domain -->
When calling with S3 URL -->
If this solution helps you, mark it as answered.
I have put the following bucket policy in effect for the product downloads bucket on my website. It works perfectly for http traffic. However this policy also prevents me from downloading directly from the S3 console, or from 3rd party S3 clients like S3Hub.
How can I add to or change this policy to be able to interact with my files "normally" as a logged-in owner, but still restrict http traffic as below?
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::downloads.example.net/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"https://example16.herokuapp.com/*",
"http://localhost*",
"https://www.example.net/*",
"http://stage.example.net/*",
"https://stage.example.net/*",
"http://www.example.net/*"
]
}
}
}
]
}
Remove:
"Principal": "*",
Replace with:
"NotPrincipal": { "AWS": "Your-AWS-account-ID" },
The policy should then apply only to requests that are not authorized by credentials associated with your account.
Note that because of the security implications of its logic inversion, NotPrincipal should only ever be used with Deny policies, not Allow policies, with few exceptions.
It is possible to send S3 events from Account A to an SQS topic in Account B. But, the only way I have been able to achieve this is by opening the permissions for the sendMessage action in SQS to allow everyone access.
Is it possible to configure S3 events to sendMessage to a different account with some permission restrictions in place on the SQS topic?
For example, if I try to restrict access to a specific account (e.g. 123456789012, I receive an error in the S3 console when I try to save the event: "Unable to validate the following destination configurations : Permissions on the destination queue do not allow S3 to publish notifications from this bucket"
{
"Version": "2012-10-17",
"Id": "sqs-permission",
"Statement": [
{
"Sid": "sqs-permision-statement",
"Effect": "Allow",
"Principal": {
"AWS": "123456789012"
},
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:us-east-1:210987654321:my-queue"
}
]
}
According to the documented example, the authorization needs to be granted to S3, not the account owning the bucket.
"Principal": {
"AWS": "*"
},
...
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:s3:*:*:bucket-name"
}
}
The * principal seems unusually permissive, but the likely explanation is that aws:SourceArn is not a value that could be spoofed by a malicious user, any more than, say, aws:SourceIp.
By contrast, the SNS example shows this principal, which seems more appropriate, if it works for SQS notifications:
"Principal": {
"Service": "s3.amazonaws.com"
},
You'd still want to include the Condition block.
Now, I know that I cannot stop someone from downloading my videos and sharing, however I would prefer to have it to so that people do not copy paste links directly to my bucket. Thus, is there a way to make my bucket accessible only from my server/domain making the request?
If it helps, I'm using jwplayer which loads from a xml playlist that has all the links. This playlist definitely can be opened and viewed from anywhere and is where I expect the easy copy and paste comes from.
I don't want to mask the urls because that means my bucket is readable to everyone. There is probably some chance that someone will find the url of my bucket and the name of the files and connect everything together...
This is possible by Using Bucket Policies, which allows you to define access rights for Amazon S3 resources - there are a couple of Example Cases for Amazon S3 Bucket Policies illustrating the functionality, and amongst these you'll find an example for Restricting Access to Specific IP Addresses as well:
This statement grants permissions to any user to perform any S3 action
on objects in the specified bucket. However, the request must
originate from the range of IP addresses specified in the condition.
Depending on the specifics of your use case, a bucket policy for this might look like so:
{
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::bucket/*",
"Condition" : {
"IpAddress" : {
"aws:SourceIp": "192.168.143.0/24"
},
"NotIpAddress" : {
"aws:SourceIp": "192.168.143.188/32"
}
}
}
]
}
As shown the aws:sourceIp value for parameters IPAddress and NotIpAddress is expressed in CIDR notation, enabling respective flexibility for composing the desired scope.
Finally, you might want to check out the recommended AWS Policy Generator, select type S3 Bucket Policy and explore the available Actions and Conditions to compose more targeted policies for your use case eventually - the documentation for Conditions explains this in detail.
The Ip address will help if your server going to access your bucket. But JWPlayer is from client side. So the request is directly goes from jwplayer(browser) to s3 bucket url, Not via your server. In this case "referrer bucket policy" will help you in this.
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "1",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucketname/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://yoursitename.com/*",
"http://*.yoursitename.com/*"
]
}
}
}
]
}
So now s3 will allow if that request come from your site only.
You can have your bucket protected, which is by default the way it is. (meaning you only have access to objects in it) Then you can request files from Amazon S3 from your website and give it a time limit to which the user can see it.
//set time so that users can see file for 1 minute. then it is protected again.
$response = $s3->get_object_url(YOUR_A3_BUCKET, PATH/TO/FILE, '1 minutes');
This will automatically give you a url that has parameters associated with it which only is accessible for 1 minute. You can use that as your source within your website and then they could not copy and paste it into the browser after that 1 minute.
You can read more about this at the Amazon SDK for PHP
Restricting Access to a Specific HTTP Referrer
Suppose you have a website with domain name (www.example.com or example.com) with links to photos and videos stored in your Amazon S3 bucket, examplebucket. By default, all the Amazon S3 resources are private, so only the AWS account that created the resources can access them. To allow read access to these objects from your website, you can add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages. The following policy specifies the StringLike condition with the aws:Referer condition key.
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
For everyone who is stumbling upon this now, please take note that Amazon has changed the JSON format for the bucket policies and now requires each allowed / denied IP or domain to be listed separately. See below for an example.
Either way, I strongly recommend to use the AWS Policy Generator to make sure your formatting is correct.
AWS S3 Bucket Policy - Allow Access only from multiple IPs
{
"Id": "Policy1618636210012",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1618635877058",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/folder/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "333.444.555.666"
}
},
"Principal": "*"
},
{
"Sid": "Stmt1618636151833",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/folder/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "222.333.444.555"
}
},
"Principal": "*"
},
{
"Sid": "Stmt1618636203591",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucketname/folder/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "111.222.333.444"
}
},
"Principal": "*"
}
]
}
I am using aws s3 to store my website pictures and video contents. File links from s3 are directly output to html/php.
The problem is that some other sites linked my picture/video, which heavily increased s3 traffic usage, and off course increased the pay bill.
I know in some case people use referer header to prohibit external sites linking. But in this case, picture/video go out directly from s3, not my domain.
Can some one help to achieve this? Thanks.
You can use Amazon bucket policy like :
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originated from www.example.com and example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::examplebucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.example.com/*",
"http://example.com/*"
]
}
}
}
]
}
which is explained in detail at : http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html