Is it possible (via IAM, bucket policy, or otherwise) to force Amazon S3 to only serve content over HTTPS/SSL and deny all regular, unencrypted HTTP access?
I believe this can be achieved using a bucket policy. Deny all HTTP requests to the bucket in question using the condition aws:SecureTransport: false.
The following is not tested but it should give you an idea of how to set it up for your case.
{
"Statement":[
{
"Action": "s3:*",
"Effect":"Deny",
"Principal": "*",
"Resource":"arn:aws:s3:::bucketname/*",
"Condition":{
"Bool":
{ "aws:SecureTransport": false }
}
}
]
}
Here you allow your incoming traffic but refuse the non SSL one. If you want to go back just remove the 2nd statement:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucketnamehere/*"
},
{
"Sid": "PublicReadGetObject",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucketnamehere/*",
"Condition":{
"Bool":
{ "aws:SecureTransport": false }
}
}
]
}
Don't forget to put your bucket name at yourbucketnamehere.
Now you need to install a SSL certificate. All the information can be found here.
Related
I know this question has been asked a few times and I have gone through a some documents and examples on this. But I am still not able to get it working.
I want to block access to my S3 bucket from one particular IP address and allow all others. I do not want to block instances belonging to an IAM role and hence I am using NotIpAddress Condition for this. Below is the policy I applied on my bucket:
{
"Version": "2012-10-17",
"Id": "Policy1486984747194",
"Statement": [
{
"Sid": "AllowAllExceptOneIP",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::my-test-bucket",
"Condition": {
"NotIpAddress": {
"aws:SourceIp": "52.38.90.46"
}
}
}
]
}
But this policy isn't working. I am able to upload files to my bucket from this machine, I am using s3-curl.pl to temporarily upload my files.
Can someone please help me find what is wrong here. Thanks.
To block all actions to an S3 bucket from a particular IP, policy needs to have separate deny effect statement for that IP, sample:
{
"Version": "2012-10-17",
"Id": "Policy1487062767078",
"Statement": [
{
"Sid": "AllowAll",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-test-bucket",
"arn:aws:s3:::my-test-bucket/*"
]
},
{
"Sid": "DenyIP",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-test-bucket",
"arn:aws:s3:::my-test-bucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "52.38.90.46"
}
}
}
]
}
Action and Resource can be changed based on what one needs to block.
Thanks a lot #SergeyKovalev for helping me with this solution.
I have a Amazon S3 bucket mybucket and only want to enable access to content in a specific nested folder (or in S3 terms, with a specific "prefix").
I tried the following S3 bucket policy but it doesn't work. After adding the condition I started getting access denied errors in the browser.
{
"Version": "2012-10-17",
"Id": "Policy for mybucket",
"Statement": [
{
"Sid": "Allow access to public content only from my.domain.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://my.domain.com/*"
]
}
}
}
]
}
What should the policy look like to achieve this?
You need to split the policy in to two statements. One to allow access to the folder (prefix), and one to deny access when the referer is not one of the white listed domains:
{
"Version": "2012-10-17",
"Id": "Policy for mybucket",
"Statement": [
{
"Sid": "Allow access to public content",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*"
},
{
"Sid": "Deny access to public content when not on my.domain.com",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/public/content/*",
"Condition": {
"StringNotLike": {
"aws:Referer": [
"http://my.domain.com/*"
]
}
}
}
]
}
I have made a S3 bucket policy for readonly access to cloudfront, i want to restrict s3 bucket for public and just allow it from referrer urls via cloudfront how ever it is not applying my s3 bucket policy.
{
"Version": "2012-10-17",
"Id": "http referer",
"Statement": [
{
"Sid": "Allow get requests referred by www.def.com and dev.def.com.",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXX"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::devmb/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.def.com/*",
"http://dev.def.com/*"
]
}
}
},
{
"Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXX"
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::devmb/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://dev.xyx.com/*",
"http://blog.xyz.com/*"
]
}
}
}
]
}
My content is public right now.
Referer does not work when using CloudFront because the referer does not appear in the HTTP request header itself. You'll have to use S3 without CloudFront if you wish to restrict access using conditional aws:Referer in the bucket policy.
I am new to Amazon S3 and just created my first bucket. I need two important policies to be implemented on the bucket which are as follows:
First, policy for allowing only downloads from my own website (via HTTP referrer)
Secondly, I want to make all objects in the bucket public.
I have got two different codes of policies for my needs, but now I can't put them together to achieve the said goals. Please help me joining these too policies together so I achieve what I want.
For allowing referrer downloads:
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originated from www.example.com and example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::bucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"URL/*",
]
}
}
}
]
}
For making objects public:
{
"Sid": "...",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::bucket/*",
"Principal": {
"AWS": [ "*" ]
}
}
I have the following bucket policy set on my bucket:
{
"Version": "2008-10-17",
"Id": "My access policy",
"Statement": [
{
"Sid": "Allow only requests from our site",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
" http://example.com/*",
" http://www.example.com/*"
]
}
}
},
{
"Sid": "Dont allow direct acces to files when no referer is present",
"Effect": "Deny",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my_bucket/*",
"Condition": {
"Null": {
"aws:Referer": true
}
}
}
]
}
I also configured query string authentication, but it looks like I can't have both. If I have my bucket policies set to deny any request that doesn't originate from example.com, my temporary url using query string authentication will also not get served. So my question is, how can i have both ? Is there a way to check for url parameters and see if it has a parameter called "Signature" and in that case not apply the referer policy?
Remove the space in the referrers string " http://example.com/*" that's wrong... the Amazon examples made that mistake too (using "mydomain" instead of "example").
For the second statement the easier way to solve it is to remove that entire statement and have your files permissions (ACLs) set to private (Owner-Read/Write and World-NoRead/NoWrite)
I am not sure, but in appears that even if you have a Deny Statement a file can still be read if it has a public permission (World Read).
Also, if you are distributing the files on CloudFront remember to allow it to read the bucket too. So a complete bucket policy will look like:
{
"Version": "2008-10-17",
"Id": "YourNetwork",
"Statement": [
{
"Sid": "Allow get requests to specific referrers",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucket/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.yourwebsite.com/*",
"http://yourwebsite.com/*"
]
}
}
},
{
"Sid": "Allow CloudFront get requests",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678:root"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::yourbucket/*"
}
]
}
(change the 12345678 to your AWS account ID number without the dashes)