 

Amazon S3 Write Only access

I'm backing up files from several customers directly into an Amazon S3 bucket - each customer to a different folder. I'm using a simple .Net client running under a Windows task once a night. To allow writing to the bucket, my client requires both the AWS access key and the secret key (I created a new pair).

My problem is:

  1. How do I make sure none of my customers could potentially use the pair to peek in the bucket and in a folder not his own? Can I create a "write only" access pair?

  2. Am I approaching this the right way? Should this be solved through AWS access settings, or should I client-side encrypt files on the customer's machine (each customer with a different key) prior to uploading and avoid the above-mentioned cross-access?

Traveling Tech Guy asked Feb 25 '13 21:02


2 Answers

I just created a write-only policy like this and it seems to be working:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }
    ]
}

I think creating a drop like that is a much neater solution.

Alper answered Oct 31 '22 00:10


Use IAM to create a separate user for each customer (not just an additional key pair), then give each user access to only their S3 folder. For instance, if the bucket is called everybodysbucket, and customer A's files all start with userA/ (and customer B's with userB/), then you can grant permission to everybodysbucket/userA/* to the user for customer A, and to everybodysbucket/userB/* for customer B.

That will prevent each user from seeing any resources not their own.

You can also control specific S3 operations, not just resources, that each user can access. So yes, you can grant write-only permission to the users if you want.

Charles Engelke answered Oct 31 '22 00:10
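Putting the two answers together, as an added example (not the asker's .NET client and not code from either answer): a Python script that builds the PutObject-only policy for a separate IAM user per customer, scoped to that customer's folder, and a deliberately simplified offline evaluator that shows what each policy grants and withholds. The bucket name everybodysbucket is taken from the second answer; the customer prefixes and object keys are constructed, and the evaluator models only IAM's basic rules (default deny, explicit Deny beats Allow, * and ? wildcards), not Conditions, bucket policies or ACLs.

```python
"""Per-customer write-only S3 policies plus an offline sanity check.
Added example, not code from the question or either answer; the bucket
name comes from the second answer, everything else is made up."""
import fnmatch
import json

BUCKET = "everybodysbucket"     # assumed name, taken from the second answer
CUSTOMERS = ["userA", "userB"]  # constructed customer folder prefixes


def write_only_policy(bucket: str, prefix: str) -> dict:
    """IAM policy document for one customer's own IAM user: s3:PutObject
    only, scoped to keys under <prefix>/.

    No s3:GetObject and no s3:ListBucket are granted, so whoever holds this
    user's keys can upload into its folder but cannot read or enumerate the
    bucket. Deleting is explicitly denied; an explicit Deny wins over any
    Allow that a later, broader policy attachment might add.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "UploadToOwnFolder",
                "Effect": "Allow",
                "Action": ["s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
            },
            {
                "Sid": "NeverDelete",
                "Effect": "Deny",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": [f"arn:aws:s3:::{bucket}/*"],
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified offline IAM evaluation of a single identity policy:
    default deny, explicit Deny beats Allow, '*'/'?' wildcards in Action
    (case-insensitive) and Resource (case-sensitive).

    Only Action/Resource matching is modelled: no Condition, NotAction,
    bucket policies, ACLs or cross-account rules. It is a sanity check to
    run before attaching a policy, not a replacement for the IAM simulator.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(fnmatch.fnmatchcase(resource, r)
                          for r in _as_list(stmt["Resource"]))
        if not (action_ok and resource_ok):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def cross_access_report(bucket: str, customers: list) -> dict:
    """For each customer's policy, record whether it can write to its own
    folder, write to another customer's folder, read back its own upload,
    list the bucket, or delete. A correct drop-box setup is True only for
    put_own."""
    report = {}
    for me in customers:
        policy = write_only_policy(bucket, me)
        others = [c for c in customers if c != me]
        own_key = f"arn:aws:s3:::{bucket}/{me}/backup.zip"
        report[me] = {
            "put_own": is_allowed(policy, "s3:PutObject", own_key),
            "put_other": any(
                is_allowed(policy, "s3:PutObject",
                           f"arn:aws:s3:::{bucket}/{o}/backup.zip")
                for o in others),
            "get_own": is_allowed(policy, "s3:GetObject", own_key),
            "list_bucket": is_allowed(policy, "s3:ListBucket",
                                      f"arn:aws:s3:::{bucket}"),
            "delete_own": is_allowed(policy, "s3:DeleteObject", own_key),
        }
    return report


if __name__ == "__main__":
    # The first document is what you attach to the customer's IAM user.
    print(json.dumps(write_only_policy(BUCKET, "userA"), indent=2))
    print(json.dumps(cross_access_report(BUCKET, CUSTOMERS), indent=2))
```

Save the printed policy and attach it to that customer's IAM user with `aws iam put-user-policy --user-name <customer-user> --policy-name write-only-drop --policy-document file://policy.json`, then hand that user's access key pair to the customer's scheduled task. Two caveats the policy alone does not cover: s3:PutObject also lets the key holder overwrite the customer's earlier uploads, so enable bucket versioning (with the explicit deny on s3:DeleteObjectVersion, older versions then survive an overwrite); and the restriction lives entirely on the AWS side, so per-customer client-side encryption is still reasonable defence in depth if you want the data unreadable even to an over-privileged identity.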