Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can I run my static website from an S3 Bucket, and add password protection?

I'm running a static website completely from an Amazon S3 bucket, but I want to password protect my content. Is this possible? The type of authentication doesn't bother me, it just needs to be there, so that people can't just 'discover' my website.

At the moment, I don't have a domain name set up, which I believe rules out http://www.s3auth.com/ as a possible solution. Are there any others?

like image 673
James Ford Avatar asked Dec 05 '12 09:12

James Ford


People also ask

Can Amazon S3 run a static website?

You can use Amazon S3 to host a static website. On a static website, individual webpages include static content. They might also contain client-side scripts. By contrast, a dynamic website relies on server-side processing, including server-side scripts, such as PHP, JSP, or ASP.NET.

Is it safe to store credentials in S3?

S3 provides server-side encryption for your data when you store it in the AWS cloud. This server-side encryption is totally transparent from the customer's perspective and it utilizes AES-256 cryptography and generates a unique encryption key for each object you store in S3.


2 Answers

AWS doesn't provide a way to do this directly right now. The S3auth solution you mentioned is nice in that your bucket/objects remain private so that a direct access to the bucket does not allow objects to be read without your private credentials. The disadvantage of the s3auth approach is that it relies on you trusting s3auth with your private credentials. If your credentials are compromised at any stage, it could be costly depending on how someone might abuse your access rights.

If you make your objects publicly readable (as you do when you create a website), anyone who learns/guesses/knows your objects names etc can access them. Or indeed if the bucket is readable, then all they need is the bucket name. There is no real way around this except by tightening the S3 access permissions.

If you only access your website from certain IP addresses, perhaps looking at Bucket Policies may help. Scroll down to Restricting Access to Specific IP Addresses. This is not a password but it does allow you to restrict where accesses can come from at least.

Another common technique for providing temporary access to objects is Query String Request Authentication. This does not however match your original requirement of password protecting your S3 bucket website.

like image 176
MeSee Avatar answered Oct 12 '22 00:10

MeSee


This is possible using CloudFront and Lambda@Edge. See the answer here: https://stackoverflow.com/a/45971193/4550880

like image 8
Leonid Makarov Avatar answered Oct 12 '22 00:10

Leonid Makarov