Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Correct S3 Policy For Pre-Signed URLs

Tags:

I need to issue pre-signed URLs for allowing users to GET and PUT files into a specific S3 bucket. I created an IAM user and use its keys to create the pre-signed URLs, and added a custom policy embedded in that user (see below). When I use the generated URL, I get an AccessDenied error with my policy. If I add the FullS3Access policy to the IAM user, the file can be GET or PUT with the same URL, so obviously, my custom policy is lacking. What is wrong with it?

Here's the custom policy I am using that is not working:

{     "Statement": [         {             "Action": [                 "s3:ListBucket"             ],             "Effect": "Allow",             "Resource": [                 "arn:aws:s3:::MyBucket"             ]         },         {             "Action": [                 "s3:AbortMultipartUpload",                 "s3:CreateBucket",                 "s3:DeleteBucket",                 "s3:DeleteBucketPolicy",                 "s3:DeleteObject",                 "s3:GetBucketPolicy",                 "s3:GetLifecycleConfiguration",                 "s3:GetObject",                 "s3:ListBucket",                 "s3:ListBucketMultipartUploads",                 "s3:ListMultipartUploadParts",                 "s3:PutBucketPolicy",                 "s3:PutLifecycleConfiguration",                 "s3:PutObject"             ],             "Effect": "Allow",             "Resource": [                 "arn:aws:s3:::MyBucket/*"             ]         }     ] } 
like image 363
alphadogg Avatar asked Sep 25 '16 15:09

alphadogg


People also ask

Are S3 pre-signed URLs secure?

Pre-signed URLs can be generated for an S3 object, allowing anyone who has the URL to retrieve the S3 object with an HTTP request. Not only is this more secure due to the custom nature of the URL, but the available options also allow you to set an expiration on the URL, the default being one hour.

What is pre-signed URL S3?

Pre-signed URLs are used to provide short-term access to a private object in your S3 bucket. They work by appending an AWS Access Key, expiration time, and Sigv4 signature as query parameters to the S3 object. There are two common use cases when you may want to use them: Simple, occasional sharing of private files.

Which of the following is the correct S3 URL format?

An S3 bucket can be accessed through its URL. The URL format of a bucket is either of two options: http://s3.amazonaws.com/[bucket_name]/ http://[bucket_name].s3.amazonaws.com/

How do S3 signed URLs work?

S3 pre-signed URLs are a form of an S3 URL that temporarily grants restricted access to a single S3 object to perform a single operation — either PUT or GET — for a predefined time limit. To break it down: It is secure — the URL is signed using an AWS access key.


1 Answers

Here is an IAM policy that works for my presigned S3 URLs.

{     "Version": "2012-10-17",     "Statement": [       {         "Sid": "VisualEditor0",         "Effect": "Allow",         "Action": [             "s3:PutObject",             "s3:GetObject"         ],         "Resource": "arn:aws:s3:::mydocs/*"       }     ] } 

I wonder if your problem is in the Resource part. Were your GET requests for bucket MyBucket always?

like image 166
Big Pumpkin Avatar answered Sep 30 '22 11:09

Big Pumpkin