Restrict access to website hosted on S3

Tags:

amazon-s3

I would like to host a static website at Amazon S3, but I need to restrict access to it to certain users. This may be by IP address or by Amazon credentials (only logged-in users can access the bucket's content).

Is this possible?

Thanks

duduklein asked Jan 11 '13 12:01


2 Answers

Yes, it indeed is possible. A better starting point for you would be to read S3 access control.

But by default the buckets created on S3 aren't public. So the default behaviour should be that it will only be accessible to a person/program who/which has knowledge of your access and secret key.

You may also edit bucket permission in order to give access to a particular AWS account or an email id.

In order to restrict access to certain IPs, you may create additional bucket policy.

Restricting Access to Specific IP Addresses

This statement grants permissions to any user to perform any S3 action on objects in the specified bucket. However, the request must originate from the range of IP addresses specified in the condition. The condition in this statement identifies 192.168.143.* range of allowed IP addresses with one exception, 192.168.143.188.

Note that the IpAddress and NotIpAddress values specified in the condition use the CIDR notation described in RFC 2632. For more information, go to http://www.rfc-editor.org/rfc/rfc4632.txt.

    {
        "Version": "2012-10-17",
        "Id": "S3PolicyId1",
        "Statement": [
            {
                "Sid": "IPAllow",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": "arn:aws:s3:::bucket/*",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": "192.168.143.0/24"
                    },
                    "NotIpAddress": {
                        "aws:SourceIp": "192.168.143.188/32"
                    }
                }
            }
        ]
    }

For more, read here and here.

Amar answered Sep 25 '22 20:09
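The IP-conditioned bucket policy above is easy to get wrong (a typo in a CIDR, or an exception that does not land inside the allowed range). The following is an added example, not code from the answer or from AWS: it models only the IpAddress / NotIpAddress operators on aws:SourceIp so you can check offline which source addresses a policy like the one above would admit before attaching it. The bucket name is a placeholder, as in the answer.

```python
# Added example (not from the answer): offline check of which source IPs a
# bucket policy's IpAddress / NotIpAddress conditions on aws:SourceIp admit.
# Only those two condition operators are modelled, not full IAM evaluation.
import ipaddress

# Constructed sample: the policy from the answer above (placeholder bucket name).
POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::bucket/*",
        "Condition": {
            "IpAddress": {"aws:SourceIp": "192.168.143.0/24"},
            "NotIpAddress": {"aws:SourceIp": "192.168.143.188/32"},
        },
    }],
}

def _in_any(ip, cidrs):
    # A condition value may be one CIDR string or a list of them.
    cidrs = cidrs if isinstance(cidrs, list) else [cidrs]
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def statement_matches_ip(statement, source_ip):
    """IpAddress: IP must be inside some listed CIDR; NotIpAddress: IP must be
    outside every listed CIDR. No IP condition means the statement always matches."""
    ip = ipaddress.ip_address(source_ip)
    cond = statement.get("Condition", {})
    allow = cond.get("IpAddress", {}).get("aws:SourceIp")
    deny = cond.get("NotIpAddress", {}).get("aws:SourceIp")
    if allow is not None and not _in_any(ip, allow):
        return False
    if deny is not None and _in_any(ip, deny):
        return False
    return True

def is_allowed(policy, source_ip):
    """Some Allow statement matches and no Deny statement matches (Deny wins)."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_matches_ip(stmt, source_ip):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

for ip in ("192.168.143.10", "192.168.143.188", "10.0.0.5"):
    print(ip, "allowed" if is_allowed(POLICY, ip) else "blocked")
```

Running it prints that 192.168.143.10 is allowed while 192.168.143.188 (the excepted host) and 10.0.0.5 (outside the range) are blocked.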


Edit: User/group based restrictions do not work for static websites hosted in S3 since AWS is not registering your AWS Management Console (path: amazon.com) credentials/cookies for S3 (path: amazonaws.com) and not checking for them either.

Workaround: www.s3auth.com - Basic Auth for S3 buckets might do the trick for you but involves a third party. Another solution may be Query String Request Authentication, using an EC2 instance or the Elastic Beanstalk Java SE Static Files Option. We are currently exploring securing our buckets with an Amazon API Gateway as Amazon S3 Proxy.


Sidenote: There are some additional things to look out for, which are often not directly pointed out.

It is currently not possible in bucket policies to grant or restrict group access, only specific users. Since you also generally don't want to update each bucket policy for each change in your user structure and bucket policies might (unintentionally) interfere with your user policies you may not want to use bucket policies.

The user/group based policies only work with the s3:GetBucketLocation and s3:ListAllMyBuckets attached to arn:aws:s3:::* or * (unfortunately no filtering possible here, all bucket names will be visible for users/groups with this policy).

IAM Policy Example: (not an S3 Bucket Policy and not working for Static Website Hosting)

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation"
                ],
                "Resource": [
                    "arn:aws:s3:::*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": [
                    "arn:aws:s3:::YOURBUCKETNAME",
                    "arn:aws:s3:::YOURBUCKETNAME/*"
                ]
            }
        ]
    }

More detailed blog post: "How to Restrict Amazon S3 Bucket Access to a Specific IAM Role"

nottmey answered Sep 22 '22 20:09