Fork and clone this repository.
Read over all the instructions before proceeding.
Follow the steps outlined to create and gain programmatic access to an AWS S3 bucket.
An AWS (Amazon Web Services) account. If you do not have an account, open AWS and click Sign In to the Console. Amazon provides a free tier, with some limitations, for twelve months after you sign up for an AWS account.
Storing large static files is a common need for a web application. Accepting image uploads from authorized users but allowing public read access is a frequent example.
AWS provides a variety of APIs, one of which is easily used for this purpose. This guide helps ensure access to these APIs is restricted.
Why is this important?
Using any metered API has financial risks. Using many APIs may have data risks (information loss or exposure).
Using restrictive access control with AWS ensures that even if an identity is compromised, the actual risks, financial and otherwise, are limited.
In the AWS console, open tabs for IAM (Identity and Access Management) and S3 (Simple Storage Service). Identities are how we grant access to AWS APIs.
In the IAM tab:
1. Click Users in the left sidebar.
2. Click Add User near the top of the page.
3. Enter wdi-upload into the text box.
4. Select Programmatic Access.
5. Click the x to the right of your existing access key to delete it.
6. Click Create access key.
7. Click download .csv file and save the CSV to this repository. (This is the only time you'll be able to see your access key, but you can generate a new one anytime and are encouraged to rotate them frequently.)
8. Click Download Credentials.
9. Save credentials.csv to this repository.
10. Click Close.
11. Copy the User ARN (Amazon Resource Name) at the top of the page and save it in arn.txt.

We'll need the User ARN to grant access to the S3 bucket we'll use for uploads. We'll also need an Access Key (Access Key Id and Secret Access Key) for this IAM User to upload files via the S3 API. The Access Key is contained in credentials.csv.
Note well: credentials.csv contains secrets! Do not share them or store them in git. The .gitignore in this repository explicitly ignores this file. Altering the .gitignore file in this repository could result in your AWS credentials (credentials linked to your credit card information) being visible on GitHub. NEVER COMMIT SECRETS TO GIT.
S3 stores files you upload in buckets. A bucket is a top-level namespace for your files.
In the S3 tab:
1. Click Create Bucket. This opens the Create a Bucket - Select a Bucket Name and Region modal.
2. Enter a name in the Bucket Name box. It must be unique among all S3 buckets and in all lowercase characters.
3. Select US Standard for the Region.
4. Click Create.
5. Highlight your bucket and select the Properties tab on the right side.
6. Open the Permissions dropdown in the right sidebar.
7. Click Add bucket policy near the bottom of the Permissions dropdown.
8. At the bottom of the Bucket Policy Editor modal, click AWS Policy Generator. This opens the AWS Policy Generator page.
On the AWS Policy Generator page:

Step 1: Select Policy Type
1. For Select Type of Policy, use S3 Bucket Policy.

Step 2: Add Statement(s)
1. Select Allow for Effect.
2. Enter the User ARN (saved in arn.txt) into the Principal box.
3. Select PutObject and PutObjectAcl for Actions.
4. Enter arn:aws:s3:::<bucket_name>/* into the Amazon Resource Name (ARN) box.
5. Click Add Statement.

Step 3: Generate Policy
1. Click Generate Policy and copy the policy from the Policy JSON Document modal.

Return to the S3 tab:
1. Paste the bucket policy into the Bucket Policy Editor modal.
2. Click Save.
3. Click Save in the Permissions dropdown.
You have now created and granted access to an S3 bucket. These steps limit upload access to one bucket for the identity wdi-upload.
This is one specific and restrictive way of implementing access control. AWS provides many different mechanisms to grant and restrict access.
```json
{
  "Version": "2012-10-17",
  "Id": "Policy1439826519004",
  "Statement": [
    {
      "Sid": "Stmt1439826516658",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS Account Id>:user/<IAM User Name>"
      },
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/*"
    }
  ]
}
```
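As an added example (not part of the original exercise), the following Python builds the upload-only bucket policy shown above for a given account id, user name and bucket, and checks any bucket policy JSON for statements that widen access beyond one identity acting on one bucket. The account id and bucket name are constructed placeholders, and the over-broad policy is a constructed sample of what the generator emits if every box is filled with "*".

```python
import json
# Constructed placeholder values; real ones come from the console and arn.txt.
ACCOUNT_ID = "123456789012"
USER_NAME = "wdi-upload"
BUCKET = "example-wdi-uploads"

# Constructed over-broad policy: what the generator emits if every box is "*".
OVERBROAD_POLICY_JSON = """{"Version": "2012-10-17", "Statement": [{"Sid": "Wide",
  "Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": "*"}]}"""

def upload_only_policy(account_id, user_name, bucket):
    """The guide's policy: one IAM user may only put objects and their ACLs into one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "UploadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:user/{user_name}"},
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }

def _as_list(value):
    # IAM accepts a single string or a list in Principal.AWS, Action and Resource.
    return value if isinstance(value, list) else [value]

def policy_findings(policy):
    """List each way an Allow statement widens access beyond one identity on one bucket."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            findings.append(f"{sid}: Principal '*' allows anyone, anonymous users included")
        for action in _as_list(stmt.get("Action", [])):
            if action.endswith("*"):  # "*", "s3:*", "s3:Put*" all match more than two calls
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: resource {resource} covers every bucket")
    return findings

def policy_findings_from_json(text):
    """Run the same check over the JSON text pasted into the Bucket Policy Editor."""
    return policy_findings(json.loads(text))
```

Running policy_findings_from_json over the text you paste into the Bucket Policy Editor before clicking Save is a cheap last check that the generator did not produce something broader than intended.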