
How to Properly Secure S3 with IAM and CORS?

I've figured out how to set up CORS and IAM so I post images to and display images from S3. I have two main issues.

  1. What I have seems insecure because from my understanding of what I have, anyone could access it.
  2. If I secure it, I can no longer test properly on localhost. And I don't have the option of setting it to be accessible on localhost from a work network because we're all remote.

Policy

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AddPerm",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:PutObjectAcl",
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::bucket-name",
                    "arn:aws:s3:::bucket-name/*"
                ]
            },
            {
                "Sid": "read only policy",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::bucket-name/*"
            }
        ]
    }

CORS

    <?xml version="1.0" encoding="UTF-8"?>
    <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
        <CORSRule>
            <AllowedOrigin>*</AllowedOrigin>
            <AllowedMethod>GET</AllowedMethod>
            <AllowedMethod>POST</AllowedMethod>
            <AllowedMethod>PUT</AllowedMethod>
            <AllowedMethod>HEAD</AllowedMethod>
            <MaxAgeSeconds>3000</MaxAgeSeconds>
            <AllowedHeader>*</AllowedHeader>
        </CORSRule>
    </CORSConfiguration>

So, how do I secure my configurations while still allowing development from localhost?

Will using "Condition": {"StringLike": {"aws:Referer": [ ... ]}} prevent access from localhost?

You can lock down the S3 bucket without using the Referer tag. It is probably more secure to use it after testing is complete.

In the AWS S3 console, you can grant permissions to access the bucket to yourself. As long as the Grantee does not say 'Everyone', everyone does not have access to the bucket.

You can then generate an IAM access key for yourself in IAM > Users > 'user_name'. This key can be used to authenticate with the bucket.
You will also want to grant the user AmazonS3FullAccess by attaching it as a policy.

You should be able to use the user's credentials that you just generated to access and modify files in S3.
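As an added example (not part of the question or the answer above), the following Python script checks a bucket policy and a CORS configuration for the problem the question describes: Allow statements that hand write actions to Principal "*", and CORS rules that accept PUT or POST from any origin. It also carries a hardened pair of documents that follows the answer's approach of granting writes to a named IAM user instead of to everyone, and lists the local dev server as an explicit origin so localhost testing keeps working without a wildcard. The posted policy and CORS documents are reconstructed from the question; the account id 123456789012, the user name uploader and the origins https://app.example.com and http://localhost:3000 are placeholders.

```python
"""Flag anonymous write access in an S3 bucket policy and CORS configuration.
Added example, not code from the question or the answer. POSTED_* mirror the
question; the account id, user name and origins in HARDENED_* are placeholders."""
import xml.etree.ElementTree as ET

S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
# Actions that let the caller create, modify, delete or expose objects.
WRITE_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject", "s3:*", "*"}


def _as_list(value):
    """IAM accepts a single string or a list in Statement/Action/Principal.AWS."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True when a statement applies to everyone, i.e. no AWS credentials needed.
    Conditions such as aws:Referer are deliberately ignored: the Referer header
    is chosen by the client, so a statement gated only on it is still anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_write_grants(policy):
    """Return (Sid, action) for each Allow statement granting a write action to everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action in WRITE_ACTIONS:
                findings.append((stmt.get("Sid", "<no Sid>"), action))
    return findings


def cors_wildcard_write_rules(cors_xml):
    """Return indexes of CORSRule elements that allow PUT or POST from any origin."""
    root = ET.fromstring(cors_xml.encode("utf-8"))
    flagged = []
    for i, rule in enumerate(root.findall("s3:CORSRule", S3_NS)):
        origins = {o.text for o in rule.findall("s3:AllowedOrigin", S3_NS)}
        methods = {m.text for m in rule.findall("s3:AllowedMethod", S3_NS)}
        if "*" in origins and methods & {"PUT", "POST"}:
            flagged.append(i)
    return flagged


# Constructed to mirror the question: anyone can upload objects and set their ACLs.
POSTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:PutObjectAcl", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]},
        {"Sid": "read only policy", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-name/*"},
    ],
}

# Public read stays (the images are displayed publicly); writes go only to a
# named IAM user, as the answer suggests. Account id and user name are placeholders.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-name/*"},
        {"Sid": "UploaderWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket-name/*"},
    ],
}

POSTED_CORS = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod><AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod><AllowedMethod>HEAD</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds><AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>"""

# Explicit origins, including the local dev server, instead of "*". Placeholders.
HARDENED_CORS = """<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedOrigin>https://app.example.com</AllowedOrigin>
    <AllowedOrigin>http://localhost:3000</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod><AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds><AllowedHeader>*</AllowedHeader>
  </CORSRule>
</CORSConfiguration>"""

if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name} policy, anonymous write grants:", anonymous_write_grants(pol))
    for name, cors in (("posted", POSTED_CORS), ("hardened", HARDENED_CORS)):
        print(f"{name} CORS, wildcard-origin write rules:", cors_wildcard_write_rules(cors))
```

Running it reports the AddPerm statement twice (s3:PutObjectAcl and s3:PutObject) and the single wildcard CORS rule for the posted documents, and nothing for the hardened pair. The two checks are independent on purpose: CORS is enforced by browsers only and never replaces the bucket policy as authorization, so tightening AllowedOrigin without removing the anonymous PutObject grant leaves the bucket writable by any non-browser client.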
