
AWS S3 - Assign limited permission to bucket & create IAM who can access that bucket only

I'm developing a mobile application and I want to upload/get/delete a file in an AWS S3 bucket.

But I'm very concerned about the security problem.

S3 Bucket: It should not be public, and only an authorized IAM user who has permission to access my bucket should be able to access it.

So, I need help to configure the permissions of my S3 bucket and create an IAM user.

That is not how you authorize access for mobile applications. Yes, you can create an IAM user, generate an access key and secret access key, store those keys in the application code and configure the right permissions for the IAM user. Then you don't even need to configure a bucket policy. By default, a bucket is private and only IAM users in your account with appropriate permissions are able to access it. If you allow an IAM user to access a specific S3 bucket then you would need to configure an explicit deny in the bucket policy to override it.

But the above approach is against every security good practice. What you really want to do is to create an IAM role that allows access to the bucket and assume that role from within the application. You can set up Cognito + web federation (or some other web federation provider) for your users and ask the STS service to generate short-lived credentials using the sts:AssumeRoleWithWebIdentity command.

As for the IAM permissions, you will need to allow s3:PutObject, s3:GetObject and s3:DeleteObject, so the policy can look something like this.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject"
            ],
            "Resource": "<arn-of-your-bucket>/*"
        }
    ]
}
```

You can be even more granular and allow Cognito users to access only "their" folder inside of a bucket if you need to.

As for the role, you just need to attach the above policy to it and configure a trust relationship between the role and the web identity provider (as mentioned above, this can be Cognito or any OpenID provider).
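The two documents the answer describes, the permissions policy on the role and the trust policy that lets Cognito-federated users assume it, are generated below, together with a small check that catches the usual mistakes in such policies (object actions pointed at the bucket ARN instead of a key path, and wildcard resources or actions). This is an added example written for this page, not code from the original answer; the bucket name and identity pool id are placeholders, while the `${cognito-identity.amazonaws.com:sub}` policy variable and the `aud`/`amr` trust conditions are the ones AWS documents for Cognito web identity roles. It goes beyond the answer's policy by also scoping each user to their own prefix, as the answer suggests is possible.

```python
"""Build and sanity-check the IAM documents for the role-based S3 access pattern."""
import json
import re

OBJECT_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject"}


def permissions_policy(bucket: str, per_user_prefix: bool = True) -> dict:
    """Least-privilege policy: object actions only, scoped to one bucket.

    With per_user_prefix each federated user can only touch keys under
    "<their Cognito identity id>/", so users cannot reach each other's files.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"  # placeholder bucket name supplied by caller
    prefix = "${cognito-identity.amazonaws.com:sub}/" if per_user_prefix else ""
    statements = [
        {
            "Sid": "ObjectAccess",
            "Effect": "Allow",
            "Action": sorted(OBJECT_ACTIONS),
            # Object-level actions must target keys (bucket ARN + "/..."),
            # not the bare bucket ARN, or every call is denied.
            "Resource": f"{bucket_arn}/{prefix}*",
        }
    ]
    if per_user_prefix:
        # Listing is a bucket-level action, so restrict it with s3:prefix instead.
        statements.append(
            {
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": bucket_arn,
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            }
        )
    return {"Version": "2012-10-17", "Statement": statements}


def trust_policy(identity_pool_id: str) -> dict:
    """Trust policy: only authenticated users of one Cognito identity pool may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Federated": "cognito-identity.amazonaws.com"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    # Bind the role to this identity pool (placeholder id) ...
                    "StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id},
                    # ... and refuse unauthenticated (guest) identities.
                    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
                },
            }
        ],
    }


def policy_findings(policy: dict) -> list:
    """Return human-readable findings for over-broad or non-working Allow statements."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        touches_objects = any(a in OBJECT_ACTIONS or a == "s3:*" for a in actions)
        for res in resources:
            if res in ("*", "arn:aws:s3:::*"):
                findings.append(f"{sid}: resource '{res}' grants access to every bucket")
            # A bucket ARN has no "/" after the bucket name; object actions need a key path.
            if touches_objects and re.fullmatch(r"arn:aws:s3:::[^/]+", res):
                findings.append(f"{sid}: object action on bucket ARN '{res}' (needs '/<key>' path)")
        if "s3:*" in actions or "*" in actions:
            findings.append(f"{sid}: wildcard action")
    return findings


def render(document: dict) -> str:
    """Serialize a policy document the way it would be pasted into the IAM console."""
    return json.dumps(document, indent=2)


if __name__ == "__main__":
    perms = permissions_policy("my-app-bucket")
    print(render(perms))
    print(render(trust_policy("us-east-1:00000000-0000-0000-0000-000000000000")))
    print("findings:", policy_findings(perms))
```

Run the checker against the answer's original policy with a bucket ARN as the resource and it reports the missing key path; against the generated policy it reports nothing, which is the state you want before attaching the policy to the role.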
