jdecode/aws-s3-and-iam-policies.md

Last active January 17, 2024 11:45

Star (3) You must be signed in to star a gist
Fork (1) You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/jdecode/23a42aaa8fb01feb03f73164c15dc557.js"></script>
Save jdecode/23a42aaa8fb01feb03f73164c15dc557 to your computer and use it in GitHub Desktop.

Download ZIP

S3 and IAM policy and configuration setup

Raw

aws-s3-and-iam-policies.md

Following is the CORS configuration that goes under Bucket > Permissions

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

Author

jdecode commented Aug 13, 2020

Following is the policy applied on S3 bucket

{
    "Version": "2012-10-17",
    "Id": "Policy1572334574521",
    "Statement": [
        {
            "Sid": "Stmt1572334569434",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::759397613179:user/IAM_USER"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::759397613179:user/IAM_USER"
                }
            }
        }
    ]
}

Author

jdecode commented Aug 13, 2020

Author

jdecode commented Aug 13, 2020

Output is as following:

The API ID + Secret pair of the IAM user should be able to access the specified S3 bucket, and NO OTHER bucket
The S3 bucket should be able to receive requests from the specified IAM user, and from NOT OTHER user
The objects in the bucket could be "Put" (saved) or "Get" (retrieved) and nothing else. No DELETE operation are permitted.

All objects(files) should be private by default unless something is specifically required to have public access, like images or files that are supposed to go in emails, with previews.

If the files are supposed to be linked (and not previewed) then the link should take the user to a URL that would (optionally, internally redirect to a location that) let the user preview or download the said file using signed URL.

Author

jdecode commented Aug 13, 2020

The API key ID and SECRET pair MUST NOT be made accessible to front-end applications - neither web-based apps (React.JS/Vue etc) nor mobile apps (React Native, Swift/Java etc).

The secret keys MUST stay at the server end only, and should be used by client-end (front-end) apps (web/mobile) to get signed/pre-signed URLs to access or save files to S3 - but never store the API keys

er-pkumar commented Feb 2, 2023

New/JSON CORS

[{
  "AllowedHeaders": [],
  "AllowedMethods": [
      "GET",
      "POST"
  ],
  "AllowedOrigins": [
      "*"
  ],
  "ExposeHeaders": []
}]