@sparkcodeuk
Last active January 14, 2020 14:22
This tutorial encourages you to stupidly give S3 offload media full access to every S3 resource in your AWS account.
Never, ever do this.
Here is a sane policy which gives S3 offload only the access it absolutely requires.
NOTE: this assumes you're uploading objects under the /wp-content/... prefix and that you don't need to "browse existing buckets" during setup.
Beyond this, I would recommend enabling "Versioning" on the bucket and adding an S3 lifecycle rule that expires previous (noncurrent) versions of objects. This mitigates the obvious delete/overwrite attacks on your website uploads: if the plugin's key is compromised, the current objects can be deleted or overwritten, but the earlier versions stay recoverable until the lifecycle rule expires them.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::NAMEOFS3BUCKETHERE/wp-content/*"
      ]
    }
  ]
}
```
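As an added example (not part of the gist), the check below audits a policy document against the shape described above: only the four actions the plugin needs, and only on `arn:aws:s3:::<bucket>/wp-content/*`. It also builds the versioning plus noncurrent-version-expiry lifecycle rule the gist recommends, in the dictionary shape `boto3`'s `put_bucket_lifecycle_configuration` accepts. The overbroad policy used as the bad input is constructed here for illustration; the bucket name `NAMEOFS3BUCKETHERE` is the gist's placeholder.

```python
"""Audit an IAM policy for the WP Offload Media least-privilege shape.

Added example; not code from the gist. Assumes the plugin only ever
touches arn:aws:s3:::<bucket>/<prefix>* and needs exactly the four
actions listed in the gist's policy.
"""
import json

# Actions the gist's policy grants; nothing beyond these is needed.
REQUIRED_ACTIONS = {
    "s3:PutObject",
    "s3:GetObject",
    "s3:DeleteObject",
    "s3:PutObjectAcl",
}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy, bucket, prefix="wp-content/"):
    """Return a list of findings; an empty list means the policy is scoped
    the way the gist describes (only REQUIRED_ACTIONS, only on the prefix).
    """
    expected_arn = f"arn:aws:s3:::{bucket}/{prefix}*"
    findings = []
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                # s3:* or s3:Get* style grants are exactly what the gist warns against.
                findings.append(f"wildcard action {action!r} grants far more than the plugin needs")
            elif action not in REQUIRED_ACTIONS:
                findings.append(f"action {action!r} is not required by the plugin")
            else:
                granted.add(action)
        for resource in _as_list(stmt.get("Resource")):
            if resource != expected_arn:
                findings.append(f"resource {resource!r} is not scoped to {expected_arn!r}")
    missing = REQUIRED_ACTIONS - granted
    if missing:
        findings.append(f"missing required actions: {sorted(missing)}")
    return findings


def noncurrent_version_expiry_rule(prefix="wp-content/", days=30):
    """Lifecycle configuration that expires old object versions after `days`.

    This is the structure boto3's put_bucket_lifecycle_configuration takes
    as LifecycleConfiguration; the bucket must have versioning enabled first.
    """
    return {
        "Rules": [
            {
                "ID": "expire-noncurrent-uploads",
                "Filter": {"Prefix": prefix},
                "Status": "Enabled",
                "NoncurrentVersionExpiration": {"NoncurrentDays": days},
            }
        ]
    }


# Constructed inputs: the "full access" grant the gist warns against, and the gist's own policy.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

SANE_POLICY = json.loads(
    """
    {"Version": "2012-10-17",
     "Statement": [{"Sid": "VisualEditor0", "Effect": "Allow",
                    "Action": ["s3:PutObject", "s3:GetObject",
                               "s3:DeleteObject", "s3:PutObjectAcl"],
                    "Resource": ["arn:aws:s3:::NAMEOFS3BUCKETHERE/wp-content/*"]}]}
    """
)

if __name__ == "__main__":
    for name, policy in (("overbroad", OVERBROAD_POLICY), ("sane", SANE_POLICY)):
        print(name, audit_policy(policy, "NAMEOFS3BUCKETHERE") or "OK")
    print(json.dumps(noncurrent_version_expiry_rule(), indent=2))
```

Note that the gist's policy grants `s3:DeleteObject` but not `s3:DeleteObjectVersion`: on a versioned bucket a plain delete only adds a delete marker, so the key cannot permanently remove earlier versions, which is what makes the versioning plus lifecycle recommendation effective.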