I'm trying to set up an AWS S3 bucket for storing files that a website will dish up to users of the site. The site is an intranet (only logged in users can access any pages which provide links to the assets from the S3 bucket).
When I include "Principle": "*" in my policy, AWS warns me about exposing the bucket to public access. Yet everything I've tried for granting only a specific user to have access doesn't work (results in AccessDenied errors).
After many hours reading online articles, AWS documents, and a long list of questions on ServerFault and StackExchange, I am none the wiser. I'm starting to think that perhaps I'm misunderstanding the ramifications of an S3 bucket having public access. Is it even an issue, since I can't seem to NOT grant public access whilst still having access to the files (via the web site that's storing them on there).
The website in question is a Craft 2 CMS site, with an AWS S3 plug-in. The plug-in requires an AWS "Access Key ID" and "Secret Access Key". I set up a user in IAM for this site, and used the Keys from that user.
What I've tried
- I've tried applying a policy to the bucket itself. If I use the following policy, on the bucket itself, I can access the files from the website. But I get the warning from AWS that this opens up public access (which I understand is due to the
"Principle": "*"field).
{
"Id": "Policy1599693986936",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1599693977359",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:GetObjectAcl",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MY-BUCKET/*",
"arn:aws:s3:::MY-BUCKET"
],
"Principal": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::MY-BUCKET"
],
"Principal": "*"
}
]
}
- To avoid the Public Access issue/warning, I've tried having a policy on just the IAM user itself, and no policy on the bucket directly. I used this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:ListBucketMultipartUploads",
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::MY-BUCKET"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::MY-BUCKET/*"
}
]
}
But this results in a <Code>AccessDenied</Code> error when I try to view the files via our web site. So it does not seem to grant the required permissions, even though it's granting the same permissions as the policy in #1 above, just that they are specific to this user (whose key I am using on the site).
- I've also tried applying a condition in the policy on the bucket, restricting access to the IP address of my website, but that results in
AccessDeniederror. The additional field I used was:
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"SERVER-IP-ADDRESS"
]
}
},
Questions
- Have I misunderstood how to grant a user (and therefore a specific website, with that user's credentials, access to an S3 bucket?
- What is the way to grant a web site (or any tool that accesses S3) exclusive access to a bucket, without opening the bucket up to public access?
- What are the actual risks of opening up "public access" in my usage scenario? Since it's an private website (a password access only intranet) does it even matter if I grant public access to the S3 bucket? Can I just ignore the warnings from AWS?
