-2

I want to prevent direct interaction with my S3 bucket. While my S3 bucket is properly configured, I want to find a (performant) method to lock down access to a single i.p while still serving files off of S3.

The architecture I envision is something like:

user request -> proxy web application -> s3 bucket

Such that the user is not exposed to, or made aware of, the use of S3. The liability I am trying to find a way around is that this will involve me paying for the CPU load for every request, reducing many of the advantages of using S3 in the first place. I imagine achieving this goal would involve a very quick and very minimal web service.

Is there a way to hide S3 from users without wasting its advantages in a proxy?

NB:

I don't want to consider that S3 may be safely configured. In my case, there are organizational reasons to consider further safety procedures. I would enjoy the thought exercise here even if it is truly the wrong choice.

Additionally, it is not an option to use a service instead of S3. We are just talking about S3 here.

MrSynAckSter
  • Put cloudfront in front of it? – ceejayoz Mar 01 '18 at 18:58
  • You'd still be making API requests to AWS... They would be able to infer what it was and likely find the bucket themselves. – MrSynAckSter Mar 01 '18 at 19:50
  • 1
    Use a different CDN provider then. Cloudflare works well for fronting buckets and doesn't reveal any information about the origin. Keep in mind that for large files, each proxy/CDN handles stream buffering differently – Brennen Smith Mar 01 '18 at 20:02
  • @baordog It's entirely possible to wall off an S3 bucket to only be accessed via its CloudFront distribution. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html – ceejayoz Mar 01 '18 at 20:25
  • Why are you down voting? This isn't against the rules and it's not off topic. – MrSynAckSter Mar 02 '18 at 16:45
  • "I would enjoy the thought exercise here even if it is truly the wrong choice" falls squarely within the "not useful" criteria given when you hover over the downvote button, if you ask me. – ceejayoz Mar 03 '18 at 03:53
  • It is useful. Maybe you are contractually obligated to use S3, but obligated by *compliance* not to reveal its use. Why is it so hurtful to you to consider a realistic scenario? These are real requirements I am suffering in real life. – MrSynAckSter Mar 05 '18 at 19:05

1 Answer

1

If you want to lock access to an IP, you can set that permission via IAM - this way, you don't have to do any reverse proxy nonsense.

You could create a global read S3 policy and then set a condition that the requests must be from a specific IP address.

An example of a condition statement is:

"Condition": {
    "IpAddress": {
        "aws:SourceIp": ["192.0.2.0/24", "203.0.113.0/24"]
    }
}
Brennen Smith
  • That's not what I'm asking. I am asking how I can proxy access to the S3 services without losing performance. I don't want the end-user's browser to be making requests to it, and I don't want to lose all the advantages of using it. – MrSynAckSter Mar 01 '18 at 19:50
  • 1
    You literally said that your goal is to "lock down access to a single i.p". The solution I posted provides that requirement, along with keeping the performance and resiliency advantages of using S3. If you don't want end users to directly request S3, then of course you are going to need a proxy/s3fs and the substantial overhead of that. – Brennen Smith Mar 01 '18 at 20:02
  • Right and the entire thrust of the question is: How may I proxy it most efficiently? I'm not asking how to implement an I.P whitelist, I am asking how to prevent users from directly interacting with my bucket without sacrificing performance. – MrSynAckSter Mar 02 '18 at 16:47
  • 1
    A proxy will, pretty much by definition, sacrifice performance. It's adding extra steps to the request. The premise of your question is entirely odd. – ceejayoz Mar 03 '18 at 03:54
  • The question is how to *minimally* sacrifice performance. Many questions on this site address similar rock and a hard place questions. Your objections are entirely odd and not constructive at all. – MrSynAckSter Mar 05 '18 at 19:08
  • If you want to proxy it, proxy it, and take the resulting performance hit. – ceejayoz Mar 05 '18 at 20:29
  • 1
    Overall, to answer your question about minimizing it - find a CDN provider who has the sufficient diversity, pricing, and bandwidth to meet your needs, and can hide headers (S3 adds some). This ensures that the origin is hidden, and is still geographically diverse rather than a SPOF. But as ceejayoz has said, there's no silver bullet, just a question of how much latency/performance hit you're willing to take. – Brennen Smith Mar 05 '18 at 20:38
  • 1
    One other point - if you are worried about exposing your S3 bucket to the internet, you have a seriously flawed threat/security model. However if you are trying to hide from DMCA takedown requests or other legal ramifications - then hypothetically, I suppose a proxy is the right approach? – Brennen Smith Mar 05 '18 at 20:40
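
The `aws:SourceIp` condition from the answer, placed in a complete bucket policy that admits only the proxy's address, with a local check of which source addresses it lets through. This is an added example, not code from the answer or from AWS; the bucket name, `Sid`, proxy address and the `source_ip_allowed` helper are assumptions, and the helper is a simplified model of the condition, not AWS's policy evaluator.

```python
import ipaddress
import json

# Constructed placeholders: bucket name and proxy egress address are assumptions.
BUCKET = "example-bucket"
PROXY_CIDRS = ["192.0.2.10/32"]


def build_policy(bucket, cidrs):
    """Bucket policy: anonymous GetObject, but only from the listed source ranges."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOnlyFromProxy",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
        }],
    }


def source_ip_allowed(policy, source_ip):
    """Simplified local model of the IpAddress condition (not AWS's evaluator).

    Returns True if any Allow statement's aws:SourceIp ranges contain source_ip.
    With no matching Allow, S3 denies an anonymous request by default.
    """
    addr = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        ranges = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if ranges is None:
            continue  # this model only considers statements gated on source IP
        if isinstance(ranges, str):  # IAM accepts a single string or a list
            ranges = [ranges]
        if any(addr in ipaddress.ip_network(r, strict=False) for r in ranges):
            return True
    return False


if __name__ == "__main__":
    policy = build_policy(BUCKET, PROXY_CIDRS)
    print(json.dumps(policy, indent=2))
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(ip, "allowed" if source_ip_allowed(policy, ip) else "denied")
```

Running the check against a candidate policy before attaching it shows whether the allowed range is as narrow as intended, for example a `/32` for a single proxy rather than a whole `/24`.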