0

I have an S3 bucket that I want to restrict access to on the basis of how old the credentials used to access it are. For example if the token used to access the bucket is greater than X days old, I want to deny access. How can I achieve this? Something like this policy -

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "RejectLongTermCredentials",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": [
      "arn:aws:s3:::${bucket}",
      "arn:aws:s3:::${bucket}/*"
    ],
    "Condition": {
      aws:TokenIssueTime > 90 days
    }
  }
}

Is there a way to calculate the age of a token? Any help would be appreciated!

VBoi
  • 349
  • 5
  • 21
  • The above policy is used to prevent a previously-issued token from working now (since it is not possible to "deactivate" a token until it naturally times out). Can you please edit your question to explain your actual use-case? That is, please explain your architecture and what you are trying to achieve as an end-goal. – John Rotenstein Apr 26 '20 at 06:05
  • I've edited it the best I can. I think it explains the use case well. – VBoi Apr 26 '20 at 16:57
  • You state that "I have an S3 bucket that I want to restrict access to on the basis of how old the credentials used to access it are", but you don't explain _WHY_ you wish to do this. If you provide us the full details of what you are trying to accomplish, we can probably provide an alternative (such as the use of pre-signed URLs). Please tell us _why_ you are wanting to do this and _what_ your end-goal is, rather than _how_ you wish to accomplish it. – John Rotenstein Apr 26 '20 at 22:23

1 Answer

1

What you are describing sounds very similar to Amazon S3 pre-signed URLs.

A pre-signed URL provides time-limited access to a private object.

Imagine a photo-sharing app. It would work like this:

  • All photos are kept in private Amazon S3 buckets
  • A user authenticates to the app
  • When a user wishes to view a private photo (or the app generates an HTML page that links to a photo, using <img> tags), the app will:
    • Verify that the user is entitled to view that photo
    • If they are, the app generates a pre-signed URL, which includes an expiry period (e.g. 5 minutes)
  • When the user's browser accesses the pre-signed URL, Amazon S3 verifies the URL and checks that it is within the expiry period:
    • If it is, then the private object is returned
    • If it is not, then the user receives an Access Denied error

It only takes a couple of lines of code to generate a pre-signed URL and it does not require an API call to S3.

Unlike the approach in your question, the above process does not require the use of Security Token Service (STS) tokens (which need to be linked to IAM Users or IAM Roles). It is designed to be used for applications rather than IAM Users.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
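
An added example (not from the answer, and not the AWS SDK's own code) that models the mechanism described above: `presign` builds a SigV4 query-string pre-signed GET URL with a 5-minute expiry, and `verify` models the check S3 performs when the browser follows it, rejecting both an expired URL and one whose query string has been edited. The credentials, bucket name, object key and timestamps are constructed for the example; in a real app you would call the SDK's `generate_presigned_url` rather than sign by hand.

```python
import datetime, hashlib, hmac
from urllib.parse import parse_qs, quote, urlencode, urlsplit
# Constructed credentials for the example only; they are not real AWS keys.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
ISSUED_AT = datetime.datetime(2020, 4, 26, 6, 5, tzinfo=datetime.timezone.utc)  # constructed
def _signing_key(secret, date):
    # SigV4 key derivation: the secret itself never appears in the URL, only this HMAC chain.
    key = ("AWS4" + secret).encode()
    for part in (date, REGION, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key
def _string_to_sign(host, path, query, amz_date):
    # Canonical request for a presigned GET: only the Host header is signed, payload is unsigned.
    canonical = "\n".join(["GET", path, urlencode(sorted(query.items())),
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, f"{amz_date[:8]}/{REGION}/s3/aws4_request",
                      hashlib.sha256(canonical.encode()).hexdigest()])
def presign(bucket, key, expires, now):
    """Build a SigV4 query-string presigned GET URL valid for `expires` seconds from `now`."""
    host, path = f"{bucket}.s3.amazonaws.com", "/" + quote(key, safe="/")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    query = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
             "X-Amz-Credential": f"{ACCESS_KEY}/{amz_date[:8]}/{REGION}/s3/aws4_request",
             "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    sts = _string_to_sign(host, path, query, amz_date)
    query["X-Amz-Signature"] = hmac.new(_signing_key(SECRET_KEY, amz_date[:8]),
                                        sts.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{urlencode(query)}"
def verify(url, now, secret=SECRET_KEY):
    """Model of S3's check: enforce [X-Amz-Date, X-Amz-Date + X-Amz-Expires), then verify the MAC."""
    u = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    signature = q.pop("X-Amz-Signature", "")
    issued = datetime.datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=datetime.timezone.utc)
    if not issued <= now < issued + datetime.timedelta(seconds=int(q["X-Amz-Expires"])):
        return False  # expired (or not yet valid): the "Access Denied" case from the answer
    expected = hmac.new(_signing_key(secret, q["X-Amz-Date"][:8]),
                        _string_to_sign(u.hostname, u.path, q, q["X-Amz-Date"]).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(signature, expected)  # any edit to the signed query invalidates the URL
def demo():
    url = presign("example-bucket", "photos/cat.jpg", 300, ISSUED_AT)
    later = lambda s: ISSUED_AT + datetime.timedelta(seconds=s)
    return {"url": url, "fresh": verify(url, later(299)), "expired": verify(url, later(300)),
            "tampered": verify(url.replace("X-Amz-Expires=300", "X-Amz-Expires=3000"), later(600)),
            "wrong_secret": verify(url, later(10), secret="not-the-real-secret")}
```

Note that extending the expiry in the URL fails verification even though the time window check would pass, because X-Amz-Expires is part of the signed query string.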