
Simple Storage Service on Amazon Web Services setup

Instructions

Fork and clone this repository.

Read over all the instructions before proceeding.

Follow the steps outlined to create an AWS S3 bucket and gain programmatic access to it.

Prerequisites

  • An AWS (Amazon Web Services) account

If you do not have an account, open AWS and click Sign In to the Console. Amazon provides a free tier, with some limitations, for twelve months after you sign up for an AWS account.

Motivation

Storing large static files is a common need for a web application. Accepting image uploads from authorized users but allowing public read access is a frequent example.

AWS provides a variety of APIs, one of which is easily used for this purpose. This guide helps ensure access to these APIs is restricted.

Why is this important?

Using any metered API has financial risks. Using many APIs may have data risks (information loss or exposure).

Using restrictive access control with AWS ensures that even if an identity is compromised, the actual risks, financial and otherwise, are limited.

AWS S3 access control

  1. Open the AWS Console in your browser.
  2. From the AWS Console, open tabs for IAM (Identity and Access Management) and S3 (Simple Storage Service).

Identity and Access Management (IAM)

Identities are how we grant access to AWS APIs.

In the IAM tab:

  1. Select Users in the left sidebar.
  2. Click Create New Users near the top of the page.
  3. Enter wdi-upload into box 1.
  4. Make sure Generate an access key for each user is checked.
  5. Click Create.
  6. Click Download Credentials.
  7. Save the file credentials.csv to this repository.
  8. Click Close.
  9. Click on the newly created user.
  10. Copy the User ARN (Amazon Resource Name) and save it in arn.txt.

We'll need the User ARN to grant access to an S3 bucket we'll use for uploads. We'll also need an Access Key (Access Key Id and Secret Access Key) for this IAM User to upload files via the S3 API. The Access Key is contained in credentials.csv.

Note well: credentials.csv contains secrets! Do not share them or store them in git. The .gitignore in this repository explicitly ignores this file.

Simple Storage Service (S3)

S3 stores the files you upload in buckets. A bucket is a top-level namespace for your files.

In the S3 tab:

  1. Click Create Bucket. This opens the Create a Bucket - Select a Bucket Name and Region modal.

  2. Enter a name in the Bucket Name box. It must be unique among all S3 buckets.

  3. Select US Standard for the Region.

  4. Click Create.

  5. Make sure the bucket and Properties are selected.

  6. Open the Permissions dropdown in the right sidebar.

  7. Click Add bucket policy near the bottom of the Permissions dropdown.

  8. At the bottom of the Bucket Policy Editor modal, click AWS Policy Generator. This opens the AWS Policy Generator page.

  9. On the AWS Policy Generator page:

    1. Step 1: Select Policy Type

      1. For Select Type of Policy use S3 Bucket Policy.
    2. Step 2: Add Statement(s)

      1. Select Allow for Effect.
      2. Paste the User ARN into the Principal box.
      3. Select PutObject and PutObjectAcl for Actions.
      4. Enter arn:aws:s3:::<bucket_name>/* into the Amazon Resource Name (ARN) box.
      5. Click Add Statement.
    3. Step 3: Generate Policy

      1. Click Generate Policy.
      2. Copy the JSON from the Policy JSON Document modal.
  10. Return to the S3 tab.

  11. Paste the bucket policy into the Bucket Policy Editor modal.

  12. Click Save.

  13. Click Save in the Permissions dropdown.

You have now created and granted access to an S3 bucket.

These steps limit upload access to one bucket for the identity wdi-upload.

This is one specific and restrictive way of implementing access control. AWS provides many different mechanisms to grant and restrict access.

Example bucket policy JSON

{
  "Version": "2012-10-17",
  "Id": "Policy1439826519004",
  "Statement": [
    {
      "Sid": "Stmt1439826516658",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AWS Account Id>:user/<IAM User Name>"
      },
      "Action": [
        "s3:PutObjectAcl",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::<bucket_name>/<key_name>"
    }
  ]
}
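As an added example (not part of this repository), the Python below builds the same upload-only bucket policy from a User ARN and bucket name, and lints any bucket policy to confirm each Allow statement is scoped to a single IAM user, the two PutObject actions and one bucket. It goes a little beyond the steps above by also flagging the overly broad settings (Principal "*", "s3:*", Resource "*") that the generator would happily accept; the account id and bucket name used in the test are constructed placeholders, and no AWS call is made.

```python
import re

# Added example (not the repository's code). IAM user ARN shape:
# arn:aws:iam::<12-digit account id>:user/<user name>
USER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@-]+$")
# The only actions the upload identity needs, exactly as selected in the generator.
UPLOAD_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl")

def build_upload_policy(user_arn, bucket_name):
    """Return the bucket policy granting one IAM user upload-only access to one bucket."""
    if not USER_ARN_RE.match(user_arn):
        raise ValueError("not an IAM user ARN: %r" % user_arn)
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSingleUserUploads",
            "Effect": "Allow",
            "Principal": {"AWS": user_arn},
            "Action": list(UPLOAD_ACTIONS),
            "Resource": "arn:aws:s3:::%s/*" % bucket_name,
        }],
    }

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def policy_findings(policy, bucket_name):
    """Lint a bucket policy; an empty list means every Allow is scoped as intended."""
    findings = []
    bucket_prefix = "arn:aws:s3:::%s/" % bucket_name
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only tighten access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        for p in aws:
            if p == "*":
                findings.append("%s: Principal * grants anonymous access" % sid)
            elif not USER_ARN_RE.match(p):
                findings.append("%s: principal %s is not a single IAM user" % (sid, p))
        for action in _as_list(stmt.get("Action", [])):
            if action not in UPLOAD_ACTIONS:  # catches "*", "s3:*", s3:GetObject, ...
                findings.append("%s: action %s exceeds upload-only access" % (sid, action))
        for res in _as_list(stmt.get("Resource", [])):
            if not res.startswith(bucket_prefix):  # catches "*" and other buckets
                findings.append("%s: resource %s is outside bucket %s" % (sid, res, bucket_name))
    return findings
```

Run policy_findings over the JSON you paste into the Bucket Policy Editor before saving; any finding means the policy grants more than the wdi-upload identity needs.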

Checklist

  • Create (or select) an AWS Identity.
  • Create and download credentials for this identity.
  • Create an S3 bucket.
  • Create a bucket policy.

Source code distributed under the MIT license. Text and other assets copyright General Assembly, Inc., all rights reserved.