Muhammad Zeeshan

Reputation: 490

User-level permissions on Amazon S3 for a public-read URL

I have uploaded a few files to Amazon S3 with the CannedChannelList set to PublicRead. Remember, only this file has public read permissions, not the whole bucket or folder, and the user will be able to access that file using the given URL. But here is one security concern: a user can manipulate that given URL to access other files in the same or a different folder. Is there any way to require the user to send some authentication key when hitting that URL to read the file, and how can I let users know which authentication key they have to use? I've read about IAM users, but that is for uploading files and all that. I just want some authentication while reading data using the URL.

Data was uploaded by a single admin user; all users sent their data to my server, and I am using that single admin user to upload all of it to S3.

This is the policy I am using for admin user.

import com.amazonaws.auth.policy.Policy;
import com.amazonaws.auth.policy.Principal;
import com.amazonaws.auth.policy.Statement;
import com.amazonaws.auth.policy.actions.S3Actions;
import com.amazonaws.auth.policy.resources.S3ObjectResource;

if (isBucketExist(bucketName)) {
    // Allow any principal (Principal.AllUsers) to call GetObject on every object ("*") in the bucket
    Statement allowPublicReadStatement = new Statement(Statement.Effect.Allow)
            .withPrincipals(Principal.AllUsers)
            .withActions(S3Actions.GetObject)
            .withResources(new S3ObjectResource(bucketName, "*"));
    Policy policy = new Policy().withStatements(allowPublicReadStatement);
    // Attach the policy document to the bucket
    amazonS3.setBucketPolicy(bucketName, policy.toJson());
}

And this is the CannedChannelList used while uploading data:

// The finished object is uploaded with a public-read ACL
InitiateMultipartUploadRequest request = new InitiateMultipartUploadRequest(bucketName, folderName)
        .withCannedACL(CannedAccessControlList.PublicRead);

Upvotes: 0

Views: 469

Answers (1)

Murphy

Reputation: 556

Have you tried using the "s3:GetObject" action in an IAM policy? You can then specify the resource ARN, like "arn:aws:s3:::examplebucket/*", or any specific prefix you want the users to have read access to.

An example IAM policy would look like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListingOfS3",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::bucket-name"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "folder/sub-folder/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInFolder",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/folder/sub-folder/*"
            ]
        }
    ]
}

Upvotes: 1
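The question's bucket policy grants s3:GetObject to Principal.AllUsers on every object in the bucket, while the answer's IAM policy is an identity policy scoped to one prefix and to whoever it is attached to. As an added example (not code from either post), this Python check parses a policy document and reports which public GetObject grants cover a whole bucket; the two sample policies are constructed here to mirror the two posts.

```python
"""Flag S3 policy statements that make objects readable by anyone, and how much they expose."""
import json


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _is_public(principal):
    # Principal "*" or {"AWS": "*"} means anyone, signed request or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _key_pattern(arn):
    # Object-key part of an S3 ARN; "*" alone means every object in the bucket.
    if ":::" not in arn:
        return "*"  # a bare "*" resource covers every bucket and object
    return arn.split(":::", 1)[1].partition("/")[2]


def public_getobject_scopes(policy_json):
    """Return (resource_arn, whole_bucket) for each public s3:GetObject grant.

    Identity (IAM) policies carry no Principal and never show up here: they apply
    only to the users or roles they are attached to, which is the answer's point.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:getobject", "s3:get*", "s3:*", "*"}:
            continue
        for arn in _as_list(stmt.get("Resource", [])):
            findings.append((arn, _key_pattern(arn) == "*"))
    return findings


# Constructed sample: the JSON equivalent of the question's Java bucket policy
# (Principal.AllUsers, S3Actions.GetObject, S3ObjectResource(bucketName, "*")).
BUCKET_POLICY_FROM_QUESTION = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::bucket-name/*"}]})

# Constructed sample: the answer's prefix-scoped IAM policy (identity policy, so no Principal).
IAM_POLICY_FROM_ANSWER = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowAllS3ActionsInFolder", "Effect": "Allow", "Action": ["s3:GetObject"],
    "Resource": ["arn:aws:s3:::bucket-name/folder/sub-folder/*"]}]})

if __name__ == "__main__":
    print(public_getobject_scopes(BUCKET_POLICY_FROM_QUESTION))  # [('arn:aws:s3:::bucket-name/*', True)]
    print(public_getobject_scopes(IAM_POLICY_FROM_ANSWER))       # []
```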
