Ten Digit Grid

Reputation: 2579

How can I make sure I fully secured my AWS S3 Bucket?

I am trying to make sure I have my S3 bucket secure. I need to allow some sort of public access because my website displays the images that are uploaded to my S3 bucket.

My Public Access settings look like this:

[screenshot: Block Public Access settings]

I then set up my Cross-origin resource sharing (CORS) to look like this:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST"
        ],
        "AllowedOrigins": [
            "https://example.com",
            "https://www.example.com"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000
    }
]

And my S3 ACLs look like this:

[screenshot: S3 ACL settings]

After doing this my images are still visible on my website hosted on AWS. My question here is am I missing anything?

I don't think I fully understand the Cross-origin resource sharing (CORS) of this. I assumed the AllowedOrigins tag would only allow the images to be viewed on my domain? So I took the address to one of my images and threw it in my web browser and it loaded. Is this correct behavior or am I misunderstanding this?

Any more suggestions on how to secure my S3 bucket? I basically just want users on my website to be able to view my images and upload images from only my site. Thanks!

Updates

For a more full view, my bucket policy is:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example.com.storage/*"
        }
    ]
}

My ACLs in S3 are configured as:

[screenshot: S3 ACL configuration]

Upvotes: 1

Views: 1046
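The behaviour the question describes (the image URL loads when pasted into the address bar despite AllowedOrigins) follows from CORS being a browser-side rule layered on top of the bucket policy, not an access control. The Python script below is an added example, not code from the question or the answers; it models the two decisions separately using the CORS rules and the anonymous GetObject grant quoted in the question. The helper names (`cors_decision`, `explain`, `METHOD_TO_ACTION`) and the scenario origins are assumptions made for the illustration.

```python
import json
from fnmatch import fnmatchcase

# The CORS configuration from the question, verbatim.
CORS_RULES = json.loads("""
[
    {
        "AllowedHeaders": ["*"],
        "AllowedMethods": ["GET", "PUT", "POST"],
        "AllowedOrigins": ["https://example.com", "https://www.example.com"],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000
    }
]
""")

# Actions the question's bucket policy grants to everyone ("Principal": "*").
ANONYMOUS_ACTIONS = frozenset({"s3:GetObject"})

# Which S3 permission each HTTP method needs (simplified mapping, an assumption
# for this example; real S3 operations map less uniformly).
METHOD_TO_ACTION = {
    "GET": "s3:GetObject", "HEAD": "s3:GetObject",
    "PUT": "s3:PutObject", "POST": "s3:PutObject",
    "DELETE": "s3:DeleteObject",
}


def cors_decision(rules, origin, method):
    """Return the CORS response headers S3 would attach, or None when no rule matches.

    S3 uses the first rule whose AllowedOrigins matches the request's Origin
    header (one '*' wildcard is permitted, e.g. https://*.example.com) and whose
    AllowedMethods contains the method. fnmatchcase is used only for that '*'
    wildcard; origins contain no '?' or '[' so its other metacharacters are inert.
    """
    if origin is None:
        # No Origin header: the browser did not treat this as a cross-origin
        # request (URL typed in the address bar, a plain <img src=...>), so
        # CORS is never consulted at all.
        return None
    for rule in rules:
        if not any(fnmatchcase(origin, pattern) for pattern in rule["AllowedOrigins"]):
            continue
        if method not in rule["AllowedMethods"]:
            continue
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
            "Access-Control-Max-Age": str(rule["MaxAgeSeconds"]),
        }
    return None


def explain(rules, origin, method, anonymous_actions=ANONYMOUS_ACTIONS):
    """Combine the two independent decisions: the bucket policy decides who may
    perform the action at all; CORS only decides whether a browser lets page
    script running on `origin` read the response."""
    action = METHOD_TO_ACTION[method]
    if action not in anonymous_actions:
        # S3 rejects the request before CORS matters, for curl and browsers alike.
        return "403: bucket policy grants no " + action + " to anonymous callers"
    if origin is None:
        return "200: served; no Origin header, so CORS is not consulted"
    if cors_decision(rules, origin, method) is None:
        return "200: served, but the browser withholds the body from scripts on " + origin
    return "200: served and readable by scripts on " + origin


if __name__ == "__main__":
    # Constructed scenarios mirroring the question.
    for origin, method in [(None, "GET"),
                           ("https://example.com", "GET"),
                           ("https://other-site.example", "GET"),
                           ("https://example.com", "PUT")]:
        print(origin, method, "->", explain(CORS_RULES, origin, method))
```

Two things the run makes visible: a request from `https://other-site.example` still receives the object bytes from S3 (CORS only stops that page's script from reading them, and a non-browser client ignores CORS entirely), and a PUT from the site's own origin gets 403 because the policy grants no PutObject, no matter that the CORS rule lists PUT. Restricting who may read is the bucket policy's job; CORS cannot do it.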

Answers (2)

John Rotenstein

Reputation: 269101

You asked "how to secure my S3 bucket?"

Buckets in Amazon S3 are private by default, so they are automatically 'secure'. However, you want to make the objects (eg images) accessible to users on your website, so you need to open sufficient access to permit this (as you have successfully done!).

In fact, the only elements you actually needed were:

  • On "Block Public Access", allow Bucket Policies (Done!)
  • Create a Bucket Policy that grants GetObject to anyone (Done!)

You only need the CORS settings if you are experiencing a particular problem, and there is no need to change the Bucket ACLs from their default values.

The bucket policy is only allowing people to download objects, and only if they know the name of the object. They are not permitted to upload objects, delete objects or even list the objects in the bucket. That's pretty secure!

Your settings are fine for publicly-accessible content that you are happy for anyone to access. If you have any personal or confidential content (eg documents, or items requiring login) then you would need an alternate way of granting access only to appropriately authorized people. However, this doesn't seem to be a requirement in your situation.

Bottom line: You are correctly configured for granting public read-only access to anyone, without providing any additional access. Looks good!

Upvotes: 2

Marcin

Reputation: 238081

Amazon CloudFront (CF) is often used for serving content from S3 buckets without needing the buckets to be public. This way your website would serve your images from CF, rather than directly from the bucket. CF would fetch and cache the images from the bucket privately.

The way it works is that in your bucket, you would set up a special bucket policy which would allow a CF user, called origin access identity (OAI), to access your bucket.

The use of CF and OAI to serve your images from your bucket not only keeps your bucket fully private, but also reduces load times as CF caches the images in its edge locations.

More details on this are in:

Upvotes: 1
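As an added illustration of both answers (this is not code from the question or from either answerer): a small Python checker that reports exactly what the question's bucket policy grants to anonymous principals, which is the point of the first answer, and a builder for the bucket policy that admits only a CloudFront origin access identity, the arrangement the second answer describes. The function names (`anonymous_grants`, `findings`, `oai_policy`) are my own, the OAI ID is a placeholder, and the checker understands only the simple statement shape seen on this page (no Condition, NotPrincipal, NotAction or Deny evaluation).

```python
import json

# The bucket policy from the question, verbatim.
BUCKET_POLICY = json.loads("""
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example.com.storage/*"
        }
    ]
}
""")


def _as_list(value):
    """IAM policy JSON lets a single string stand in for a one-element list."""
    return value if isinstance(value, list) else [value]


def is_anonymous(principal):
    """True when the Principal element means 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_grants(policy):
    """Map each action that an unconditional Allow statement grants to everyone
    onto the resources it covers. Statements with a Condition are skipped: they
    need a full policy evaluator, which this example does not attempt."""
    grants = {}
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        if not is_anonymous(statement.get("Principal")):
            continue
        if "Condition" in statement:
            continue
        for action in _as_list(statement["Action"]):
            grants.setdefault(action, []).extend(_as_list(statement["Resource"]))
    return grants


def findings(policy):
    """Plain-language summary of what anonymous callers can do under the policy."""
    grants = anonymous_grants(policy)
    if not grants:
        return ["no anonymous access at all"]
    out = []
    if "s3:GetObject" in grants or "s3:*" in grants:
        out.append("anyone can read an object if they know its key")
    if "s3:ListBucket" in grants or "s3:*" in grants:
        out.append("anyone can enumerate object keys")
    if any(a in grants for a in ("s3:PutObject", "s3:DeleteObject", "s3:*")):
        out.append("anyone can write or delete objects")
    return out


def oai_policy(bucket, oai_id):
    """Bucket policy that lets only a CloudFront origin access identity read
    objects. `oai_id` is the identity's ID as shown in the CloudFront console;
    every value passed in this example is a placeholder."""
    principal = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity " + oai_id
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::" + bucket + "/*",
        }],
    }


if __name__ == "__main__":
    print("question's policy:", findings(BUCKET_POLICY))
    private = oai_policy("example.com.storage", "EXAMPLE_OAI_ID")  # placeholder OAI ID
    print(json.dumps(private, indent=2))
    print("OAI-only policy:", findings(private))
```

For the question's policy the checker reports only "anyone can read an object if they know its key": no listing, no writes, which is the first answer's conclusion. After swapping in the OAI policy it reports no anonymous access, so the bucket can sit behind CloudFront with Block Public Access fully enabled, as the second answer suggests.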
