AWS S3 Bucket – Secure File Sharing

In this blog post, we will create an S3 bucket with a policy that only allows access to a specific folder in the bucket, and only from a specific IP address.

The Main Advantages of this service:

  • Unlimited storage
  • Low Cost
  • Ability to transfer data to Cold/Archive Storage
  • Limit Access by IP and Folder
  • Have backup/redundancy
  • Can be created in any region.

Disadvantages

  • Hard to manage users
  • Requires basic knowledge of JSON and AWS
  • Limited to specific SFTP clients that support S3 buckets

Let's start. First, let's create the S3 bucket.

To create a bucket

  1. Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
  2. Choose Create bucket.
  3. In Bucket name, enter a DNS-compliant name for your bucket. The bucket name must:
    • Be unique across all of Amazon S3.
    • Be between 3 and 63 characters long.
    • Not contain uppercase characters.
    • Start with a lowercase letter or number.
    After you create the bucket, you can’t change its name. For information about naming buckets, see Rules for bucket naming in the Amazon Simple Storage Service Developer Guide. Important: avoid including sensitive information, such as account numbers, in the bucket name. The bucket name is visible in the URLs that point to the objects in the bucket.
  4. In Region, choose the AWS Region where you want the bucket to reside. Choose a Region close to you to minimize latency and costs and address regulatory requirements. Objects stored in a Region never leave that Region unless you explicitly transfer them to another Region. For a list of Amazon S3 AWS Regions, see AWS service endpoints in the Amazon Web Services General Reference.
  5. In Bucket settings for Block Public Access, choose the Block Public Access settings that you want to apply to the bucket. (Leave all settings enabled; access will be granted to a specific IAM user, not to the public.)
  6. After the bucket is created, open it and create a folder named Home. Inside Home, create two more folders: one named Devops and the other IT.

Now let's create the IAM policy

To create your own IAM policy

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. Choose Policies, and then choose Create Policy. If a Get Started button appears, choose it, and then choose Create Policy.
  3. On the Create policy page, select the JSON tab and paste the policy below. (Don’t forget to replace <Bucketname> and <YourpublicIP> in the JSON with your actual bucket name and the public IP address you connect from; aws:SourceIp takes a single address such as 203.0.113.5/32 or a CIDR range.)
  4. Click Review policy, give the policy a name, and click Create policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUsersToAccessFolder2Only",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject*",
                "s3:PutObject*"
            ],
            "Resource": [
                "arn:aws:s3:::<Bucketname>/Home/Devops/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<Bucketname>"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "Home/Devops/*"
                    ]
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "<YourpublicIP>"
                    ]
                },
                "Bool": {
                    "aws:ViaAWSService": "false"
                }
            }
        }
    ]
}
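As an added example (not from the post), here is a small stdlib-only Python script that builds the policy above from a bucket name and an IP, and then checks which requests it would allow under a simplified IAM model (an explicit Deny beats any Allow, all conditions in a statement must match, and the default is deny). The function names build_policy and is_allowed are my own, and the IPs in the comments are constructed documentation addresses.

```python
import fnmatch
import ipaddress

def build_policy(bucket, allowed_cidr):
    """Return the post's policy with <Bucketname> and <YourpublicIP> filled in."""
    ipaddress.ip_network(allowed_cidr)  # rejects a malformed IP/CIDR early
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowUsersToAccessFolder2Only", "Effect": "Allow",
         "Action": ["s3:GetObject*", "s3:PutObject*"],
         "Resource": [f"arn:aws:s3:::{bucket}/Home/Devops/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"],
         "Condition": {"StringLike": {"s3:prefix": ["Home/Devops/*"]}}},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": [allowed_cidr]},
                       "Bool": {"aws:ViaAWSService": "false"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM '*' matches any run of characters, including '/'; fnmatch does the same
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

_OPS = {  # condition operators used by this policy (simplified IAM semantics)
    "StringLike": lambda have, want: _matches(want, have),
    "Bool": lambda have, want: str(have).lower() == want[0].lower(),
    "NotIpAddress": lambda have, want: not any(
        ipaddress.ip_address(have) in ipaddress.ip_network(n) for n in want),
}

def _conditions_hold(cond, ctx):
    # Every operator/key pair must match; a key missing from the request context fails.
    return all(ctx.get(key) is not None and _OPS[op](ctx[key], _as_list(want))
               for op, keys in cond.items() for key, want in keys.items())

def is_allowed(policy, action, resource, ctx):
    """Explicit Deny wins over Allow; with no matching Allow the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False  # e.g. request from 198.51.100.7 when 203.0.113.5/32 is allowed
        allowed = True
    return allowed
```

The request context (ctx) carries the same keys IAM would see: aws:SourceIp, aws:ViaAWSService and, for ListBucket, s3:prefix; a ListBucket call without a prefix (what a client does when it opens the bucket root) is refused, which is why the WinSCP session must start inside Home/Devops.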

After creating the policy, let's create an IAM user and attach the new policy to it.

Creating IAM users (console)

You can use the AWS Management Console to create IAM users.

To create one or more IAM users (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
  2. In the navigation pane, choose Users and then choose Add user.
  3. Type the user name for the new user.
  4. Select the type of access this user will have. We will select Programmatic access.

Type the name of the policy that you previously created to attach it to the user.

Click Next and create the user.

Save the access key ID and secret access key in a secure location; we will use them to connect to our bucket. The secret access key is shown only once, at creation time.

That's it! Let's now connect to our S3 bucket.

  1. Download WinSCP.
  2. Set File protocol to Amazon S3.
  3. Click Advanced and set the remote directory to the Devops folder, e.g. /<Bucketname>/Home/Devops/ (the policy does not allow listing the bucket root, so the session must start inside the allowed folder).
  4. Enter the access key ID and secret access key, and click Login.
