Securing Access to S3 Objects for Your External Website

Most Secure Access to S3 Objects for Your External Website

Question

Your company has an external website.

This website needs to access the objects in an S3 bucket.

Which of the following would allow the website to access the objects most securely?

Explanations


Answer: B.

Option A is incorrect because granting public access is not a secure way to provide specific access to the external website.

Public access will allow anybody from the internet to access the S3 bucket objects.

Option B is CORRECT because, to allow read access to these objects from your website, you can add a bucket policy that allows the s3:GetObject operation with a condition, using the aws:Referer key, that the GET request must originate from specific web pages.

Option C is incorrect because aws:sites is not a valid condition key for a bucket policy.

Option D is incorrect because IAM roles are assigned to AWS services and not to the external websites.

Example bucket policy for option B (the "http referer policy example"):

{
  "Version": "2012-10-17",
  "Id": "http referer policy example",
  "Statement": [
    {
      "Sid": "Allow get requests originating from www.example.com and example.com.",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::awsexamplebucket1/*",
      "Condition": {
        "StringLike": {"aws:Referer": ["http://www.example.com/*", "http://example.com/*"]}
      }
    }
  ]
}

For more information on example bucket policies, kindly refer to the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
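As an added illustration (not part of the original question, and not AWS code), the following Python evaluator applies the policy's StringLike aws:Referer condition to a few constructed requests, using IAM's wildcard rules (* and ?, case-sensitive). The sample requests and function names are assumptions made for this example.

```python
import re

# Patterns copied from the bucket policy's aws:Referer condition above.
REFERER_PATTERNS = ["http://www.example.com/*", "http://example.com/*"]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive match where '*' matches any run of
    characters and '?' matches exactly one; everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def get_object_allowed(headers: dict, patterns=REFERER_PATTERNS) -> bool:
    """Evaluate the Allow statement's Condition for one request.

    aws:Referer is filled from the client-supplied Referer header, so the
    policy only ever sees what the client chose to send. If the header is
    absent the condition key is missing, the condition is false, and this
    Allow statement does not apply (S3 falls back to default deny).
    """
    referer = headers.get("Referer")
    if referer is None:
        return False
    return any(string_like(p, referer) for p in patterns)


# Constructed sample requests (assumed values, not from the original page).
SAMPLE_REQUESTS = {
    "from_site": {"Referer": "http://www.example.com/index.html"},
    "from_apex": {"Referer": "http://example.com/gallery/1.jpg"},
    "https_site": {"Referer": "https://www.example.com/index.html"},  # scheme mismatch
    "other_site": {"Referer": "http://other-site.example.net/page"},
    "direct": {},  # typed URL or curl without a Referer header
}


def evaluate_all(requests=SAMPLE_REQUESTS) -> dict:
    """Return {request name: allowed?} for every sample request."""
    return {name: get_object_allowed(h) for name, h in requests.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_all().items():
        print(f"{name:12s} -> {'Allow' if allowed else 'Deny'}")
```

Note that the https_site request is denied only because the page's patterns list http:// URLs; a site served over HTTPS would need https:// patterns in the condition.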

The most secure way for a website to access objects in an S3 bucket would be option D, "Grant a role that can be assumed by the website."

Explanation:

A. Granting public access for the bucket via the bucket policy is not secure, as it allows anyone to access the objects in the bucket. This option would violate the principle of least privilege and would expose your data to the public internet. This option should be avoided.

B. Using the aws:Referer key in the condition clause of the bucket policy restricts access based on the referring domain of the request. However, it is not a recommended solution, as the Referer header can be easily spoofed, which makes it susceptible to attacks.

C. Using the aws:sites key in the condition clause of the bucket policy restricts access based on the domain name of the request. However, this option is not recommended, as it has the same limitations as the Referer header, and it requires the website owner to have full control over the domain.

D. Granting a role that can be assumed by the website is the most secure option, as it allows the website to access the objects in the S3 bucket with specific permissions granted to the role. The website can assume the role and access the objects securely without exposing any sensitive data to the public internet.

In conclusion, option D is the best and most secure solution, and it follows the principle of least privilege.