A few weeks ago we had to put some hundred GBs of sensitive data (mostly large video files) in a shared space in order to keep a backup copy and deliver it to recipients. We were looking for a lot of encrypted space, accessible from everywhere, with strong access control and able to log every operation. Amazon S3 seemed very interesting, so we decided to try it.

When you create a new bucket you can choose to activate logging on it. Logging: OK!
Data encryption is possible during upload. Encryption: OK!
Access control on buckets isn’t so easy. You must use policies.

To define permissions for a user with Amazon AWS IAM (Identity and Access Management) you create a group, create one or more users and assign them to the group, then choose a policy for the group.

Policies aren’t easy to define and the complete documentation is huge. They are a set of statements which define what you can and can’t do on AWS resources. Using the policy below you can set up mybucket for read/write access.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "arn:aws:s3:::mybucket",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*",
      "Condition": {}
    }
  ]
}
```

The problem with the policy above is the last statement.

If you want to access S3 with a generic client (like a modern FTP client) you have to allow listing all your buckets, because the first operation a generic client performs is a directory listing. This is bad news, because if you have a publicly accessible bucket, people can see all its contents. Probably you don’t use S3 just to share files. Probably you use S3 as a CDN (I do), and probably you don’t want to show ALL contents to others. So far I haven’t been able to find any way to fix this behavior…
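To see exactly which statement reaches beyond mybucket, here is an added example (not from the post) that evaluates a request against a copy of the post's policy using simplified IAM logic: an explicit Deny wins, then any matching Allow, otherwise implicit deny. It assumes no Condition, NotAction or NotResource elements, and the helper names are my own.

```python
import fnmatch
import json

# Constructed copy of the post's policy (same statements, abbreviated action lists).
POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads"],
     "Resource": "arn:aws:s3:::mybucket"},
    {"Effect": "Allow",
     "Action": ["s3:AbortMultipartUpload", "s3:DeleteObject", "s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::mybucket/*"},
    {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    # Action and Resource may be a single string or a list in IAM policy JSON.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM treats '*' and '?' in Action/Resource as wildcards; fnmatch does the same
    # ('*' is not path-aware, so "mybucket/*" matches nested keys as IAM does).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _statement_matches(stmt, action, resource):
    return (_matches(stmt.get("Action", []), action)
            and _matches(stmt.get("Resource", []), resource))


def is_allowed(policy, action, resource):
    """Simplified evaluation (assumption: no Condition/NotAction/NotResource elements).
    Any matching Deny returns False; otherwise True only if some Allow matches."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def statements_granting(policy, action, resource):
    """Indexes of Allow statements matching the request: shows which statement is over-broad."""
    return [i for i, s in enumerate(policy["Statement"])
            if s["Effect"] == "Allow" and _statement_matches(s, action, resource)]
```

Running the checks shows that only the third statement grants s3:ListAllMyBuckets, and that dropping it leaves the bucket-scoped access intact while removing the account-wide listing.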