AWS S3 Bucket Policies

  1. By default, an S3 bucket is private: only the account that owns it can read or write it.
  2. This preserves privacy and ownership, but is no help when team members need access or when the bucket hosts content for a website.
  3. Once you have signed in, you can see your AWS S3 buckets here.
  4. Choose one of them, click on the Permissions tab, and then click on Bucket Policy.
  5. Here is a link to example bucket policies from the Official Documentation.

Access for IAM users

  1. To provide access to IAM users, use a statement like this, replacing <account id> with the 12-digit AWS account ID, <user name> with the IAM user name and <bucket name> with the rest of the S3 bucket ARN. An IAM user ARN has the form arn:aws:iam::<account id>:user/<user name>; the form arn:aws:iam::<account id>:root does not name a user but the whole account, and delegates the decision to that account's IAM policies. For users in another AWS account, their own IAM policy must also allow these actions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Grant users full access",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account id>:user/<user name 1>",
          "arn:aws:iam::<account id>:user/<user name 2>"
        ]
      },
        ]
      },
      "Action": [
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:PutObjectAcl"          
      ],
      "Resource": [
        "arn:aws:s3:::<bucket name>",
        "arn:aws:s3:::<bucket name>/*"
      ]
    }
  ]
}

CloudFront access

  1. Sign in and go to AWS CloudFront.
  2. Click on "Security --> Origin access identity"
    1. If the list is empty then click "Create Origin Access Identity" and write a comment like "OAI for my bucket"
    2. Origin Access Identity is the legacy mechanism; for new distributions AWS now recommends Origin Access Control (OAC), which is granted with a "Service": "cloudfront.amazonaws.com" principal rather than a canonical user. The steps below apply to existing OAIs.
  3. In the "Amazon S3 Canonical User ID" column, click on the 64-character hexadecimal value and copy it to the clipboard.
  4. To provide access to CloudFront, use a statement like this, replacing <64-digit-alphanumeric-value> with the value in the clipboard and <bucket name> with the rest of the S3 bucket ARN. s3:ListBucket is optional here: with it, a request for a missing key returns 404 instead of 403, and a request for the bucket root returns a key listing unless the distribution sets a default root object; without it, every miss is a 403:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Grant a CloudFront Origin Identity access to support private content",
      "Effect": "Allow",
      "Principal": {
        "CanonicalUser": "<64-digit-alphanumeric-value>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket name>",
        "arn:aws:s3:::<bucket name>/*"
      ]
    }
  ]
}

Public read only access

  1. To provide public read-only access. This statement only takes effect once the bucket's Block Public Access settings are turned off, and it makes every object readable by anyone directly from S3, bypassing the CloudFront identity above, so use it only for content that is meant to be public:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Grant PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::unusualreality.com",
        "arn:aws:s3:::unusualreality.com/*"
      ]
    }
  ]
}

Multiple Policies

  1. Note that "Statement" is an array, and a single bucket policy can contain multiple statements, for example:
    1. One for IAM users,
    2. Another for CloudFront access
    3. And one more for public read-only access
  2. The statements are evaluated together: the public read statement makes the s3:GetObject grants in the other two redundant, and an explicit Deny in any statement overrides every Allow.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Grant users full access",
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<account id>:user/<user name 1>",
          "arn:aws:iam::<account id>:user/<user name 2>"
        ]
      },
        ]
      },
      "Action": [
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketLocation",
        "s3:PutObject",
        "s3:PutObjectAcl"          
      ],
      "Resource": [
        "arn:aws:s3:::<bucket name>",
        "arn:aws:s3:::<bucket name>/*"
      ]
    },
    {
      "Sid": "Grant a CloudFront Origin Identity access to support private content",
      "Effect": "Allow",
      "Principal": {
        "CanonicalUser": "<64-digit-alphanumeric-value>"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket name>",
        "arn:aws:s3:::<bucket name>/*"
      ]
    },
    {
      "Sid": "Grant PublicReadGetObject",
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::unusualreality.com",
        "arn:aws:s3:::unusualreality.com/*"
      ]
    }
  ]
}
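The following is an added example, not code from this page or from AWS. It automates the review points made about the three statements above (an account-root principal where a user was intended, s3:ListBucket handed to the CloudFront identity, an unconditioned anonymous principal) and also flags public write or listing when a policy allows it. The sample policy is constructed from the combined policy above with assumed values: account ID 111122223333, bucket "example-bucket", a fake canonical user ID, and one ":root" principal left in on purpose.

```python
"""Offline audit of an S3 bucket policy document.

Added example for this page, not AWS code. It automates the review points a
practitioner makes on the policies above: account-root principals in the IAM
statement, ListBucket handed to the CloudFront identity, and an unconditioned
anonymous principal in the public statement, plus public write or listing.
"""

# Constructed sample: the page's combined policy with placeholders filled in.
# Assumed values: account ID 111122223333, bucket "example-bucket", a fake
# canonical user ID, and one ":root" principal left in on purpose.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Grant users full access",
            "Effect": "Allow",
            "Principal": {"AWS": ["arn:aws:iam::111122223333:root",
                                  "arn:aws:iam::111122223333:user/alice"]},
            "Action": ["s3:DeleteObject", "s3:ListBucket", "s3:GetObject",
                       "s3:GetObjectVersion", "s3:GetBucketLocation",
                       "s3:PutObject", "s3:PutObjectAcl"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "Grant a CloudFront Origin Identity access to support private content",
            "Effect": "Allow",
            "Principal": {"CanonicalUser": "0" * 64},
            "Action": ["s3:ListBucket", "s3:GetObject", "s3:GetObjectVersion", "s3:GetBucketLocation"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "Grant PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-bucket/*"],
        },
    ],
}

# Actions that change data or permissions; any of these open to "*" is a public write.
WRITE_ACTIONS = ("s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject",
                 "s3:DeleteObjectVersion", "s3:PutBucketPolicy", "s3:PutBucketAcl")


def _as_list(value):
    """IAM accepts a bare string wherever it accepts a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """AWS-type principal entries of a statement; a bare "*" is the anonymous principal."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _grants(actions, wanted):
    """True if any action entry covers `wanted`, honouring IAM's trailing-* wildcards."""
    for action in actions:
        if action in ("*", "s3:*"):
            return True
        if action.endswith("*") and wanted.lower().startswith(action[:-1].lower()):
            return True
        if action.lower() == wanted.lower():
            return True
    return False


def audit_bucket_policy(policy):
    """Return (sid, code, message) findings for every Allow statement in `policy`."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        actions = _as_list(stmt.get("Action"))
        if "*" in _aws_principals(principal):
            if "Condition" not in stmt:
                findings.append((sid, "PUBLIC", "anonymous principal with no Condition; only takes effect if Block Public Access is off"))
            if any(_grants(actions, w) for w in WRITE_ACTIONS):
                findings.append((sid, "PUBLIC_WRITE", "anyone can write or delete objects or change ACLs"))
            if _grants(actions, "s3:ListBucket"):
                findings.append((sid, "PUBLIC_LISTING", "anyone can enumerate every key in the bucket"))
        for arn in _aws_principals(principal):
            if arn.endswith(":root"):
                findings.append((sid, "ACCOUNT_ROOT", f"{arn} delegates to every IAM identity in that account, not to one user"))
        if isinstance(principal, dict) and "CanonicalUser" in principal and _grants(actions, "s3:ListBucket"):
            findings.append((sid, "CDN_LISTBUCKET", "CloudFront identity can list the bucket: missing keys return 404 instead of 403 and the bucket root serves a key listing unless a default root object is set"))
    return findings


if __name__ == "__main__":
    for sid, code, message in audit_bucket_policy(SAMPLE_POLICY):
        print(f"[{code}] {sid}: {message}")
```

Run it against a policy exported with `aws s3api get-bucket-policy` (the `Policy` field is a JSON string) before applying changes; the checks are deliberately simple and do not evaluate Condition blocks or the account's Block Public Access settings, so a clean run is a starting point, not a proof.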

CORS Policies

  1. By default, a bucket has no CORS configuration, so add one similar to this. The XML form below is what the REST API and the older console accept; the current console takes the same rules as JSON. Header names must be spelled exactly, because a preflight request that names a header no AllowedHeader covers is refused outright:
<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>https://unusualreality.com</AllowedOrigin>
        <AllowedOrigin>http://unusualreality.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>HEAD</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
</CORSConfiguration>
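The following is an added example, not code from this page or from AWS. It parses a CORS configuration in the XML form used above and applies S3's rule matching (the first CORSRule whose AllowedOrigin, AllowedMethod and every requested header all match wins) so a configuration can be checked offline before it is uploaded. The configuration string is the page's rule with the header name spelled correctly; the request origins, methods and headers it is tested against are constructed.

```python
"""Evaluate an S3 CORS configuration against browser preflight requests, offline.

Added example for this page, not AWS code. It parses the XML form shown above
and applies S3's rule matching (first CORSRule whose AllowedOrigin, AllowedMethod
and every AllowedHeader match wins) so you can check a configuration before
uploading it. The request values used with it are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: the page's configuration with the header name spelled correctly.
CORS_XML = """<CORSConfiguration>
    <CORSRule>
        <AllowedOrigin>https://unusualreality.com</AllowedOrigin>
        <AllowedOrigin>http://unusualreality.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>HEAD</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>Authorization</AllowedHeader>
    </CORSRule>
</CORSConfiguration>"""


def _local(tag):
    """Strip the XML namespace S3 adds when it returns a configuration (GetBucketCors)."""
    return tag.rsplit("}", 1)[-1]


def _texts(element, name):
    """Text of every direct child element named `name`, whitespace stripped."""
    return [(child.text or "").strip() for child in element if _local(child.tag) == name]


def parse_cors(xml_text):
    """Parse a CORSConfiguration document into a list of rule dicts, in document order."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "CORSConfiguration":
        raise ValueError("not a CORSConfiguration document")
    rules = []
    for rule in root:
        if _local(rule.tag) != "CORSRule":
            continue
        max_age = _texts(rule, "MaxAgeSeconds")
        rules.append({
            "origins": _texts(rule, "AllowedOrigin"),
            "methods": [m.upper() for m in _texts(rule, "AllowedMethod")],
            # HTTP header names are case-insensitive, so compare them lowercased
            "headers": [h.lower() for h in _texts(rule, "AllowedHeader")],
            "expose": _texts(rule, "ExposeHeader"),
            "max_age": int(max_age[0]) if max_age else None,
        })
    return rules


def pattern_matches(pattern, value):
    """S3 allows at most one '*' in an AllowedOrigin or AllowedHeader; treat it as a wildcard."""
    if "*" not in pattern:
        return pattern == value
    prefix, suffix = pattern.split("*", 1)
    return (len(value) >= len(prefix) + len(suffix)
            and value.startswith(prefix) and value.endswith(suffix))


def preflight(rules, origin, method, request_headers=()):
    """Response headers S3 would send for an OPTIONS preflight, or None if no rule matches."""
    method = method.upper()
    wanted = [h.strip() for h in request_headers if h.strip()]
    for rule in rules:
        matched_origin = next((o for o in rule["origins"] if pattern_matches(o, origin)), None)
        if matched_origin is None or method not in rule["methods"]:
            continue
        # One requested header that no AllowedHeader covers refuses the whole preflight.
        if not all(any(pattern_matches(p, h.lower()) for p in rule["headers"]) for h in wanted):
            continue
        response = {
            "Access-Control-Allow-Origin": "*" if matched_origin == "*" else origin,
            "Access-Control-Allow-Methods": ", ".join(rule["methods"]),
        }
        if wanted:
            response["Access-Control-Allow-Headers"] = ", ".join(wanted)
        if rule["expose"]:
            response["Access-Control-Expose-Headers"] = ", ".join(rule["expose"])
        if rule["max_age"] is not None:
            response["Access-Control-Max-Age"] = str(rule["max_age"])
        return response
    return None


if __name__ == "__main__":
    rules = parse_cors(CORS_XML)
    print(preflight(rules, "https://unusualreality.com", "GET", ["Authorization"]))
    print(preflight(rules, "https://attacker.example", "GET"))
```

The same parser accepts the document returned by `aws s3api get-bucket-cors` once it is wrapped back in a `CORSConfiguration` element, so it can be used to compare what is deployed with what was intended. Feeding it the original configuration with the misspelled header shows the failure mode directly: a request that sends `Authorization` matches no rule and the browser blocks it.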

CORS Origin Header

  1. Sign in and go to AWS CloudFront.
  2. Select the "Distribution" that should forward the CORS Origin header and click "Distribution Settings"
  3. Go to the "Behaviors" tab, select the Behavior and click "Edit"
  4. In "Cache Based on Selected Request Headers" change the setting to "Whitelist"
  5. If it is not already there, add "Origin" to the whitelisted headers box.
  6. This is needed for two reasons: without it CloudFront drops the Origin header before contacting S3, so S3 never adds the CORS response headers; and CloudFront caches per whitelisted header value, so a response cached for one origin is not served to another. In the current console the same setting is made in the behavior's cache policy by including the Origin header in the cache key.