Digital Age Experts, LLC

An S3 Magic Trick

Now that we have mostly recovered from the awesomeness of re:Invent, Christmas, and New Year's, it is time to get back to the world of all things Cloud. To ring in the New Year, I thought I would start it off with a magic trick. OK, not really magic, but a neat S3 bucket policy trick.

Let me set the stage. Say you have a scenario where you want to allow someone to grab a file from your S3 bucket, but you don't want to hand out a pre-signed URL (because you don't know who else may get it) nor create an IAM user and keys. I have one sly option for you: use a bucket policy and a shared secret via the IAM global condition key aws:UserAgent. Coupled with some other AWS-wide conditions, that makes for some interesting options.

The policy below allows anyone ("Principal": "*") to get an object (s3:GetObject) if the request carries the correct User-Agent value, comes from a specific IP address, and is made before the New Year. All three conditions must hold for the same request.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::new-years-party-invite/*",
    "Condition": {
      "StringEquals": {"aws:UserAgent": "38a1efdae4c283bfd04be248e2ebab18a1258cf814d3e920105ae127e465aeab"},
      "IpAddress": {"aws:SourceIp": "71.178.184.6/32"},
      "DateLessThan": {"aws:CurrentTime": "2019-01-01T00:00:00Z"}
    }
  }
}

On the user end, they could simply use curl with the shared secret as the User-Agent (-A) like this:

curl -A "38a1efdae4c283bfd04be248e2ebab18a1258cf814d3e920105ae127e465aeab" https://s3.us-east-1.amazonaws.com/new-years-party-invite/private.invite -O
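To see which requests the policy above actually admits before deploying it, here is an added example (not code from the post or from AWS) that models the three condition operators the policy uses, StringEquals, IpAddress and DateLessThan, and combines them the way IAM does: every condition must hold, an explicit Deny beats Allow. It is a deliberately small model, not the real IAM engine, and it skips Principal matching because the post's policy uses "*". The policy text is the one from the post; the request contexts, the object key private.invite and the helper make_shared_secret are constructed for the example.

```python
import ipaddress
import json
import secrets
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# The bucket policy from the post, copied verbatim.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::new-years-party-invite/*",
    "Condition": {
      "StringEquals": {"aws:UserAgent": "38a1efdae4c283bfd04be248e2ebab18a1258cf814d3e920105ae127e465aeab"},
      "IpAddress": {"aws:SourceIp": "71.178.184.6/32"},
      "DateLessThan": {"aws:CurrentTime": "2019-01-01T00:00:00Z"}
    }
  }
}
""")

SECRET = POLICY["Statement"]["Condition"]["StringEquals"]["aws:UserAgent"]
OBJECT_ARN = "arn:aws:s3:::new-years-party-invite/private.invite"   # constructed object key


def make_shared_secret() -> str:
    """Mint a fresh 64-hex-character secret (32 random bytes), the same shape as
    the value in the post. Rotating it means updating the bucket policy."""
    return secrets.token_hex(32)


def _parse_time(value):
    """Accept an aware datetime or the 'YYYY-MM-DDTHH:MM:SSZ' form the policy uses."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(operator, key, expected, ctx) -> bool:
    """Evaluate one condition key against the request context.
    A key absent from the context fails the condition, as in IAM."""
    actual = ctx.get(key)
    if actual is None:
        return False
    if operator == "StringEquals":
        # Constant-time compare: the right habit for any code of ours that checks a shared secret.
        return secrets.compare_digest(str(actual), str(expected))
    if operator == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    if operator == "DateLessThan":
        return _parse_time(actual) < _parse_time(expected)
    raise ValueError(f"operator {operator} not modelled in this example")


def request_allowed(policy, action, resource, ctx) -> bool:
    """Simplified evaluation: a statement applies when action and resource match
    and every condition holds; an applicable Deny wins over any Allow."""
    statements = policy["Statement"]
    if isinstance(statements, dict):          # IAM accepts a bare object or a list
        statements = [statements]
    verdict = False
    for stmt in statements:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatchcase(resource, r) for r in resources):
            continue
        conditions = stmt.get("Condition", {})
        if not all(_condition_holds(op, k, v, ctx)
                   for op, pairs in conditions.items() for k, v in pairs.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        verdict = True
    return verdict


# Constructed request contexts: the curl call from the post, then one thing wrong each time.
GOOD = {"aws:UserAgent": SECRET, "aws:SourceIp": "71.178.184.6",
        "aws:CurrentTime": "2018-12-31T22:00:00Z"}
WRONG_UA = dict(GOOD, **{"aws:UserAgent": "curl/7.64.0"})
WRONG_IP = dict(GOOD, **{"aws:SourceIp": "203.0.113.9"})
TOO_LATE = dict(GOOD, **{"aws:CurrentTime": "2019-01-01T00:00:00Z"})   # DateLessThan is strict

if __name__ == "__main__":
    for name, ctx in [("good", GOOD), ("wrong_ua", WRONG_UA), ("wrong_ip", WRONG_IP), ("too_late", TOO_LATE)]:
        result = request_allowed(POLICY, "s3:GetObject", OBJECT_ARN, ctx)
        print(f"{name:9s} -> {'ALLOW' if result else 'DENY'}")
```

Running it prints ALLOW only for the first context. Two points worth keeping in mind when you use this pattern for real: the User-Agent is a plain request header, so anyone who learns the value can send it, which is why the source IP and expiry conditions carry most of the weight; and because S3 server access logs and CloudTrail data events both record the user agent and source IP, you can review who actually used the secret and remove or rotate it by editing the policy.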

This example is really meant to show that AWS's permission system can be used in creative ways. I don't claim this S3 trick is the most secure, but it does show that some creativity can be thrown into your policy creations to solve interesting problems.

By Gabriel Alix
