Now that we have mostly recovered from the awesomeness of re:Invent, Christmas, and New Year's, it is time to get back to the world of all things Cloud. To ring in the New Year I thought I would start it off with a magic trick. OK, not really magic, but a neat S3 bucket policy trick.
Let me set the stage. Say you have a scenario where you want to allow someone to grab a file from your S3 bucket, and you don't want to hand out a pre-signed URL (because you don't know who else may get it) nor create an IAM user and access keys. I have one sly option for you: use a bucket policy and a shared secret via the IAM condition key aws:UserAgent. Coupled with some of the other AWS-wide condition keys, that makes for some interesting options.
The policy below allows anyone ("Principal": "*") to get a file (s3:GetObject) if they pass the correct User-Agent, come from a specific IP address, and do it before the New Year. Every condition in the block has to hold; if any one of them fails, the request falls through to the implicit deny.
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::new-years-party-invite/*",
    "Condition": {
      "StringEquals": {"aws:UserAgent": "38a1efdae4c283bfd04be248e2ebab18a1258cf814d3e920105ae127e465aeab"},
      "IpAddress": {"aws:SourceIp": "71.178.184.6/32"},
      "DateLessThan": {"aws:CurrentTime": "2019-01-01T00:00:00Z"}
    }
  }
}
On the user end, the recipient could simply use curl, passing the shared secret as the User-Agent with -A, like this:
curl -A "38a1efdae4c283bfd04be248e2ebab18a1258cf814d3e920105ae127e465aeab" https://s3.us-east-1.amazonaws.com/new-years-party-invite/private.invite -O
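To make the three conditions concrete, here is an added Python example (my code, not the author's) that evaluates a request context against the policy above the way IAM combines conditions: every operator/key pair is AND-ed, multiple values under one key are OR-ed, and a missing key or a non-matching value means the statement does not apply and the request gets the implicit deny. It is a deliberate simplification of the real evaluation logic (only these three operators, no identity policies or SCPs); the bucket name, secret, IP and date are the ones from the post, and the request contexts are constructed for the demo.

```python
import ipaddress
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Copy of the bucket policy from the post (values taken from the post, not generated here).
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::new-years-party-invite/*",
    "Condition": {
      "StringEquals": {"aws:UserAgent": "38a1efdae4c283bfd04be248e2ebab18a1258cf814d3e920105ae127e465aeab"},
      "IpAddress": {"aws:SourceIp": "71.178.184.6/32"},
      "DateLessThan": {"aws:CurrentTime": "2019-01-01T00:00:00Z"}
    }
  }
}
""")

SECRET = BUCKET_POLICY["Statement"]["Condition"]["StringEquals"]["aws:UserAgent"]


def _parse_time(value):
    # aws:CurrentTime is an ISO 8601 timestamp in UTC ("Z" suffix).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Condition operators used by the post's policy: (policy value, request value) -> bool.
# StringEquals is case-sensitive; IpAddress is a CIDR match; DateLessThan is strict.
OPERATORS = {
    "StringEquals": lambda wanted, got: got == wanted,
    "IpAddress": lambda wanted, got: ipaddress.ip_address(got)
    in ipaddress.ip_network(wanted, strict=False),
    "DateLessThan": lambda wanted, got: _parse_time(got) < _parse_time(wanted),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """All operator/key pairs must hold (AND); several values for one key are OR-ed.
    A key absent from the request context makes the condition fail."""
    for operator, keys in condition.items():
        test = OPERATORS[operator]
        for key, wanted in keys.items():
            if key not in ctx:
                return False
            if not any(test(w, ctx[key]) for w in _as_list(wanted)):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return "Allow" or "Deny" for one request. Implicit deny unless a statement
    matches on action, resource and condition; an explicit Deny always wins."""
    decision = "Deny"
    for statement in _as_list(policy["Statement"]):
        if not any(fnmatchcase(action, a) for a in _as_list(statement["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"])):
            continue
        if not condition_matches(statement.get("Condition", {}), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def check_download(user_agent, source_ip, current_time,
                   key="arn:aws:s3:::new-years-party-invite/private.invite"):
    """Simulate the curl request from the post: a GetObject with the given context."""
    ctx = {"aws:UserAgent": user_agent,
           "aws:SourceIp": source_ip,
           "aws:CurrentTime": current_time}
    return evaluate(BUCKET_POLICY, "s3:GetObject", key, ctx)


if __name__ == "__main__":
    # Constructed request contexts: only the first one satisfies all three conditions.
    cases = [
        ("right secret, right IP, before midnight", SECRET, "71.178.184.6", "2018-12-31T23:59:59Z"),
        ("default curl User-Agent", "curl/7.64.1", "71.178.184.6", "2018-12-31T23:59:59Z"),
        ("wrong source IP", SECRET, "71.178.184.7", "2018-12-31T23:59:59Z"),
        ("exactly midnight (not less than)", SECRET, "71.178.184.6", "2019-01-01T00:00:00Z"),
    ]
    for label, ua, ip, when in cases:
        print(f"{label:40s} -> {check_download(ua, ip, when)}")
```

One thing worth knowing before relying on this: the User-Agent header is recorded in S3 server access logs and in CloudTrail data events for the bucket, so the "secret" is only as private as those logs, which is one more reason the DateLessThan expiry in the policy matters.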
This example is really meant to show that AWS' permission system can be used in creative ways. I don't claim this S3 trick is the most secure, but it does show you that some creativity can be thrown
By Gabriel Alix