1
votes

I'm setting up a public S3-based website and I want to deny direct access to my S3 bucket for users beyond my CloudFront distribution. At the same time I want to be able to directly access the S3 content myself (as admin). Also I would like to allow the CodeBuild service to access the same bucket.

Amazon suggests that you "add a bucket policy that allows s3:GetObject permission with a condition, using the aws:referer key, that the get request must originate from specific webpages.":

https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-4

But if I add an Explicit Deny part:

{
        "Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::examplebucket/*",
        "Condition": {
          "StringNotLike": {"aws:Referer": ["http://www.example.com/*","http://example.com/*"]}
        }
}

I'm losing the opportunity to upload files directly to the S3 bucket myself, and the CodeBuild service will not be able to do anything with my bucket either.

How can I implement Conditions in my bucket policy in order to deny access:

ONLY IF 

("StringNotLike": {"aws:Referer": "https://www.example.com"})
OR
("StringNotLike": {"aws:userid": "my root user id"})
OR
(my bucket is not requested by CodeBuild Service)

1 Answers

1
votes

By default, there is no access to objects stored in Amazon S3. Therefore, you should grant access via Allow permissions. Anything not Allowed is thus denied.

  • Add a Bucket Policy that permits action via the CloudFront Origin Access Identity
  • CodeBuild appears to use permissions of the IAM User that is using CodeBuild, so assign the permissions to those IAM Users (I looked at the documentation and it didn't mention the use of service-linked roles, but I might be wrong here)
  • To allow you access to the bucket, add permissions to your IAM User

None of the above requires the use of a Deny policy.

See: Restricting Access to Amazon S3 Content by Using an Origin Access Identity - Amazon CloudFront
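To make the difference between the two designs concrete, here is an added example (not part of the question or the answer, and not AWS code): a small bucket-policy evaluator that applies the documented decision order (an explicit Deny wins, otherwise a matching Allow, otherwise implicit deny) to the question's Referer-based policy and to the allow-only policy the answer recommends. All ARNs are constructed placeholders; the OAI ARN format, the account id and the user names are assumptions. It models only the bucket policy, not IAM identity policies, SCPs, ACLs or Block Public Access, and it implements one AWS rule that explains the question's problem: a negated operator such as StringNotLike evaluates to true when the condition key (here aws:Referer) is absent from the request, which is why an SDK upload with no Referer header hits the Deny.

```python
"""Toy S3 bucket-policy evaluator (example code, not an AWS library)."""
import fnmatch

# Constructed placeholder identifiers; none of these are real AWS resources.
BUCKET_ARN = "arn:aws:s3:::examplebucket"
OBJECT_ARN = f"{BUCKET_ARN}/index.html"
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
ADMIN_ARN = "arn:aws:iam::111122223333:user/admin"
CODEBUILD_ARN = "arn:aws:iam::111122223333:user/codebuild-user"
ANONYMOUS = "anonymous"  # unauthenticated browser request
SITE_REFERERS = ["http://www.example.com/*", "http://example.com/*"]

# Policy A: the Referer-based design from the question (AWS doc Allow + explicit Deny).
REFERER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowFromSite", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringLike": {"aws:Referer": SITE_REFERERS}}},
        {"Sid": "DenyOtherReferers", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": f"{BUCKET_ARN}/*",
         "Condition": {"StringNotLike": {"aws:Referer": SITE_REFERERS}}},
    ],
}

# Policy B: the allow-only design from the answer. The admin/CodeBuild Allow could
# equally live in those principals' IAM identity policies; the decision logic is the same.
ALLOW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudFrontRead", "Effect": "Allow", "Principal": {"AWS": OAI_ARN},
         "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
        {"Sid": "AdminAndCodeBuildReadWrite", "Effect": "Allow",
         "Principal": {"AWS": [ADMIN_ARN, CODEBUILD_ARN]},
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_any(value, patterns):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller):
    if principal == "*":          # matches everyone, including anonymous
        return True
    return caller in _as_list(principal.get("AWS", []))


def _condition_matches(condition, context):
    """Only the two string operators used on this page are supported."""
    for operator, keys in condition.items():
        for key, patterns in keys.items():
            value = context.get(key)
            matched = value is not None and _glob_any(value, patterns)
            if operator == "StringLike" and not matched:
                return False            # missing key -> positive operator is false
            if operator == "StringNotLike" and matched:
                return False            # missing key -> negated operator stays true
            if operator not in ("StringLike", "StringNotLike"):
                raise ValueError(f"unsupported operator {operator}")
    return True


def evaluate(policy, caller, action, resource, context=None):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    context = context or {}
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not _glob_any(action, stmt["Action"]) or not _glob_any(resource, stmt["Resource"]):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"      # an explicit Deny overrides every Allow
        decision = "allow"
    return decision


if __name__ == "__main__":
    browser = {"aws:Referer": "http://www.example.com/index.html"}
    print("A browser GET:", evaluate(REFERER_POLICY, ANONYMOUS, "s3:GetObject", OBJECT_ARN, browser))
    print("A admin PUT:  ", evaluate(REFERER_POLICY, ADMIN_ARN, "s3:PutObject", OBJECT_ARN))
    print("B OAI GET:    ", evaluate(ALLOW_ONLY_POLICY, OAI_ARN, "s3:GetObject", OBJECT_ARN))
    print("B admin PUT:  ", evaluate(ALLOW_ONLY_POLICY, ADMIN_ARN, "s3:PutObject", OBJECT_ARN))
    print("B anon GET:   ", evaluate(ALLOW_ONLY_POLICY, ANONYMOUS, "s3:GetObject", OBJECT_ARN))
```

Under policy A the admin's SDK upload and CodeBuild's requests carry no Referer, so the StringNotLike Deny matches and wins; under policy B the OAI can only read, the named IAM principals can read and write, and an anonymous request never matches an Allow, so it is denied without any Deny statement. (Referer is a client-supplied header in any case, so policy A was never a strong access control.)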