AWS bucket permissions question

tablaFreak
Hi - Can anyone share how to provide access to files from a given SSL URL on AWS Amazon Cloud Server (S3)? My bucket permissions work fine on an unsecured connection, but not on an SSL connection. Here's what I've got for permissions:

{
	"Version": "2012-10-17",
	"Id": "http referer policy",
	"Statement": [
		{
			"Sid": "Allow get requests referred by www.example.com and example.com.",
			"Effect": "Allow",
			"Principal": "*",
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::wellsource/*",
			"Condition": {
				"StringLike": {
					"aws:Referer": [
						"http://zzzz.com/*",
						"http://xxxx.com/*",
						"http://www.zzzz.com/*",
						"https://console.aws.amazon.com/*",
						"http://www.xxxx.com/*"
					]
				}
			}
		},
		{
			"Sid": "Explicit deny to ensure requests are allowed only from specific referer.",
			"Effect": "Deny",
			"Principal": "*",
			"Action": [
				"s3:DeleteObject",
				"s3:GetObject"
			],
			"Resource": "arn:aws:s3:::wellsource/*",
			"Condition": {
				"StringNotLike": {
					"aws:Referer": [
						"http://zzzz.com/*",
						"http://xxxx.com/*",
						"http://www.zzzz.com/*",
						"https://console.aws.amazon.com/*",
						"http://www.xxxx.com/*"
					]
				}
			}
		}
	]
}



Thanks,
Steve
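As an added check that is not part of Steve's question or of the answers: the StringLike patterns in the policy above are literal prefixes, so a page served over https:// sends an https:// Referer that none of the http:// patterns match, and the explicit Deny statement fires. This Python snippet simulates how S3 evaluates the two statements (explicit deny wins, then an allow must match, otherwise implicit deny) against the original pattern list and an https-aware one; the sample referers are constructed, and note that AWS documents the Referer header as client-supplied, so this condition limits casual hotlinking rather than authenticating the requester.

```python
import re

# Referer patterns copied from the policy in the question (zzzz/xxxx are its placeholders).
REFERER_PATTERNS = [
    "http://zzzz.com/*",
    "http://xxxx.com/*",
    "http://www.zzzz.com/*",
    "https://console.aws.amazon.com/*",
    "http://www.xxxx.com/*",
]

# Same list extended with https:// forms, the change a page served over TLS needs.
HTTPS_AWARE_PATTERNS = REFERER_PATTERNS + [
    p.replace("http://", "https://", 1) for p in REFERER_PATTERNS
]


def iam_glob_match(pattern, value):
    """IAM StringLike semantics: case-sensitive, '*' any run, '?' one char."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, value) is not None


def evaluate(action, referer, patterns=REFERER_PATTERNS):
    """Apply the question's two statements the way S3 does: an explicit deny
    wins, otherwise some allow must match, otherwise the request is implicitly
    denied. Returns 'allow', 'explicit deny' or 'implicit deny'."""
    referer_like = referer is not None and any(
        iam_glob_match(p, referer) for p in patterns
    )
    # Statement 1: Allow s3:GetObject when StringLike matches aws:Referer.
    allowed = action == "s3:GetObject" and referer_like
    # Statement 2: Deny Get/Delete when StringNotLike matches. A request with
    # no Referer header makes the negated operator evaluate true, so it is denied.
    denied = action in ("s3:GetObject", "s3:DeleteObject") and not referer_like
    if denied:
        return "explicit deny"
    return "allow" if allowed else "implicit deny"


if __name__ == "__main__":
    # Constructed sample requests: the same page fetched over http and over https,
    # plus a direct link with no Referer at all.
    for ref in ["http://www.zzzz.com/page.html", "https://www.zzzz.com/page.html", None]:
        print(f"{ref!s:34} original: {evaluate('s3:GetObject', ref):14}"
              f" https-aware: {evaluate('s3:GetObject', ref, HTTPS_AWARE_PATTERNS)}")
```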

AWS Content Lead at Cloud Academy
Commented:
Hi,

I've not tried to do this myself, but is your S3 Bucket configured for SSL?

Just found this blog post regarding configuring S3 buckets for SSL connections; it's a little old, but it may help point you in the right direction:
http://stackoverflow.com/questions/11201316/how-to-configure-ssl-for-amazon-s3-bucket

You could also look at using CloudFront to handle this for you:
https://bryce.fisher-fleig.org/blog/setting-up-ssl-on-aws-cloudfront-and-s3/
http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html

Cheers,

Stu...
Your bucket is accessible via 3 different methods.

As a subdomain on s3.amazonaws.com
http://mybucketname.s3.amazonaws.com/

As a subfolder in s3.amazonaws.com
http://s3.amazonaws.com/mybucketname/

And finally, only if your bucket has a name that is a valid FQDN in your domain, you can create a CNAME in your DNS pointing this FQDN to S3 like this:

mybucket.mydomain.com  CNAME mybucket.mydomain.com.s3.amazonaws.com

However, you cannot install your own certificate on S3.
So for SSL access you are limited to the first 2 options, BUT only if your bucket has no dots in its name.

If you really want to use SSL like in httpS://mybucket.mydomain.com  then you must place a CDN or a reverse proxy between S3 and your users. Cloudfront is an option, but any CDN that supports custom SSL will do the job.
