@jdecode
Last active January 17, 2024 11:45
S3 and IAM policy and configuration setup

Following is the CORS configuration that goes under Bucket > Permissions

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

jdecode commented Aug 13, 2020

Following is the IAM user's access policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        },
        {
            "Effect": "Deny",
            "NotAction": "s3:*",
            "NotResource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ]
        }
    ]
}


jdecode commented Aug 13, 2020

Following is the policy applied on S3 bucket

{
    "Version": "2012-10-17",
    "Id": "Policy1572334574521",
    "Statement": [
        {
            "Sid": "Stmt1572334569434",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::759397613179:user/IAM_USER"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::759397613179:user/IAM_USER"
                }
            }
        }
    ]
}


jdecode commented Aug 13, 2020

[Attached image: ACL _ Security _ AWS _ IAM_S3]


jdecode commented Aug 13, 2020

Output is as follows:

  1. The API ID + Secret pair of the IAM user should be able to access the specified S3 bucket, and NO OTHER bucket
  2. The S3 bucket should be able to receive requests from the specified IAM user, and from NO OTHER user
  3. The objects in the bucket could be "Put" (saved) or "Get" (retrieved) and nothing else. No DELETE operations are permitted.

All objects (files) should be private by default unless something is specifically required to have public access, like images or files that are supposed to go in emails, with previews.

If the files are supposed to be linked (and not previewed) then the link should take the user to a URL that would (optionally, internally redirect to a location that) let the user preview or download the said file using signed URL.
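The three requirements above can be checked against the user policy posted earlier without touching AWS. The following is an added example, not code from the gist: a deliberately small model of IAM's evaluation order (explicit Deny beats Allow, Allow beats nothing, no match is an implicit deny) that ignores conditions, bucket policies and SCPs. The object and instance ARNs in `check_gist_requirements` are constructed for the example; `BUCKET_NAME` is the gist's own placeholder.

```python
import fnmatch
import json

# Copy of the IAM user policy from the comment above (BUCKET_NAME left as the
# gist's placeholder); everything else in this block is an added example.
USER_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": ["arn:aws:s3:::BUCKET_NAME", "arn:aws:s3:::BUCKET_NAME/*"]},
        {"Effect": "Allow", "Action": "s3:PutObject",
         "Resource": ["arn:aws:s3:::BUCKET_NAME", "arn:aws:s3:::BUCKET_NAME/*"]},
        {"Effect": "Deny", "NotAction": "s3:*",
         "NotResource": ["arn:aws:s3:::BUCKET_NAME", "arn:aws:s3:::BUCKET_NAME/*"]}
    ]
}""")


def _any_match(patterns, value, case_insensitive):
    """IAM-style wildcard match ('*' and '?') against one pattern or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive in IAM; resource ARNs are not.
    if "Action" in stmt:
        action_hit = _any_match(stmt["Action"], action, True)
    else:
        action_hit = not _any_match(stmt["NotAction"], action, True)
    if "Resource" in stmt:
        resource_hit = _any_match(stmt["Resource"], resource, False)
    else:
        resource_hit = not _any_match(stmt["NotResource"], resource, False)
    return action_hit and resource_hit


def evaluate(policy, action, resource):
    """Simplified IAM decision: an explicit Deny wins over any Allow, an
    Allow wins over nothing, and no matching statement is an implicit deny.
    Conditions, bucket policies and SCPs are out of scope for this model."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def check_gist_requirements(policy=USER_POLICY):
    """Exercise the three requirements listed in the comment, plus two cases
    that show what the final Deny statement does and does not cover."""
    obj = "arn:aws:s3:::BUCKET_NAME/uploads/report.pdf"      # constructed object ARN
    other = "arn:aws:s3:::OTHER_BUCKET/uploads/report.pdf"    # constructed object ARN
    ec2 = "arn:aws:ec2:us-east-1:111111111111:instance/i-0"   # constructed non-S3 ARN
    return {
        "get_own_bucket": evaluate(policy, "s3:GetObject", obj),
        "put_own_bucket": evaluate(policy, "s3:PutObject", obj),
        "delete_own_bucket": evaluate(policy, "s3:DeleteObject", obj),
        "list_own_bucket": evaluate(policy, "s3:ListBucket", "arn:aws:s3:::BUCKET_NAME"),
        "get_other_bucket": evaluate(policy, "s3:GetObject", other),
        "non_s3_action": evaluate(policy, "ec2:StartInstances", ec2),
    }


if __name__ == "__main__":
    for name, decision in check_gist_requirements().items():
        print(f"{name:20s} {decision}")
```

Running it shows Get and Put on the named bucket allowed and Delete refused, as the comment requires. It also shows something worth knowing about the third statement: `NotAction: s3:*` with `NotResource: <bucket>` fires only for non-S3 actions on non-bucket resources, so S3 calls against another bucket are refused by the implicit default deny alone, not by that explicit Deny. That is enough while this is the user's only policy; if a broader S3 grant is ever attached to the same user, nothing in this policy would override it.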


jdecode commented Aug 13, 2020

The API key ID and SECRET pair MUST NOT be made accessible to front-end applications - neither web-based apps (React.JS/Vue, etc.) nor mobile apps (React Native, Swift/Java, etc.).

The secret keys MUST stay at the server end only; client-end (front-end) apps (web/mobile) should use the server to get signed/pre-signed URLs to access or save files to S3, but never store the API keys.
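What the server hands to the client in that flow is a presigned URL, and it helps to see exactly which parts of the credential end up in it. The block below is an added example, not the gist author's code or an AWS library: a standard-library implementation of SigV4 query-string presigning for a GET of one object (in practice you would call boto3's `generate_presigned_url`, this is written out so the contents of the URL are visible). The access key ID and secret in `demo_url` are constructed placeholders, the object key is constructed, and the clock is fixed so the result is reproducible.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key, date_stamp, region, service="s3"):
    # SigV4 key derivation: "AWS4"+secret -> date -> region -> service -> aws4_request
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign_get_object(bucket, key, access_key_id, secret_key, region,
                       expires_seconds=300, now=None):
    """Build a SigV4 query-string-presigned GET URL for one object.
    Only the access key ID and the signature travel in the URL; the secret
    key is used here, on the server, and never leaves it."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_seconds),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, every key and value URI-encoded
    # (the '/' inside the credential scope must become %2F).
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )
    canonical_uri = quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join([
        "GET",
        canonical_uri,
        canonical_query,
        f"host:{host}\n",       # canonical headers, then a blank line
        "host",                 # signed headers
        "UNSIGNED-PAYLOAD",     # presigned URLs do not sign the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        _signing_key(secret_key, date_stamp, region),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def demo_url(secret_key="EXAMPLE-SECRET-NOT-A-REAL-KEY"):
    """Deterministic sample: constructed placeholder credentials and a fixed
    clock so the output can be compared run to run."""
    fixed_now = datetime.datetime(2020, 8, 13, 12, 0, 0, tzinfo=datetime.timezone.utc)
    return presign_get_object(
        bucket="BUCKET_NAME",                  # the gist's placeholder
        key="uploads/report.pdf",              # constructed object key
        access_key_id="AKIAEXAMPLE000000000",  # constructed placeholder, not a real ID
        secret_key=secret_key,
        region="us-east-1",
        expires_seconds=300,
        now=fixed_now,
    )


if __name__ == "__main__":
    print(demo_url())
```

The URL carries the access key ID (inside `X-Amz-Credential`), the timestamp, the lifetime and a 64-hex-character HMAC; the secret appears nowhere in it, which is why the server can safely hand the URL to a browser or mobile app. Keep `X-Amz-Expires` short: a leaked presigned URL is usable by anyone until it expires, and the only other way to cut it off is rotating the key that signed it.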

@er-pkumar

New/JSON CORS

[{
  "AllowedHeaders": [],
  "AllowedMethods": [
      "GET",
      "POST"
  ],
  "AllowedOrigins": [
      "*"
  ],
  "ExposeHeaders": []
}]
