Server-Side Encryption (SSE) in AWS S3:

Three types of SSE are supported.

  • SSE-C - the client provides a data encryption key for every GET/PUT object call. AWS S3 does not store the client-provided data encryption key. The client-provided data encryption key may be generated by AWS KMS for every GET/PUT object call. It is the user's responsibility to securely save/map the data encryption keys generated by KMS; AWS S3 does not store any data encryption key.
  • SSE-S3 - the client does not provide any encryption key for GET/PUT object calls. AWS S3 uses one single key (generated the first time) to encrypt/decrypt objects. According to the AWS docs, this key is stored along with the object data.
  • SSE-KMS - the client provides a Customer Master Key (CMK) for GET/PUT object calls. AWS S3 uses the client-provided CMK to generate data keys via KMS to encrypt/decrypt objects. This data key is encrypted using KMS and is stored along with the object data.

The bucket policy below prevents uploading unencrypted objects (even by the bucket owner or an authenticated user).

  • S
@krishnasrinivas
krishnasrinivas / bucket-policies-primer.md
Created September 9, 2017 19:51 — forked from harshavardhana/bucket-policies-primer.md
Explanation of bucket polices by example

Bucket Policy

Bucket policy is an access policy available for you to grant anonymous permissions to your Minio resources. Bucket policy uses a JSON-based access policy language.

This section presents a few examples of typical use cases for bucket policies. The policies use testbucket strings in the resource value. To test these policies, you need to replace these strings with your bucket name. For more information, please read the Amazon S3 access policy language documentation.

Granting Read-Only Permission to an Anonymous User

The following example policy grants the s3:GetObject permission to any anonymous user. This permission allows anyone to read the object data under testbucket, which is useful when you have publicly readable assets. A typical example is website assets stored in testbucket.

@krishnasrinivas
krishnasrinivas / madmin-rest.md
Last active December 13, 2023 21:52 — forked from krisis/madmin-rest.md
Minio Management REST API spec

Minio Management REST API

Management APIs implement remote administrative operations over HTTP/REST. This guide is intended for SDK developers of packages like madmin. If you are an end user, please take a look at the mc admin CLI interface.

Authentication

  • All requests should be signed using AWS Signature Version 4

FEEDBACK: We can use a simpler JSON Web Token for auth, just like minio-browser does. Tokens are a standard way of auth for REST APIs.

  • us-east-1 should be used in signing
import (
	"os"
	"syscall"
	"unsafe"
)

// data from kernel headers
const (
	DT_UNKNOWN = 0
	// ... (gist preview truncated here)
@krishnasrinivas
krishnasrinivas / 0_reuse_code.js
Created July 9, 2014 14:53
Here are some things you can do with Gists in GistBox.
// Use Gists to store code you would like to remember later on
console.log(window); // log the "window" object to the console