Assume that we want to create a bucket called foo.mydomain.com, and that you already own mydomain.com.
1. Create the bucket.
- go to the AWS console, S3, and select the S3 region that you want.
- name the bucket foo.mydomain.com
- save, then select the bucket -> click Actions -> Properties
- in Properties click Permissions -> Add permissions -> grant View to Everyone (this relies on S3 object URLs being unguessable, which is obscurity rather than access control: an object can only be read anonymously when its own ACL or a bucket policy grants public read, so grant Everyone nothing beyond what the test in step 4 needs)
2. Create the CNAME
- go to dnsmadeeasy (or whoever your DNS provider is)
- click on mydomain.com (recently updated domains list)
- create a CNAME from foo to s3.amazonaws.com. (the trailing . is important)
- open a browser and go to foo.mydomain.com
- it should resolve to the same place as foo.mydomain.com.s3.amazonaws.com
- it should produce Access Denied (there is no public list access)
3. Create the user
- go to the AWS console -> IAM
- click Users -> Create user, name = foo, click Show credentials, then copy the access key and secret and store them somewhere safe
- click Users -> click foo -> click the Permissions tab -> click Add policy -> click Custom policy
- paste the policy below, named foo (it is scoped to this one bucket and its objects only):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::foo.mydomain.com",
        "arn:aws:s3:::foo.mydomain.com/*"
      ]
    }
  ]
}
- click Users -> click red mine -> click the Permissions tab -> click Add policy -> click Custom policy, named remindlistall (this is needed because the access request is preceded by a list-all-buckets call…):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
4. Test
- go to the S3 console
- upload a file
- right-click on it -> Properties
- get its link
- open an incognito browser and try to go there
- (I do not recall whether you also need to set the file's permissions to view for Everyone...)
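As an added example (not part of the original notes), a small Python helper that generates the two user policies from step 3 for a given host and checks that an Allow statement never reaches beyond that one bucket; the bucket-name regex, the `bucket_for_host`, `user_policies` and `overbroad` names, and the policy key "listall" are my own assumptions.

```python
"""Generate and sanity-check the per-bucket IAM policies from the notes above."""
import json
import re

# Virtual-hosted style requires bucket name == CNAME hostname, so the host
# must itself be a legal bucket name (lowercase letters, digits, dots, hyphens).
_BUCKET_RE = re.compile(r"^(?!.*\.\.)[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# The only action the notes need on the account-wide resource arn:aws:s3:::*
_ACCOUNT_WIDE_OK = {"s3:ListAllMyBuckets"}


def bucket_for_host(host):
    """Bucket name a CNAME for `host` can map to (they must be identical)."""
    if not _BUCKET_RE.match(host):
        raise ValueError(f"{host!r} cannot be used as a bucket name")
    return host


def user_policies(host):
    """The two policies from step 3, keyed by policy name, for bucket `host`."""
    bucket = bucket_for_host(host)
    return {
        host: {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]},
        "listall": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"}]},
    }


def _as_list(value):
    # IAM accepts a string or a list for Action and Resource; normalise to list.
    return value if isinstance(value, list) else [value]


def overbroad(policy, bucket):
    """Allow statements whose resource is outside `bucket` (ListAllMyBuckets excepted)."""
    prefix = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        for res in _as_list(stmt.get("Resource", [])):
            in_bucket = res == prefix or res.startswith(prefix + "/")
            if not in_bucket and not actions <= _ACCOUNT_WIDE_OK:
                findings.append((sorted(actions), res))
    return findings


if __name__ == "__main__":
    for name, pol in user_policies("foo.mydomain.com").items():
        print(name, json.dumps(pol), overbroad(pol, "foo.mydomain.com"))
```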