Is it a Bad Idea to Skip Cognito for S3 Access on My Static Website?

Asked By User123Xx On

Hey everyone! I'm currently setting up a static website using S3, but I've accidentally gotten some of my AWS concepts mixed up. I initially thought that S3 could assume roles to access other AWS resources, but I realize now that's not quite right. Basically, for my development phase, I've been using a pretty risky setup for reading from a specific bucket. Here's what's been happening:

1. I created an IAM User just for S3 read access.
2. I've set a policy that allows reading from that bucket.
3. My credentials are stored in the JavaScript configuration of my website (I know, I know, not smart).
4. I've restricted the user so they can only read from the bucket on a designated domain, meaning a malicious actor would need to do some spoofing to get in.

The content in these buckets is visible on the site, but just to clarify, the bucket itself isn't public—there's no sensitive personal info involved, just general content.

For limited write access to an API Gateway, I'm considering a setup where I have another bucket containing API credentials and the API Gateway URL. The initial read-only user would access these credentials, but users have to guess the bucket name. This is risky, and I plan to transition to Cognito for write access, mainly to tidy things up and improve security. The write webpage requires a passphrase to unlock, which checks for an existing bucket, adding another layer of security. I'm just worried about the potential weakness in this brute force method. I'd love to hear thoughts on all this!

1 Answer

Answered By TechWhiz23 On

Honestly, going this route with AWS is asking for trouble. It sounds like you're implementing several anti-patterns in your approach. Instead of trying to manage complex access controls, look into using CloudFront for your static assets; you shouldn't need direct credentials for users to access those. Plus, if your credentials leak, you’re in big trouble. You really should consider using Cognito for managing any API writes as it's more secure.
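As an added example (not the original poster's or the answerer's code), here is a small Python audit script for the two problems this thread raises: long-lived IAM access keys embedded in a site's JavaScript, and an S3 policy whose only restriction is the `aws:Referer` header, which any HTTP client can set to whatever it likes. It is shown next to the bucket policy used with CloudFront origin access control (OAC), where the browser never receives AWS credentials at all. The bucket name, account ID, distribution ID and the sample `config.js` are constructed values; the access key and secret are AWS's documented placeholder credentials, not real ones.

```python
"""Audit helpers for the setup described in the thread (added example).

1. Scan a static site's JavaScript for embedded long-lived IAM credentials.
2. Review an S3/IAM policy: flag access gated only by client-controlled
   request headers, and recognise the CloudFront OAC bucket-policy shape.

All names, IDs and the sample JS below are made up for illustration.
"""
import json
import re

# Long-lived IAM access key IDs start with AKIA; STS temporary keys with ASIA.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A 40-character secret assigned to a field named like an AWS secret key.
SECRET_KEY_RE = re.compile(
    r"(?:secretAccessKey|aws_secret_access_key)\s*[:=]\s*['\"]([A-Za-z0-9/+=]{40})['\"]",
    re.IGNORECASE,
)

# Condition keys whose value is chosen by the HTTP client. A policy whose only
# condition is one of these is not an access control, just an inconvenience.
CLIENT_CONTROLLED_KEYS = {"aws:referer", "aws:useragent"}


def find_embedded_credentials(js_source: str) -> dict:
    """Return access key IDs and the number of secret-key hits in client-side JS."""
    return {
        "access_key_ids": sorted(set(ACCESS_KEY_RE.findall(js_source))),
        "secret_keys": len(SECRET_KEY_RE.findall(js_source)),
    }


def audit_policy(policy: dict) -> list:
    """Return one verdict string per Allow statement in an S3 or IAM policy."""
    verdicts = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        cond = stmt.get("Condition", {})
        # Flatten {"StringLike": {"aws:Referer": ...}} into {"aws:referer"}.
        keys = {k.lower() for block in cond.values() for k in block}
        if not keys and principal == "*":
            verdicts.append(f"{sid}: public read, no condition")
        elif keys and keys <= CLIENT_CONTROLLED_KEYS:
            verdicts.append(
                f"{sid}: only restricted by {sorted(keys)}, which any client can spoof"
            )
        elif (
            isinstance(principal, dict)
            and principal.get("Service") == "cloudfront.amazonaws.com"
            and "aws:sourcearn" in keys
        ):
            verdicts.append(f"{sid}: ok, scoped to a CloudFront distribution via OAC")
        else:
            verdicts.append(f"{sid}: no automatic verdict, review manually")
    return verdicts


# Constructed sample of the kind of config.js the question describes. The key
# pair is AWS's documented placeholder, so this triggers the check without
# containing a real credential.
SAMPLE_JS = """
AWS.config.update({
  accessKeyId: 'AKIAIOSFODNN7EXAMPLE',
  secretAccessKey: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
  region: 'us-east-1'
});
"""

# Weak setting: an IAM identity policy for the read-only user whose only
# restriction is the Referer header (the "designated domain" in the question).
REFERER_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadIfRefererMatches",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-site-bucket/*",
        "Condition": {"StringLike": {"aws:Referer": ["https://www.example.com/*"]}},
    }],
}

# Corrected setting: a bucket policy that lets only one CloudFront distribution
# (via origin access control) read the bucket. No credentials reach the browser.
CLOUDFRONT_OAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontServicePrincipalReadOnly",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-site-bucket/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"
        }},
    }],
}

if __name__ == "__main__":
    print(json.dumps(find_embedded_credentials(SAMPLE_JS), indent=2))
    for name, pol in (("referer-only", REFERER_ONLY_POLICY),
                      ("cloudfront-oac", CLOUDFRONT_OAC_POLICY)):
        print(name, audit_policy(pol))
```

Run it against the real `config.js` and the JSON of each policy attached to the bucket or user; any `AKIA` hit in shipped JavaScript means the key is already public and should be rotated, and a referer-only statement should be replaced by the OAC shape (with `aws:SourceArn` set to your own distribution ARN) rather than tightened.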

WebDevGenius -

Wow, thanks for the insight! I might try storing data files in the main S3 bucket and just reference them normally. I didn't realize that was an option after migrating from Firebase!
