13 November 2012

This bucket policy is a proof of concept for bucket security that avoids the complexity of signing requests where signing is inconvenient (e.g., from BASH or another lightweight toolkit). The bucket permissions simply restrict reads to requests carrying a specific User-Agent value, which speeds up access.

{
	"Version": "2008-10-17",
	"Id": "Policy1346872753787",
	"Statement": [
		{
			"Sid": "Stmt1346872639315",
			"Effect": "Allow",
			"Principal": {
				"AWS": "*"
			},
			"Action": "s3:GetObject",
			"Resource": "arn:aws:s3:::bucketname.example.com/*",
			"Condition": {
				"StringEquals": {
					"aws:UserAgent": "long-random-string-for-authentication"
				}
			}
		}
	]
}

For example, this allows a shell script to fetch an object with a very simple cURL command:

curl -A long-random-string-for-authentication http://bucketname.example.com/object-key

This method has an element of security by obscurity: the User-Agent string is the only credential and it travels in every request, so it is important to protect each request. Thus, accessing S3 over HTTPS is important, as is periodically rotating the random strings.
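
The rotation and HTTPS advice above, as an added example that is not part of the original post: it renders the same policy so that both the new and the previous token are accepted during a changeover. The aws:SecureTransport condition, the 64-hex-character token format and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): rotate the User-Agent token.
# Rotation: 1) publish [new, old]; 2) switch clients to new; 3) publish [new].
set -eu
LC_ALL=C   # make the a-z / 0-9 ranges below byte-exact

# 32 bytes from the kernel CSPRNG as 64 lowercase hex characters.
new_token() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# Accept only 64 hex characters, so a token can never break out of the JSON.
is_token() {
    case "$1" in ''|*[!0-9a-f]*) return 1 ;; esac
    [ "${#1}" -eq 64 ]
}

# render_policy BUCKET CURRENT [PREVIOUS]  (subshell body keeps variables local)
render_policy() (
    bucket=$1 current=$2 previous=${3:-}
    case "$bucket" in ''|*[!a-z0-9.-]*) echo "bad bucket name" >&2; exit 1 ;; esac
    is_token "$current" || { echo "bad current token" >&2; exit 1; }
    agents="\"$current\""
    if [ -n "$previous" ]; then
        is_token "$previous" || { echo "bad previous token" >&2; exit 1; }
        agents="$agents, \"$previous\""
    fi
    cat <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::$bucket/*",
      "Condition": {
        "StringEquals": { "aws:UserAgent": [$agents] },
        "Bool": { "aws:SecureTransport": "true" }
      }
    }
  ]
}
EOF
)

# Typical use (apply with: aws s3api put-bucket-policy --bucket B --policy file://policy.json):
#   new=$(new_token); render_policy bucketname.example.com "$new" "$old" > policy.json
```

Because of the aws:SecureTransport condition, the plain http:// form of the cURL command above is denied; clients must request the object over HTTPS.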

Addendum: Benchmarking

Apache Benchmark (ab2) can set the User-Agent via the -H flag:

ab -k -c 10 -n 200 -e "ab_$i.csv" -H 'User-Agent: quicktest' "$url"

The above command was run for a basic benchmark of this method. Although results would likely vary significantly based on file size and other factors, there was very little evidence of a performance difference between this method and signing your requests.
