Using Mountain Duck with S3
There is a lovely product called Mountain Duck which lets you mount various cloud storage providers as local storage, and in some cases also lets you publish resources to URLs. It’s a great tool, and works like a charm. That said, setting up S3 privileges can be less than simple, and limiting the amount of damage if someone gets hold of a credential is tricky.
Below is an IAM policy that can be attached to an AWS IAM user and allows the use of a single shared bucket, without the fear of your entire AWS S3 bucket structure being compromised if that user's credential leaks.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudfrontListDist",
            "Effect": "Allow",
            "Action": "cloudfront:ListDistributions",
            "Resource": "*"
        },
        {
            "Sid": "AllowBucketListing",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowFileAccess",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectAttributes",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersionAttributes",
                "s3:GetObjectVersion",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::YOURBUCKETNAME",
                "arn:aws:s3:::YOURBUCKETNAME/*"
            ]
        }
    ]
}
This policy does NOT allow publishing files through CloudFront: you can list distributions, but not create or change them. This is in order to limit cost exposure. I also recommend setting a billing alert for all AWS resources so you never get a nasty surprise.
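As an added example (not part of the original post), here is a small offline check that rebuilds the policy above for a bucket name of your choosing and audits it for the things that matter if the credential leaks: any sensitive S3 action whose Resource reaches beyond the named bucket, plus the two PutObjectAcl grants, which a stolen key could use to make objects public unless S3 Block Public Access is enabled on the bucket. The bucket name "example-bucket" and the set of actions treated as sensitive are assumptions of the example.

```python
import fnmatch

# Concrete S3 actions whose misuse matters most if a credential leaks; policy action
# patterns (for example "s3:List*" or "s3:*") are matched against them.
SENSITIVE_ACTIONS = {
    "s3:PutObject": "write", "s3:DeleteObject": "write",
    "s3:PutObjectAcl": "acl", "s3:PutObjectVersionAcl": "acl", "s3:PutBucketAcl": "acl",
}

def build_policy(bucket):
    """The post's policy with YOURBUCKETNAME replaced by `bucket` (a constructed name)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowCloudfrontListDist", "Effect": "Allow",
         "Action": "cloudfront:ListDistributions", "Resource": "*"},
        {"Sid": "AllowBucketListing", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Sid": "AllowFileAccess", "Effect": "Allow",
         "Action": ["s3:List*", "s3:GetObject", "s3:GetObjectAcl", "s3:PutObject",
                    "s3:DeleteObject", "s3:GetObjectVersionTagging",
                    "s3:GetObjectAttributes", "s3:GetObjectVersionAcl",
                    "s3:GetObjectTagging", "s3:GetObjectVersionAttributes",
                    "s3:GetObjectVersion", "s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
    ]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy, bucket):
    """Return (sid, action, kind, resource) findings for sensitive Allow grants:
    "out-of-scope" when an action reaches a resource outside the target bucket,
    "acl-write" when it can rewrite ACLs (a leaked credential could then make
    objects public unless S3 Block Public Access is enabled on the bucket)."""
    in_scope = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            for action, kind in SENSITIVE_ACTIONS.items():
                if not fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    continue  # IAM matches action names case-insensitively
                for resource in _as_list(stmt["Resource"]):
                    if resource not in in_scope:
                        findings.append((stmt.get("Sid"), action, "out-of-scope", resource))
                if kind == "acl":
                    findings.append((stmt.get("Sid"), action, "acl-write", ""))
    return findings
```

Run `audit_policy(build_policy("example-bucket"), "example-bucket")` to see the result for the policy as written: no out-of-scope grants, only the two ACL-write notes.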
Hope this helps. Good luck, and good night…