Using Mountain Duck with S3

There is a lovely product called Mountain Duck which lets you mount various cloud storage providers as local storage and, in some cases, publish resources to URLs. It’s a great tool, and works like a charm. That said, setting up S3 privileges can be less than simple, and limiting the damage if someone gets hold of a credential is tricky.

Below is an IAM policy (an identity-based policy document) that can be attached to an AWS IAM user and allows the use of one shared bucket without putting your entire set of S3 buckets at risk if that credential leaks.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCloudfrontListDist",
            "Effect": "Allow",
            "Action": "cloudfront:ListDistributions",
            "Resource": "*"
        },
        {
            "Sid": "AllowBucketListing",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*"
            ]
        },
        {
            "Sid": "AllowFileAccess",
            "Effect": "Allow",
            "Action": [
                "s3:List*",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObjectVersionTagging",
                "s3:GetObjectAttributes",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersionAttributes",
                "s3:GetObjectVersion",
                "s3:PutObjectAcl",
                "s3:PutObjectVersionAcl"
            ],
            "Resource": [
                "arn:aws:s3:::YOURBUCKETNAME",
                "arn:aws:s3:::YOURBUCKETNAME/*"
            ]
        }
    ]
}

This policy does NOT allow files to be published through CloudFront: you can list distributions, but not publish to them. This is deliberate, to limit cost exposure. I also recommend setting a billing alert for all AWS resources so you never get a nasty surprise.
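A quick way to confirm that the policy really is scoped the way the post intends is to check it offline before attaching it. The script below is an added example, not code from the post or from Mountain Duck: it embeds the policy document above (with the YOURBUCKETNAME placeholder), evaluates a handful of probe actions against a deliberately simplified model of IAM (wildcard matching on actions and resources, explicit Deny wins; no Condition, NotAction, bucket policies, SCPs or Block Public Access), and reports any write action granted outside the named bucket, any CloudFront write action, and any ACL-write action. The ACL check is the caveat worth knowing about: s3:PutObjectAcl and s3:PutObjectVersionAcl let the holder of the credential change object ACLs (for example to public-read) on that bucket, which matters unless the bucket has ACLs disabled or Block Public Access turned on. The probe action names are real IAM actions; everything else here is constructed for the example.

```python
"""Offline scope check for the IAM policy from the post (constructed example)."""
import fnmatch
import json

BUCKET = "YOURBUCKETNAME"  # placeholder from the post; substitute your bucket name

# The policy document from the post, embedded verbatim (arrays joined on one line).
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCloudfrontListDist", "Effect": "Allow",
     "Action": "cloudfront:ListDistributions", "Resource": "*"},
    {"Sid": "AllowBucketListing", "Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::*"]},
    {"Sid": "AllowFileAccess", "Effect": "Allow",
     "Action": ["s3:List*", "s3:GetObject", "s3:GetObjectAcl", "s3:PutObject",
                "s3:DeleteObject", "s3:GetObjectVersionTagging", "s3:GetObjectAttributes",
                "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:GetObjectVersionAttributes",
                "s3:GetObjectVersion", "s3:PutObjectAcl", "s3:PutObjectVersionAcl"],
     "Resource": ["arn:aws:s3:::YOURBUCKETNAME", "arn:aws:s3:::YOURBUCKETNAME/*"]}
  ]
}""")

# Probe actions (real IAM action names) used to test the policy's reach.
S3_WRITE_PROBES = ["s3:PutObject", "s3:DeleteObject", "s3:PutBucketPolicy",
                   "s3:DeleteBucket", "s3:PutBucketPublicAccessBlock"]
CLOUDFRONT_WRITE_PROBES = ["cloudfront:CreateInvalidation", "cloudfront:UpdateDistribution",
                           "cloudfront:CreateDistribution"]
ACL_PROBES = ["s3:PutObjectAcl", "s3:PutObjectVersionAcl", "s3:PutBucketAcl"]


def _as_list(value):
    """IAM allows a bare string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def action_matches(granted, action):
    """IAM action patterns are case-insensitive and may contain '*' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), granted.lower())


def resource_matches(granted, resource):
    """Resource ARNs are case-sensitive; '*' and '?' are the IAM wildcards."""
    return fnmatch.fnmatchcase(resource, granted)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for st in policy["Statement"]:
        if not any(action_matches(g, action) for g in _as_list(st["Action"])):
            continue
        if not any(resource_matches(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def allowed_resources(policy, action):
    """Resource patterns on which Allow statements grant `action` (Deny ignored)."""
    out = set()
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if any(action_matches(g, action) for g in _as_list(st["Action"])):
            out.update(_as_list(st["Resource"]))
    return out


def audit(policy, bucket):
    """Check the 'one shared bucket' intent. Empty lists mean the check passed."""
    in_bucket = (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*")
    findings = {"write_outside_bucket": [], "cloudfront_write": [], "acl_write": []}
    for probe in S3_WRITE_PROBES:
        for res in sorted(allowed_resources(policy, probe)):
            if res not in in_bucket:
                findings["write_outside_bucket"].append((probe, res))
    for probe in CLOUDFRONT_WRITE_PROBES:
        if allowed_resources(policy, probe):
            findings["cloudfront_write"].append(probe)
    for probe in ACL_PROBES:
        if allowed_resources(policy, probe):
            findings["acl_write"].append(probe)
    return findings


if __name__ == "__main__":
    for key, hits in audit(POLICY, BUCKET).items():
        print(f"{key}: {hits or 'none'}")
```

Run it as-is and the only finding is the ACL-write one, which is the trade-off to decide on: keep the two ACL actions if Mountain Duck needs them for your workflow, or drop them and rely on bucket-level settings for object visibility. Re-run after any edit to the policy; a write action showing up on a resource other than the two bucket ARNs is the sign that the blast radius has grown beyond the one bucket.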

Hope this helps. Good luck, and good night…

mm
About

Phorkus is just this guy...
