Services Plugins FAQs

AWS Any File Uploader - S3 Bucket Policy

Hello there,

I am new to AWS but I want to ensure maximum security for our S3 bucket when using the AWS S3 uploader.

When following the documentation, I don’t really understand why they added the statement with the id “AddPerm”.

From my understanding, statement “AddPerm2” will always evaluate to true and therefore this policy will always apply.

And did I understand correctly that the bucket policy is checked first and then CORS, or can the two not be related in that way? So my question is: what is the use case for “AddPerm”?

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "https://zeroqode-demo-02.bubbleapps.io/*"
                }
            }
        },
        {
            "Sid": "AddPerm2",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
        }
    ]
}
```

Any help is very much appreciated!

Best
Annabell

Hello, @annabell
Thanks for your question.

Please note that “AddPerm” is not something that should be changed by the user. For the correct plugin performance and easier plugin configuration, we recommend using this JSON code:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "https://zeroqode-demo-02.bubbleapps.io/*"
                }
            }
        },
        {
            "Sid": "AddPerm2",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
        }
    ]
}
```

Through “AddPerm” you allow the plugin access to your bucket, which is an obligatory part of the plugin performance.

These points are not related in that way, but Access Control, Bucket Policy, and CORS policy are used for basic security restrictions.
The code provided above is used for the Bucket Policy. In the ‘Bucket Policy’ area you can configure the rules for security and privacy via Bucket Policy. Take a look at the “Action”, “Resource” and “Condition” fields where we grant access to reading the objects from our bucket.
In this case, we are granting read file access only to users from our application domain, so if a user gets an image URL and tries to open it in a new tab or a new window, the bucket policy will block this request because we stated in the privacy rules that the link can be opened only from our domain.

I highly recommend you just use our documentation for configuring the plugin. It is really very detailed and we describe everything you need to know to start using this plugin and AWS storage.

Best regards,

This is an example of an AWS S3 bucket policy. It has two statements:
The first statement with the Sid “AddPerm” allows read access to the S3 bucket objects for all users that access the objects from a specific website domain (in this case, “https://zeroqode-demo-02.bubbleapps.io/*”). This statement uses the “s3:GetObject” action and applies the condition that the request must come from a specific website domain.

The second statement with the Sid “AddPerm2” allows all actions on all objects in the S3 bucket for all users. This statement applies to all actions and resources in the S3 bucket.
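To make the two statements' effect concrete, here is an added example (not the plugin's or any poster's code) that evaluates anonymous requests against a constructed copy of this policy. It implements only the `StringLike` operator used here and assumes AWS-style `*`/`?` wildcards; real IAM evaluation has many more rules.

```python
import fnmatch
import json

# Constructed copy of the two-statement bucket policy discussed in the thread.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AddPerm", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
     "Condition": {"StringLike": {"aws:Referer": "https://zeroqode-demo-02.bubbleapps.io/*"}}},
    {"Sid": "AddPerm2", "Effect": "Allow", "Principal": "*",
     "Action": "*",
     "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"}
  ]
}""")


def _listify(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(cond, ctx):
    """Only StringLike is implemented (the sole operator in this policy).
    Note: aws:Referer is taken from the client's Referer header, so a
    matching condition means the header matched, not that the caller was
    authenticated."""
    for key, pattern in cond.get("StringLike", {}).items():
        value = ctx.get(key)
        if value is None or not any(fnmatch.fnmatchcase(value, p) for p in _listify(pattern)):
            return False
    return True


def allowing_statements(policy, action, resource, ctx):
    """Return the Sids of Allow statements that match an anonymous request."""
    sids = []
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Principal"] != "*":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _listify(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(st["Resource"])):
            continue
        if _condition_matches(st.get("Condition", {}), ctx):
            sids.append(st["Sid"])
    return sids


def public_unconditional_statements(policy):
    """Lint check: Allow statements open to Principal "*" with no Condition."""
    return [st["Sid"] for st in policy["Statement"]
            if st["Effect"] == "Allow" and st["Principal"] == "*" and "Condition" not in st]
```

Running `allowing_statements` for an `s3:DeleteObject` request with no Referer shows that only "AddPerm2" grants it, and `public_unconditional_statements` flags that same statement.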

@Ecaterina, @Ecaterina Thank you for your answers! :slight_smile:

To me, allowing all users access to all resources in my bucket through “AddPerm2” seems a bit dangerous. Can I at least specify that the request for performing the actions on my bucket objects must come from my website domain, like in “AddPerm”?
And shouldn't I replace the aws:Referer in “AddPerm” with https://mydomain.bubbleapps.io? In the documentation it only said that one should replace the bucket name…

Many thanks :slight_smile:

Hello, @annabell. Apologies for the delayed reply.

You have to replace not the “AddPerm” parameter, but the URL of the Zeroqode demo:

Hope it helps.