You can read this article in its Portuguese version by clicking here.
The objective of this article is to guide the reader step by step through creating a new bucket in AWS S3 (Simple Storage Service), then creating an IAM (Identity and Access Management) policy, user and access key that give an application remote access to that bucket and nothing else.
What is AWS S3?
Amazon Simple Storage Service (S3) is an object storage service offered by Amazon Web Services (AWS). It provides a simple and scalable way to store and retrieve data, such as photos, videos, documents, and backups, in the cloud. Users can store an unlimited amount of data in S3 and access it securely over the internet. S3 is widely used for data backup, hosting static content for websites and web applications, file sharing, log storage, and more. It offers high durability, scalability, and availability, making it a popular choice for a variety of use cases.
Requirements
- Have an AWS account.
Accessing the AWS console.
Access the AWS console through the browser and then search for S3 in the search bar at the top of the page.
Click the "create bucket" button to start the process.
Creating a bucket
General settings
- Choose the region where your bucket will be stored. Base the choice on cost, on latency to the users or application that will read the data, and on any data-residency requirement you have. If latency is not a concern, North American regions such as us-east-1 typically have the lowest storage prices.
- Give your bucket a name. Bucket names are globally unique across all AWS accounts, so a name that is already in use anywhere will be rejected; the naming rules are linked here. Depending on the chosen region, you may also have to choose a bucket type. When in doubt, choose "General purpose."
Object Ownership
This section controls who owns objects that another AWS account uploads to your bucket, and whether access control lists (ACLs) are used at all.
With "ACLs disabled" (bucket owner enforced, the recommended setting), every object is owned by your account no matter who uploaded it, ACLs are ignored, and access is governed only by IAM policies and the bucket policy. With "ACLs enabled", the uploading account can keep ownership of its objects and ACLs grant permissions alongside policies; this is only needed for legacy workloads that depend on ACLs. Keep ACLs disabled unless you have such a workload. Sharing data with partners or clients is better done with a bucket policy, which keeps the objects under your ownership and the grant in one reviewable place.
Block Public Access
The "Block Public Access" settings prevent objects from being exposed to anyone on the internet through a public bucket policy or ACL, even if one is added later by mistake.
Leave all of these options checked. Your applications should reach objects with IAM credentials, or hand out short-lived pre-signed URLs when a client without credentials needs a specific object; they should not need the bucket to be public.
Versioning
You can enable versioning for objects. S3 then keeps every version of an object that is overwritten, and marks deleted objects with a delete marker instead of removing them, so you can retrieve an earlier version or recover an object that was deleted by accident or by a compromised credential.
Remember that keeping this history increases your storage cost; a lifecycle rule can expire old versions after a set number of days.
Tags
Tags have various uses within the services provided by AWS. One example is cost categorization. You can create a tag with the name "department" and assign values like "marketing" or "finance" to easily identify costs related to different areas or initiatives.
Encryption
Server-side encryption means S3 encrypts each object with a key before writing it to disk and decrypts it when an authorized request reads it, so the stored bytes are unreadable without that key. This protects data at rest; it does not replace access control, because any principal allowed to read the object receives it decrypted.
You can let S3 manage the key (SSE-S3, the default: every new object is encrypted this way unless you choose otherwise) or use a key in AWS KMS (SSE-KMS), either an AWS managed key or a customer managed key that you control and can audit. With a customer managed key, any identity that reads or writes objects also needs kms:Decrypt and kms:GenerateDataKey permission on that key; the S3 permissions granted later in this article are not enough on their own.
You can also enable two-layer encryption (DSSE-KMS), which applies two independent layers of encryption with KMS keys, for workloads whose compliance requirements demand it.
Advanced settings/Object Lock
Object Lock is an Amazon S3 feature that adds a write-once-read-many (WORM) layer of protection: a locked object version cannot be overwritten or deleted for its retention period, which guards against accidental or malicious deletion, including by a compromised access key.
Object Lock can only be used on buckets with versioning enabled.
After going through all these settings, click "Create Bucket," and your new bucket is ready.
IAM
What is IAM?
IAM, or Identity and Access Management, is like a gatekeeper for your AWS account. It controls who can enter and what each person or program can do once inside. With IAM, you can create users, grant them specific permissions, and manage who has access to which resources in the AWS cloud. In summary, IAM helps keep your account secure and organized, allowing you to control who can do what.
What are we going to do?
- Create a policy that allows specific access to our new bucket.
- Create a user to associate with the new policy with an access key for use in an application.
To access the IAM dashboard, search for "IAM" in the search bar located at the top of the page.
Creating a policy
What is a policy?
A policy in IAM is a JSON document that specifies exactly which actions an identity (a user, group or role, and through it an application) may perform, on which resources, within your AWS account.
In the menu on the left, click "Policies" under "Access management."
Click on "Create Policy" to start the process.
You can create the policy in two ways:
Visual editor: you choose the service, and AWS lists every permission available for it. This is a good way to learn what each permission does; each one has an "info" button next to it with a detailed explanation.
JSON: the best way for those who already know the permissions or are following an example such as the one below. Replace NAME_OF_MY_BUCKET with the name of the bucket you just created.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::NAME_OF_MY_BUCKET/*",
                "arn:aws:s3:::NAME_OF_MY_BUCKET"
            ]
        }
    ]
}
Note that the policy names two resources. The bucket ARN itself is what bucket-level actions such as s3:ListBucket and s3:ListBucketMultipartUploads are evaluated against, while the same ARN followed by /* covers every object in the bucket and is what s3:GetObject, s3:PutObject and the other object-level actions need. Both are required, and nothing here grants access to any other bucket. After choosing the services and permissions, click "Next."
On the next screen, we need to give a name to our policy, we can add an optional description explaining the use of this new policy, add tags, and review the permissions added to it.
Click "Create Policy" at the bottom of the page to finish this step.
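Writing the policy by hand is fine for one bucket, but it helps to see the two rules above (bucket names must be valid and globally unique; bucket-level and object-level actions apply to different ARNs) as code. The following is an added example, not code from the original article: it validates a bucket name against the S3 naming rules, generates a least-privilege policy for that one bucket with the bucket-level and object-level actions in separate statements, optionally adds the KMS permissions needed when the bucket uses a customer managed key, and lints any policy for wildcard grants. The bucket name and KMS key ARN are placeholders; no AWS API is called, so it runs offline.

```python
"""Generate and lint a least-privilege IAM policy for a single S3 bucket.

Added example; not code from the original article. Makes no AWS API calls.
The bucket name and KMS key ARN passed in are the reader's own placeholders.
"""
import ipaddress
import json
import re

# General purpose bucket naming rules: 3-63 characters; lowercase letters,
# digits, dots and hyphens; must start and end with a letter or digit; no
# consecutive dots; must not look like an IPv4 address; some reserved
# prefixes and suffixes are not allowed.
_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
_RESERVED_PREFIXES = ("xn--", "sthree-", "amzn-s3-demo-")
_RESERVED_SUFFIXES = ("-s3alias", "--ol-s3")


def is_valid_bucket_name(name: str) -> bool:
    """Return True if `name` satisfies the S3 general purpose naming rules."""
    if not _NAME_RE.match(name) or ".." in name:
        return False
    if name.startswith(_RESERVED_PREFIXES) or name.endswith(_RESERVED_SUFFIXES):
        return False
    try:
        ipaddress.IPv4Address(name)  # "192.168.1.1" passes the regex but is rejected
        return False
    except ValueError:
        return True


# Bucket-level actions are authorised against the bucket ARN; object-level
# actions against the object ARN (bucket ARN + "/key"). Keeping them in
# separate statements scopes each grant to the resource type it applies to.
BUCKET_ACTIONS = ["s3:ListBucket", "s3:ListBucketMultipartUploads"]
OBJECT_ACTIONS = [
    "s3:GetObject",
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:AbortMultipartUpload",
    "s3:ListMultipartUploadParts",
]
# Needed in addition when the bucket is encrypted with SSE-KMS using a customer
# managed key: PutObject needs GenerateDataKey, GetObject needs Decrypt.
KMS_ACTIONS = ["kms:GenerateDataKey", "kms:Decrypt"]


def build_policy(bucket: str, kms_key_arn: str = "") -> dict:
    """Return an IAM identity policy granting read/write access to one bucket."""
    if not is_valid_bucket_name(bucket):
        raise ValueError(f"invalid bucket name: {bucket!r}")
    bucket_arn = f"arn:aws:s3:::{bucket}"
    statements = [
        {"Sid": "BucketLevel", "Effect": "Allow",
         "Action": BUCKET_ACTIONS, "Resource": bucket_arn},
        {"Sid": "ObjectLevel", "Effect": "Allow",
         "Action": OBJECT_ACTIONS, "Resource": f"{bucket_arn}/*"},
    ]
    if kms_key_arn:  # placeholder ARN supplied by the caller
        statements.append({"Sid": "BucketKey", "Effect": "Allow",
                           "Action": KMS_ACTIONS, "Resource": kms_key_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy: dict) -> list[str]:
    """Flag Allow statements that reach beyond a single bucket or service action."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        if any(r == "*" or r.startswith("arn:aws:s3:::*") for r in resources):
            findings.append(f"{sid}: resource covers every bucket")
        if "NotAction" in st or "NotResource" in st:
            findings.append(f"{sid}: NotAction/NotResource grant is hard to reason about")
    return findings


if __name__ == "__main__":
    policy = build_policy("my-app-uploads-2024")  # placeholder bucket name
    print(json.dumps(policy, indent=2))
    print("findings:", lint_policy(policy))
```

Paste the printed JSON into the policy editor. The linter is deliberately strict: a single `s3:*` on `*` would give the application's key the run of every bucket in the account, which is exactly the blast radius this article is trying to avoid.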
Creating a user
In the menu on the left, click "Users" under "Access management."
Click on "Create user" to start the process.
Provide a name for the user and decide whether it should be able to sign in to the AWS Management Console. Since the goal is a user for programmatic access through the SDK, leave that option unchecked; a console login would only widen what a leaked credential could do.
Click "next" to proceed.
On the second screen, we'll define how to associate the user with the policy.
- Add user to group: a group holds a set of policies and can contain many users, so you attach the policy once and add each user that needs it. Think of each group as a role within a company, assigned to the people who fill it.
- Copy permissions: lets you choose an existing user and copy their permission settings.
- Attach policies directly: attaches the policy to this user alone. (This is our option for now; select the policy created in the previous step.)
Click "next" to proceed.
On this screen, we have a summary of the user creation process, and we can add tags.
Click "Create user" to finish.
Creating an Access Key for this user.
After the user is created, we return to the Users list. Click the user name of your new user to open its details.
Look for the "Security credentials" tab and click it. Then scroll down to "Access keys" and click "Create access key."
On this screen, AWS asks why you are creating the key and lists alternatives that avoid long-lived keys altogether (an IAM role for workloads that run on AWS, IAM Identity Center for people using the CLI). Prefer those whenever they fit; a fixed key never expires on its own. For our case, an application running outside AWS, choose "Application running outside AWS."
Click "next" to proceed.
We can add a description to our access key.
Click "Create access key" to proceed.
In this final step, we have our "Access key" and "Secret access key" ready for use. The secret access key is shown only on this screen (you can also download it as a .csv file); once you leave it, it can no longer be retrieved, and you would have to create a new key.
After clicking "done," we return to the user details screen. Here, you can create a new "Access key," deactivate, or delete old ones.
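Two things go wrong with fixed access keys in practice: the pair gets pasted into source code (and from there into a repository), and old keys stay active long after anyone remembers what they were for. The following is an added example, not code from the original article: it scans text for hard-coded AWS credentials and, given a key inventory in the shape that IAM's ListAccessKeys returns, reports active keys older than a rotation threshold. No AWS API is called. The sample script and key inventory are constructed, the credentials in them are the placeholder values from the AWS documentation, and the 90-day threshold is an assumption to adjust to your own policy.

```python
"""Access-key hygiene: find hard-coded AWS credentials in source text and flag
long-lived keys that are due for rotation.

Added example; not code from the original article. Makes no AWS API calls.
The sample source and key inventory below are constructed, and the
credentials in them are the placeholder values from the AWS documentation.
"""
import re
from datetime import datetime, timedelta, timezone

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA;
# both are 20 uppercase alphanumeric characters.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret access key is 40 base64-like characters. That pattern alone is
# noisy, so only report one that sits next to a "secret access key" label.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret_?access_?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

MAX_KEY_AGE = timedelta(days=90)  # assumed rotation threshold; tune to your policy


def find_hardcoded_keys(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, redacted_prefix) for each credential found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((lineno, "access_key_id", m.group(0)[:8] + "..."))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((lineno, "secret_access_key", m.group(1)[:4] + "..."))
    return hits


def keys_needing_rotation(keys: list[dict], now: datetime) -> list[str]:
    """Return the IDs of active keys older than MAX_KEY_AGE.

    `keys` has the shape of the AccessKeyMetadata entries returned by IAM's
    ListAccessKeys (AccessKeyId, Status, CreateDate); here it is constructed.
    """
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and now - k["CreateDate"] > MAX_KEY_AGE]


# Constructed sample: a script with the key pair pasted in. The values are the
# placeholder credentials from the AWS documentation, not real ones.
SAMPLE_SOURCE = """\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3")  # fine on its own: boto3 reads credentials from the environment
"""

# Constructed sample inventory for one IAM user, as of NOW.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLEOLDKEY001", "Status": "Active",
     "CreateDate": datetime(2024, 1, 15, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLENEWKEY002", "Status": "Active",
     "CreateDate": datetime(2024, 5, 20, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLEOFFKEY003", "Status": "Inactive",
     "CreateDate": datetime(2023, 3, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for lineno, kind, value in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: hard-coded {kind} {value}")
    print("rotate:", keys_needing_rotation(SAMPLE_KEYS, NOW))
```

Run the scanner as a pre-commit hook over staged files, and feed the rotation check from a periodic job; the fix for a hard-coded key is to remove it, deactivate and delete it in the console as described above, create a new one, and supply the new pair through environment variables or the shared credentials file instead of the source.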
Conclusion
AWS's S3 service lets you store files securely and affordably, and IAM lets you grant other people or applications access to exactly the resources you have created within AWS. When you use a fixed access key, treat the secret access key as a secret: never commit it to source control or paste it into code, supply it to the application through environment variables or the shared credentials file, and delete keys that are no longer in use. Rotate a key immediately if you suspect it has been exposed, and prefer short-lived credentials (IAM roles, IAM Identity Center) wherever the workload allows. Be sure to check AWS's official documentation.