Build Secure File Transfer Solution Using AWS S3 (2)


Introduction

In the previous article, Build Secure File Transfer Solution Using AWS S3 (1), I introduced the solution design and the security considerations, hardening in particular, when using AWS S3 for secure file transfer. The S3 bucket policy and the IAM user policies are used together to enforce access control.

This article demonstrates the configuration activities required to deploy the secure file transfer solution using the AWS S3 service.

Configuration Steps

Overview

I developed a process map to give an overview of the configuration activities. Boxes with a red border require JSON policy documents, which are included in this article.

S3_creation_processpng.png

1.1 Create S3 Bucket

Create two S3 buckets, one for the files and one for the access log records. I selected ‘Sydney’ as the bucket region so that the documents stay onshore in Australia.

Please note the S3 bucket naming requirements:

  • Start with a lowercase letter or a number
  • Contain only lowercase letters, numbers, periods and dashes
  • Be globally unique

1.2 Configure Bucket Properties

Select the target bucket and configure its Properties as required. I enabled logging and sent the logs to the log bucket. In addition, versioning is enabled so that changes to a file are tracked and a previous version can be restored. It not only strengthens security but also allows file recovery.

S3_bucket_property.png

1.3 Create Bucket Policy

The bucket policy is created from ‘Properties > Permissions > Edit bucket policy’.

The following JSON policy enforces two rules:

  • Uploads must use server-side encryption with AES256.
  • Downloads are allowed only from the whitelisted IP ‘8.8.8.8’.

altairxfile Bucket Policy

{
    "Version": "2012-10-17",
    "Id": "PutObjPolicy",
    "Statement": [
        {
            "Sid": "DenyIncorrectEncryptionHeader",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::altairxfile/*",
            "Condition": {
                "StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "AES256"
                }
            }
        },
        {
            "Sid": "DenyUnEncryptedObjectUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::altairxfile/*",
            "Condition": {
                "Null": {
                    "s3:x-amz-server-side-encryption": "true"
                }
            }
        },
        {
            "Sid": "IPDeny",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::altairxfile/*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": "8.8.8.8/32"
                }
            }
        }
    ]
}

2.1 Create User Policy

We then create the S3 user policies in JSON from ‘IAM > Policies’. Please note that IAM has no regional setting and is always ‘Global’.

In the following example, we create three policies, which will be applied to the three user groups ‘S3_HR’, ‘S3_Log’ and ‘S3_USER’ respectively. Custom-built policies can be filtered through ‘Customer Managed’.

S3_IAM_policy.png

The ‘S3_HR’ policy enforces the following rules:

  • S3_HR can manage all files and subfolders under ‘altairxfile/user/’.
  • S3_HR cannot access any other bucket or folder.

S3_HR Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGroupToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": [
                "arn:aws:s3:::altairxfile"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": [
                "arn:aws:s3:::altairxfile"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "user/*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::altairxfile/user/*"
            ]
        }
    ]
}

The ‘S3_USER’ policy enforces the following rules:

  • S3_USER has a home folder under ‘altairxfile/user’, named after their username.
  • S3_USER can only upload and delete files in their home folder.
  • S3_USER cannot access any other bucket or folder.

S3_USER Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowGroupToSeeBucketListInTheConsole",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "AllowRootAndHomeListingOfCompanyBucket",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::altairxfile"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "user/"
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Sid": "AllowListingOfUserFolder",
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::altairxfile"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "user/${aws:username}/*"
                    ]
                }
            }
        },
        {
            "Sid": "AllowAllS3ActionsInUserFolder",
            "Action": [
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::altairxfile/user/${aws:username}/*"
            ]
        }
    ]
}
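To see how the bucket policy from 1.3 and the group policies from 2.1 combine on a single request, here is a small policy evaluator written for this article as an added example. It is not the article's code, not boto3 and not the real IAM engine: it reproduces only the operators these policies use, ignores Principal (every bucket-policy statement above uses "*"), and, as a labelled assumption, treats an absent condition key as failing every operator except Null, which is exactly the case the bucket policy's second encryption statement is there to catch. The users ‘alice’ and ‘hr1’ and the documentation address 203.0.113.5 (a non-whitelisted source) are constructed for the demonstration.

```python
"""Toy evaluator for the article's bucket policy and IAM group policies.

Added example, not the article's or AWS's code. Models only what these policies
use (Effect, Action, Resource, ${aws:username}, StringEquals, StringNotEquals,
StringLike, Null, NotIpAddress); Principal is ignored. Assumption: an absent
condition key fails every operator except Null.
"""
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::altairxfile"
# Compact copies of the article's policies (Version, Sid and HR's redundant third ListBucket statement omitted).
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Effect": "Deny", "Action": "s3:GetObject", "Resource": BUCKET + "/*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "8.8.8.8/32"}}},
]}
HR_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": "s3:*", "Resource": BUCKET + "/user/*"},
]}
USER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringEquals": {"s3:prefix": ["", "user/"], "s3:delimiter": ["/"]}}},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET,
     "Condition": {"StringLike": {"s3:prefix": ["user/${aws:username}/*"]}}},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": BUCKET + "/user/${aws:username}/*"},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _subst(value, ctx):
    # Expand IAM policy variables such as ${aws:username} from the request context.
    for key, val in ctx.items():
        value = value.replace("${" + key + "}", str(val))
    return value

def _matches(value, patterns, ctx):
    # IAM-style wildcard match of an action or resource against a statement's patterns.
    return any(fnmatch.fnmatchcase(value, _subst(p, ctx)) for p in _as_list(patterns))

# Operator -> does the request value satisfy the (OR-ed) policy values?
_OPS = {
    "StringEquals": lambda actual, wanted: actual in wanted,
    "StringNotEquals": lambda actual, wanted: actual not in wanted,
    "StringLike": lambda actual, wanted: any(fnmatch.fnmatchcase(actual, w) for w in wanted),
    "NotIpAddress": lambda actual, wanted: not any(
        ipaddress.ip_address(actual) in ipaddress.ip_network(w) for w in wanted),
}

def _condition_holds(condition, ctx):
    # Every operator/key pair in a Condition block must hold (they are AND-ed).
    for op, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = [_subst(w, ctx) for w in _as_list(wanted)]
            actual = ctx.get(key)
            if op == "Null":  # "true": key must be absent, "false": key must be present
                if (actual is None) != (wanted[0] == "true"):
                    return False
            elif actual is None or not _OPS[op](actual, wanted):
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """IAM decision logic: an explicit Deny anywhere wins, else any Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if not (_matches(action, st["Action"], ctx) and _matches(resource, st["Resource"], ctx)
                    and _condition_holds(st.get("Condition", {}), ctx)):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def decide(group_policy, username, action, key, source_ip, sse=None, context=None):
    """Decide one request: key "" means the bucket itself, sse is the
    x-amz-server-side-encryption header value (None when absent), context holds
    extra keys such as s3:prefix and s3:delimiter for ListBucket."""
    ctx = {"aws:username": username, "aws:SourceIp": source_ip, **(context or {})}
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    return evaluate([BUCKET_POLICY, group_policy], action, BUCKET + ("/" + key if key else ""), ctx)

if __name__ == "__main__":
    # Constructed requests; 203.0.113.5 is a documentation address, not the whitelisted IP.
    for label, result in [
        ("alice uploads with AES256 to her own folder",
         decide(USER_POLICY, "alice", "s3:PutObject", "user/alice/a.pdf", "203.0.113.5", "AES256")),
        ("hr1 downloads from an IP outside the whitelist",
         decide(HR_POLICY, "hr1", "s3:GetObject", "user/alice/a.pdf", "203.0.113.5")),
    ]:
        print(f"{result:12} {label}")
```

Running the block prints the decision for each constructed request. Three results are worth checking against the intent of the policies: an S3_USER member gets an implicit deny on GetObject even from the whitelisted IP, because the group policy grants only PutObject and DeleteObject; an S3_HR download from any other address hits the bucket policy's explicit Deny, which no IAM Allow can override; and a ListBucket call with prefix ‘user/’ but no delimiter is denied, since StringEquals requires every listed key to be present.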

2.2 Create Group

Create the user groups under ‘IAM > Groups’ and attach the respective policy to each.

S3_IAM_group.png

2.3 Manage Password Policy

Password policy can be managed under ‘IAM > Account settings’, as below:

S3_IAM_pwdpolicy.png

If users are expected to change their password at first logon, you need to enable ‘Allow users to change their own password’.

2.4 Create User

Users are created under ‘IAM > Users’. Users are assigned to the groups created in 2.2 and therefore inherit the respective group policies created in 2.1.

S3_IAM_user.png

2.5 Notify User

Once user creation is complete, we can send an email to the user directly.

S3_IAM_email.png

The AWS auto-generated email includes the logon details, as below:

S3_email.png

2.6 Configure MFA (Optional)

Multi-factor authentication can be enabled from ‘IAM > Users > [select user] > Security credentials > Assigned MFA device’, as below:

S3_IAM_MFA.png

If users are to use a software token for two-factor authentication, they can install Google Authenticator on their mobile phone and follow the AWS virtual MFA instructions to complete the configuration.

To Be Continued

In the next article, I will demonstrate how a user uploads files to their home folder in the AWS S3 bucket, along with a few tests of the security policies.