Security

Click to play video

Cloud security is a giant can of worms. This isn't a security course, but I do want to give you a few pointers to keep you safe with a simple setup while using S3. A few things to think about:

Who can access your bucket, and which parts of your bucket can they access?
What actions can they take?
How are they authenticated? And from where can they authenticate?

At the moment, in your Tubely app:

Your bucket is publicly accessible. Anyone can get any individual object in your bucket.
Anyone can get the objects in your bucket, but only Tubely (and you) can change them or list them.
Public readers aren't authenticated, but your code is authenticated with your AWS IAM access key.

Keys Aren't Enough

While it's great that an attacker would need to steal your AWS credentials to be able to maliciously change the contents of your bucket, relying only on the secrecy of keys is often not enough.

Keys and passwords are compromised all the time.

One way to add an additional layer of security is to ensure that your keys can only be used from certain (virtual) locations. Then an attacker would need your keys and to be on your network to gain access.

Assignment

Open the AWS IAM dashboard by clicking the link, or by searching "IAM" in the AWS console search bar.
Go to the policies tab, and create a new policy.
Set permissions to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "0.0.0.0/32"
        }
      }
    }
  ]
}

Call the policy manager-from-home
Remove the admin policy from the managers group and add the manager-from-home policy. Because we set your user to be in the managers group, you should now have the new policy.
Try to use the CLI to upload a file.

aws s3 cp <local_file_path> s3://<bucket_name>

You should get denied because your IP address is not allowed (your address isn't 0.0.0.0)

Update the policy and replace 0.0.0.0 with your current IP address. (Keep the /32 at the end, it tells AWS that you want an exact match on the IP address)
Try to upload a file again. Now it should work!

Run and submit the CLI tests.

Your IP address can change, e.g. from switching networks or dynamic IP addresses. Whenever that happens, you'll need to update the policy.