We have a website hosted on AWS S3 that we intend to be accessed only by a limited group of people. Right now, we are whitelisting the allowed IPs, as described in Restrict access to website hosted on S3.

However, some of the people that must have access to this website don't have static IPs, which forces us to constantly update the whitelisted IPs in the AWS policy.

I'm pretty sure something like client-side certificates should work, but I have no idea how to implement that in terms of IAM policy. Any other (simpler) alternative that does not rely on the IPs being static? I'm guessing adding SSH keys to AWS wouldn't do any good in this case, right?

redwulf

1 Answer

One alternative approach is to set up user-based access control. You can do this by using the following AWS services.

  • AWS Cognito UserPools
  • AWS API Gateway
  • AWS S3

The steps are as follows

  1. Create an AWS Cognito User Pool
  2. Create your users there with an authenticated IAM role to allow API Gateway Execute.
  3. Create a public login page in S3 with the Cognito Login SDK
  4. Set up API Gateway and pass through to the S3 AWS service, and also add a Cognito User Pool authorizer, creating the required IAM roles (Check this example)

After the setup, users should be able to login and access S3 through API Gateway.

Ashan
  • I'm not sure I understand how this would stop someone from accessing a page hosted in S3. Wouldn't the pages still be accessible, unless I change my code to force a redirect if I'm not logged in? I never used the Cognito service, but my understanding is that it would behave like if I implemented an authentication on my own website. Am I missing something? – redwulf Jul 07 '17 at 07:47
  • Yes, it's similar to implementing an authentication mechanism. The clear difference between your own custom implementation and using User Pools and IAM authorization is that a significant amount is configuration rather than coding. – Ashan Jul 07 '17 at 11:04
  • So if I understand correctly, Cognito would block any access to a specific S3 bucket, unless the user gets authenticated first, right? Thanks, I might give it a go, if I can't find another solution. I'd still prefer to avoid any sort of user/password authentication, though... – redwulf Jul 07 '17 at 12:45
  • Cognito User Pools work as the user database, while you can attach an S3 access policy through a role. Then, using API Gateway for logged-in users, it will grant S3 access. – Ashan Jul 07 '17 at 13:20
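The three policy documents the answer's steps rely on, plus the check the comments circle around (does the bucket still answer anonymous requests?), as an added example that is not part of the original thread. The account ID, region, API ID, bucket and role names are placeholders; the IP-whitelist policy is a constructed stand-in for the questioner's current setup. The point the comments leave implicit: the user-pool login only protects the site if the old public bucket policy is replaced by one that grants read only to the API Gateway role, otherwise the direct S3 website URL keeps working.

```python
"""IAM/bucket policy documents for the Cognito + API Gateway + S3 setup,
and a check that the bucket no longer grants anonymous, unconditioned reads.

Added example: all identifiers below are hypothetical placeholders.
"""
import json

POLICY_VERSION = "2012-10-17"


def ip_whitelist_policy(bucket, cidrs):
    """The questioner's current approach (constructed stand-in): world-readable,
    but restricted by an IpAddress condition on the source IP."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Sid": "IpWhitelistRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
        }],
    }


def authenticated_user_policy(region, account_id, api_id, stage="prod"):
    """Policy for the Cognito *authenticated* IAM role (answer step 2):
    logged-in users may only invoke GET methods on this one API stage."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/GET/*",
        }],
    }


def api_gateway_s3_policy(bucket):
    """Policy for the role API Gateway assumes for the S3 pass-through
    (answer step 4): read-only and scoped to the website bucket."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def private_bucket_policy(bucket, api_role_arn):
    """Bucket policy that replaces the IP whitelist: only the API Gateway
    role may read objects, so direct S3 / website-endpoint URLs stop working."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Sid": "AllowOnlyApiGatewayRole",
            "Effect": "Allow",
            "Principal": {"AWS": api_role_arn},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _principal_is_everyone(principal):
    """True for the anonymous principal forms: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy):
    """Return the Sids (or list indexes) of Allow statements granted to everyone
    with no Condition at all. Those are the grants that leave the site reachable
    without going through Cognito; a conditioned grant (like the IP whitelist)
    is restricted and is not reported."""
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid", str(i)))
    return found


if __name__ == "__main__":
    # Hypothetical identifiers; print the documents you would paste into the console.
    role_arn = "arn:aws:iam::123456789012:role/ApiGatewayS3ReadRole"
    for name, doc in [
        ("authenticated-role", authenticated_user_policy("us-east-1", "123456789012", "abc123")),
        ("api-gateway-role", api_gateway_s3_policy("my-private-site")),
        ("bucket-policy", private_bucket_policy("my-private-site", role_arn)),
    ]:
        print(f"--- {name} ---")
        print(json.dumps(doc, indent=2))
    print("public statements:", public_statements(private_bucket_policy("my-private-site", role_arn)))
```

Run `public_statements` against the bucket's live policy (`aws s3api get-bucket-policy`) after the switch: an empty list means no unconditioned anonymous grant survived. Note that the checker only inspects the bucket policy; object ACLs and S3 Block Public Access are separate settings and should be reviewed as well.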