All flash briefing requests are coming from an Alexa device (probably via an Amazon service) so there should be a way to identify and allow these without making an S3 bucket fully public.

This could most likely be achieved using Conditions or Principals but we would have to know the details of the request.

Has anyone achieved this? OR Does anyone have a sample request when a Flash Briefing skill is attempting to retrieve the JSON (or RSS) file?

Here is sample code that allows for the flash briefing but makes the bucket fully public, allowing anyone to use up resources:

    {
        "Version": "2008-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::numbers:role/my-role-to-update"
                },
                "Action": [
                    "s3:PutObject",
                    "s3:PutObjectAcl",
                    "s3:GetObject",
                    "s3:GetObjectAcl"
                ],
                "Resource": "arn:aws:s3:::my-bucket/*"
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "*"
                },
                "Action": [
                    "s3:GetObject",
                    "s3:GetObjectAcl"
                ],
                "Resource": "arn:aws:s3:::my-bucket/*"
            }
        ]
    }

Lou Bagel

1 Answer

I'm not familiar with specifically providing Flash Briefings, but this sounds like an opportunity to use Amazon S3 pre-signed URLs.

Basically, objects are kept private. Then, when an application wishes to provide temporary access to an Amazon S3 object, it can generate a time-limited pre-signed URL. Your application can then provide this URL that will work fine until the time expires. Thereafter, it will not return the object.

John Rotenstein