Carl Maltby Posted July 10, 2023

I received an email from AWS with the title, "[ACTION REQUIRED] - Update your S3 object access to maintain connectivity" and to be honest, I'm out of my depth. I'll do a bit of backgrounding for context.

We're an old old site cloud hosted with IPS and we've never really needed to grow what we do with our site on a technical level. Everything is simple and the community JustWorks. Our storage size has mounted up a LOT over the last 20yrs so I transitioned our storage to S3 using my very minimal amount of knowledge, and it seems to work. We're also caching all image uploads against remote links to prevent image link rot (thanks Photobucket). Thus far, everything has worked admirably and simply and I am concerned about the relative fragility of our bucket data, which comes to about 47GB as of writing.

I am told that I need to set up a Cloudfront distribution which as I understand it is a middleman between the S3 bucket and our site's storage request/serving. Correct me if I'm wrong. I'm a bit stuck on the settings for Cloudfront, even though I seem to have muddled through and gotten it working. This hardly feels like the best recipe for success or defensibility! I don't seem to be able to find any guides or advice outside of self-hosting, and even then clues are thin on the ground.

I'm sure that I am not the only person in this position, so any guiding words or handholding would be welcomed.... I very much dislike having something working and not having the knowledge onboard to know why it's working, how securely/appropriately, or not knowing if I am building a stronger problem going forward.
Marc Posted July 10, 2023

Please could you clarify the question there, as you don't seem to have asked any from what I can see.
Carl Maltby (Author) Posted July 10, 2023

This is more of a discussion about setting up Cloudfront for an S3 bucket rather than a specific question, Marc. If this is not appropriate for this area (questions only?) please move to an appropriate forum. The bottom line is that I am feeling really out of my depth here, so I probably don't even know what the question is yet.
Marc Posted July 10, 2023

1 hour ago, Carl Maltby said: This is more of a discussion about setting up Cloudfront for an S3 bucket rather than a specific question, Marc. If this is not appropriate for this area (questions only?) please move to an appropriate forum.

No, it's not a problem at all. It was actually more with you titling it that there were questions 😄
Carl Maltby (Author) Posted July 10, 2023 (edited)

It's likely more of an issue of me spending more time the other side of the fence rather than knee deep in admin, Marc. In a way that's testament to the software working without needing to keep a hand on the wheel all of the time. Very true about my phrasing of the title.... so let's try going with that a bit better....

Are there any good setup and maintenance threads or external resources on setting up an S3 bucket - eg. for security - and periodic backups on the AWS side of things? I have a nice ⚠️ telling me that it doesn't like the "public" nature of the bucket, however I am so un-versed in all things S3 that I don't know how to secure it without breaking the functionality. I would guess that the bucket is more or less open to the world and not just our site.

Would I also be correct in thinking that Cloudfront acts as a service that provides data from the S3 bucket, almost as a layer of protection rather than direct access? Literally, I am that out of touch! I should probably accept a slap on the wrist.

Edited July 10, 2023 by Carl Maltby
Jim M Posted July 10, 2023

I would advise reviewing our Guide on setting up S3 with CloudFront and then asking any questions you have: The Guide likely has changed since you've last set it up.
Kjell Iver Johansen Posted July 10, 2023 (edited)

I had the same mail from AWS and got some help from a developer, and it seemed there was another service I use that might use that storage also. In my case it pointed to Open Office - although I do not use that service or program now. Actually I'm a little lost regarding why in my case they point to that program, anyway: In my email there is a code at the bottom. Connection details will be in the following format:

Region | Bucket name(s) | APIAction | TLSVersion | NumCalls | UserAgent

Just a suggestion - look for the useragent there..

Edited July 10, 2023 by Kjell Iver Johansen
Carl Maltby (Author) Posted July 11, 2023

This one looks innocent enough:

Region | Bucket name(s) | APIAction | TLSVersion | NumCalls | UserAgent
eu-west-1 | ******************* | REST.GET.OBJECT | TLSv1 | 1 | [Mozilla/5.0 (Linux; U; Android 4.1.2; th-th; GT-I8262 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30]

I can only presume that files in the S3 bucket are being referenced directly from somebody's mobile browser using TLS v1 rather than via the forums/site. Again, I think that this is an issue with the bucket being public read:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AllowPublicRead",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::xxxxxxxxxxxxxx/*"
    }
  ]
}

I'll go through the guide and refresh/build my knowledge, thanks for the link. I didn't find this yesterday.
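As an added example (not from this thread, Invision Community or AWS), a short Python script that parses connection-details lines in the format quoted above, flags the TLS 1.0/1.1 calls the AWS notice is about, and builds a replacement for the public-read policy that grants s3:GetObject only to one CloudFront distribution and denies any request below TLS 1.2. The report lines, bucket name and distribution ARN are constructed placeholders.

```python
import json

# Constructed sample in the email's format: Region | Bucket | APIAction | TLSVersion | NumCalls | UserAgent
SAMPLE_REPORT = """\
eu-west-1 | example-bucket | REST.GET.OBJECT | TLSv1 | 1 | [Mozilla/5.0 (Linux; U; Android 4.1.2)]
eu-west-1 | example-bucket | REST.GET.OBJECT | TLSv1.2 | 412 | [Mozilla/5.0 (Windows NT 10.0)]
eu-west-1 | example-bucket | REST.PUT.OBJECT | TLSv1.1 | 3 | [aws-sdk-php/3.0]
"""

DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}  # versions S3 stops accepting per the notice


def parse_report(text):
    """Split each pipe-separated line into a dict; the user agent is the last field."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        region, bucket, action, tls, calls, agent = [f.strip() for f in line.split("|", 5)]
        rows.append({"region": region, "bucket": bucket, "action": action,
                     "tls": tls, "calls": int(calls), "agent": agent.strip("[]")})
    return rows


def deprecated_calls(rows):
    """Return (tls, action, agent, calls) for every row still on TLS 1.0/1.1."""
    return [(r["tls"], r["action"], r["agent"], r["calls"])
            for r in rows if r["tls"] in DEPRECATED_TLS]


def hardened_policy(bucket, distribution_arn):
    """Replace Principal "*" with the CloudFront service principal scoped to one
    distribution (origin access control), and deny anything below TLS 1.2."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AllowCloudFrontRead", "Effect": "Allow",
             "Principal": {"Service": "cloudfront.amazonaws.com"},
             "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*",
             "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}}},
            {"Sid": "DenyOldTLS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
             "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
             "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}}},
        ],
    }


if __name__ == "__main__":
    for tls, action, agent, calls in deprecated_calls(parse_report(SAMPLE_REPORT)):
        print(f"{tls:8} {action:16} {calls:>4} call(s)  {agent}")
    print(json.dumps(hardened_policy("example-bucket",
                                     "arn:aws:cloudfront::123456789012:distribution/EXAMPLE"), indent=2))
```

Applying the policy without first moving the site to the CloudFront origin would cut off the direct object URLs the forum currently serves, so the allow statement and the distribution need to be in place together.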
Carl Maltby (Author) Posted July 11, 2023 (edited)

16 hours ago, Jim M said: I would advise reviewing our Guide on setting up S3 with CloudFront and then asking any questions you have: The Guide likely has changed since you've last set it up.

Yes, the process has changed quite significantly. For the most part it is still possible to follow, however after a certain point (after creating a user) the process breaks down somewhat. It looks like the user created needs an access key generating manually, and doing so presents a lot of options which I am somewhat loth to just guess at. The stage at which a new user is allowed Programmatic Access no longer has that option. Checking the user details presents us with this option for generating access keys:

Edited July 11, 2023 by Carl Maltby
Marc Posted July 11, 2023

Thank you for your feedback on that. I will certainly get that guide looked at.