This guide walks through what an “IAM user who can write to the S3 bucket” looks like in practice: the bucket's objects are made world readable, an IAM user is granted write access to the bucket, and the objects are served through a CloudFront distribution.
1. Create a bucket in S3 (my-bucket)
1. Log in to the AWS Management Console
4. Create a custom/AWS bucket policy to make it world readable (the statement grants anonymous s3:GetObject on the bucket's objects only, as its Sid indicates):
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "PublicReadForGetBucketObjects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
http://docs.aws.amazon.com/AmazonS3/latest/gsg/CreatingABucket.html
2. Create an IAM user and grant it a policy for accessing the S3 bucket
1. Log in to the AWS Management Console and click the IAM tab.
2. Create an account alias for the IAM URL
Add an account alias in the AWS Account Alias section of the IAM console. Your login URL will then be alias.signin.aws.amazon.com.
3. Create a new group or a new user
With IAM you can create a group that has certain permissions and then assign users to that group, or you can just create users.
4. Set a password for the new user
Click the new user you’ve created and then click the Security Credentials tab. On that page, click Manage Password to add a password for your user. Without a password, the user won’t be able to log in to the AWS console.
Make a note of the AWS access key and secret key for the IAM user.
5. Add permissions for your user
Permissions are added either to the group the user is in or, if you decided not to create a group, to the user account itself.
Click the user or group, then click the Permissions tab. Here you can see which permission policies are currently attached to the group or user. Click the Attach Policy button. You’ll get a pop-up where you can Manage User Permissions. Here you can select a pre-rolled policy, use the Policy Generator, or just paste in a custom policy.
To manage the bucket, you need to grant the s3:* action on the bucket you designate. AWS policies designate resources by their Amazon Resource Name (ARN); for S3 buckets, they look like arn:aws:s3:::bucket.
Sample policy granting an IAM user permissions on a specific bucket:
{
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    }
  ]
}
The policy states that the user can list all buckets (necessary to use the AWS console) and has full permissions on the designated bucket.
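As an added example (not code from the original page), the following Python builds the two policies from steps 1 and 2 for the page's bucket name and lints a bucket policy for anonymous grants that go beyond reading objects: the public-read policy above should produce no findings, while a variant that also allows s3:PutObject or names the bucket ARN itself (which would permit listing) is flagged.

```python
def public_read_policy(bucket):
    """Bucket policy from step 1: anonymous GetObject on objects only."""
    return {
        "Version": "2008-10-17",
        "Statement": [{
            "Sid": "PublicReadForGetBucketObjects",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def iam_user_policy(bucket):
    """IAM user policy from step 2: list all buckets, full control of one."""
    return {"Statement": [
        {"Action": ["s3:ListAllMyBuckets"], "Effect": "Allow",
         "Resource": "arn:aws:s3:::*"},
        {"Action": "s3:*", "Effect": "Allow",
         "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]},
    ]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def public_access_findings(policy):
    """List the ways an Allow statement for anonymous principals ("*") exceeds
    read-only object access: actions other than s3:GetObject, or the bucket ARN."""
    findings = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") != "Allow" or not anonymous:
            continue  # IAM user policies carry no Principal and are skipped
        actions = _as_list(st.get("Action", []))
        if not actions:
            findings.append("statement has no Action (policy is invalid)")
        for action in actions:
            if action.lower() != "s3:getobject":
                findings.append(f"anonymous action {action}")
        for arn in _as_list(st.get("Resource", [])):
            if not arn.endswith("/*"):
                findings.append(f"anonymous access to bucket resource {arn}")
    return findings
```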
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SettingUpUser.html
3. CloudFront distribution
AWS CloudFront is a content distribution service offered by AWS to speed up the delivery of static or dynamic content, such as media files, HTML, JS and CSS, as well as PHP. CloudFront serves its content through edge locations. CloudFront can serve content from AWS S3, from the user’s own origin server, or from AWS services such as EC2 and ELB. In CloudFront, content is organized into distributions, each of which specifies the origin (the location of the objects): an AWS S3 bucket or your own origin.
1. Create a bucket in AWS S3. Make the bucket publicly accessible with the access policy.
2. Upload the files to be distributed through CloudFront to the bucket, and make them public.
3. Go to the AWS console at http://aws.amazon.com/console and click on “CloudFront”.
4. In the CloudFront console, click on “Create Distribution”.
5. In the Create Distribution wizard, select the download distribution. (CloudFront also supports streaming of media files; this guide explains how to distribute an image file.) Click on “Continue”.
6. Provide the origin ID as the name of the bucket created in step #1. For now, accept the default value for “Restrict Bucket Access”.
7. Accept the default cache behavior values on the same page. The cache behavior settings are:
a. Path Pattern applies the cache behavior to specific objects. With the default (*), all requests are forwarded to the bucket selected in step #6.
b. Viewer Protocol Policy controls whether end users can access objects through HTTP and HTTPS.
c. “Restrict User Access” controls who may view the content; allow everyone.
d. Object Caching caches objects for up to 24 hours by default. To specify a different time, use the customize option.
e. Forward Cookies applies to AWS EC2 and custom origins. It controls whether cookies are forwarded to the origin server.
f. Forward Query Strings is used to serve different versions of an object based on the query string in the URL.
8. Provide values for the distribution settings as given below:
a. Price Class: lets the user select the maximum price to pay for the CloudFront service.
b. CNAMEs lets the user use their own URLs for objects instead of the domain name that CloudFront assigns. Thus, instead of the CloudFront distribution domain http://d111111abcdef8.cloudfront.net/, the user can specify a custom URL.
c. Default Root Object is served when the user requests the root URL of the distribution (i.e. the user requests http://mynvm.com instead of http://mynvm.com/index.html).
d. Cookie Logging is used to allow origins other than AWS S3.
e. Comment is used to describe the distribution.
f. Distribution State, when enabled, allows CloudFront to process requests as soon as the distribution is created.
Click on the “Create Distribution” button after providing the values explained in steps #6, 7 and 8.
9. CloudFront will now create the distribution, which takes about 5-10 minutes. While the distribution is being created, its status will be “In Progress”.
10. Once the distribution has been created, the status will change to “Enable”. Get the domain name of the distribution. The domain name for the download distribution starts with ‘d’ and has the following format: “d111111abcdef8.cloudfront.net”.
11. To test the CloudFront distribution, first create an HTML file that uses the distribution and requests the image uploaded to the origin bucket in step #2.
12. When the HTML is requested, it will show the image. The object uploaded in step #2 is served from the CloudFront edge location and not directly from the S3 origin. The image delivered through CloudFront is marked in the figure given below.
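To confirm step 12's claim that the image is delivered from an edge location rather than straight from the origin, here is an added Python check (not from the original page) over the response headers of the image request; the header names are CloudFront's standard Via and X-Cache, and the sample values are constructed.

```python
def cloudfront_delivery(headers):
    """Classify the response to the test page's image request by its headers.

    `headers` maps response header names (any case) to values. Returns
    (served_by_cloudfront, cache_status); cache_status is the first word of
    CloudFront's X-Cache header ('hit', 'miss', 'refreshhit', 'error'),
    or None when the response did not pass through CloudFront.
    """
    h = {name.lower(): value for name, value in headers.items()}
    x_cache = h.get("x-cache", "")
    status = None
    if x_cache.lower().endswith("from cloudfront"):
        status = x_cache.split()[0].lower()
    via_cloudfront = "cloudfront" in h.get("via", "").lower()
    return (via_cloudfront or status is not None), status


# Constructed sample headers (not captured from a real distribution).
EDGE_RESPONSE = {
    "Via": "1.1 0123456789abcdef.cloudfront.net (CloudFront)",
    "X-Cache": "Hit from cloudfront",
    "Server": "AmazonS3",
}
# What a request that bypassed CloudFront and hit the S3 origin looks like.
ORIGIN_RESPONSE = {"Server": "AmazonS3", "Content-Type": "image/png"}
```

If the test page's image comes back with no Via or X-Cache header, it is being fetched with the bucket's S3 URL rather than the distribution's domain name.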
4. Add the bucket policy (the same one shown in step 1) to make the S3 bucket's objects world readable
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "PublicReadForGetBucketObjects",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
5. Add a CNAME record
1. Specify the CNAME (static.mydomain.com) in the CloudFront distribution.
2. Create a CNAME record in your DNS system to establish the alias between your domain name and the CloudFront domain name of your distribution.