AWS vs. Azure - Object Storage - Valet Key Pattern Part 3
In the last post, we discussed the concepts behind the valet key pattern. In this post, I will walk through how to perform this operation on AWS.
In AWS, in general, all bucket access is controlled by IAM. AWS also has the concept of signed urls, which allow someone to share a URL (very similar to SAS tokens in Azure). We will look at both techniques in this post.
Temporary Access via Temporary Security Credentials
Temporary tokens can be issued from the AWS Security Token Service and function much the same way as the access keys to any IAM role. The difference is that they can be used for temporary access.
In Powershell, you can use the Use-STSRole command to generate a temporary token.
Here is an example:
$credential = Use-STSRole -RoleArn <<arn>> -DurationInSeconds 900 -region ca-central-1 -roleSessionName <<name>>
Basically, your web application principal will need to have permissions to assume an appropriate role. You will likely want to create a specific role with permissions (eg: read, update, delete) to target buckets. The above command can then be run to assume that role for a duration of 900 seconds.
The last parameter above, roleSessionName, allows you to alias a particular session and keep track of the credentials you have given out.
A couple of notes:
- The minimum amount of time you issue a temporary STS token is 900 seconds
- You can further restrict access by issuing session policies that are only valid for the granted credentials. For more information, please see https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Temporary Access via Pre-signed URLs
Pre-signed URLs can be created via the API. For powershell, the cmdlet you are looking for is Get-S3PreSignedURL. When you create a per-signed URL, there a multitude of options you can set on the key itself. A couple of interesting ones:
Expire - The expiry time for the token
Protocol - The protocol allowed to be used
Verb - The HTTP verbs that the key will authorize for
Here is an example of what the key looks like.
https://shamctest.s3.ca-central-1.amazonaws.com/index.html?X-Amz-Expires=3600&x-amz-security-token=FQoGZXIvYXdzEPv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDMEEzxRQdn8DfkOFvCKvARUPLkqKEJQ%2FeaZwD5Q3KUfgCi6D6hzdchqDB5qJGuMLqs9pgdEDwXYkxtbBGcJhiSAln3e6XlwyUXiqrSeZLYF%2B2MI3I4eXgkgeUCRuePbduQpDhjM5Suwfee9xRyIuuvl%2BrxWCyvwie0J5YHIPsSnoGEuu9rzUrExOpNRhOhbNZcgOkge2JETCr8MlSUJs99JUCYK1Mf2iEydojk7k%2Bu3WFL%2BCdWjZG1DAxpies6govNCr4wU%3D&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA32Z7R3JE6JXKST3X/20190218/ca-central-1/s3/aws4_request&X-Amz-Date=20190218T172823Z&X-Amz-SignedHeaders=host;x-amz-security-token&X-Amz-Signature=b0df41b643c9b6626dd95a89ae233dd4cbb170b14c45597b7c284cce20dd9873
The above key makes use of the AWS Signature Version 4. You can find out more information on the various settings by going to https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
I think of the two methods described above, the Pre-signed URLs are most likely the best choice to satisfy the valet key pattern.
About Shamir Charania
Shamir Charania, a seasoned cloud expert, possesses in-depth expertise in Amazon Web Services (AWS) and Microsoft Azure, complemented by his six-year tenure as a Microsoft MVP in Azure. At Keep Secure, Shamir provides strategic cloud guidance, with senior architecture-level decision-making to having the technical chops to back it all up. With a strong emphasis on cybersecurity, he develops robust global cloud strategies prioritizing data protection and resilience. Leveraging complexity theory, Shamir delivers innovative and elegant solutions to address complex requirements while driving business growth, positioning himself as a driving force in cloud transformation for organizations in the digital age.