When uploading files to an S3 bucket for backup purposes, it's important to make all uploaded objects private, that is, make all objects accessible only by the owner and not by the public. This is already done by default in S3Express, unless otherwise specified. However, to avoid mistakes, this requirement can also be explicitly enforced by using a bucket policy similar to the following one:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PrivateAclPolicy",
      "Effect": "Deny",
      "Principal": { "AWS": "*" },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_name/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-acl": [ "private" ]
        }
      }
    }
  ]
}
Replace bucket_name with the name of your bucket.
This policy allows objects to be uploaded to the bucket only if the ACL is explicitly set to "private"; otherwise access is denied. The policy also ensures that the ACL cannot be changed from private.
The following is an example of uploads explicitly made private in S3Express:
put c:\folder\ bucket_name -s -cacl:private
-cacl:private explicitly makes all uploaded objects private. This is the default (if -cacl is not specified), but the bucket policy above now requires it to be explicitly specified or access will be denied.
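The following added example (not part of S3Express or of the original article) models how the Deny statement above treats requests, including the case where no x-amz-acl header is sent at all. The function name is_denied and the sample requests are constructed for illustration, and Principal and Resource are assumed to match.

```python
import json

# Policy from the article; bucket_name is the article's placeholder.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{
  "Sid": "PrivateAclPolicy", "Effect": "Deny", "Principal": {"AWS": "*"},
  "Action": ["s3:PutObject", "s3:PutObjectAcl"],
  "Resource": ["arn:aws:s3:::bucket_name/*"],
  "Condition": {"StringNotEquals": {"s3:x-amz-acl": ["private"]}}}]}
""")

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_denied(policy, action, acl_header):
    """True if a Deny statement with a StringNotEquals s3:x-amz-acl condition matches.

    acl_header is the request's x-amz-acl value, or None when the header is absent.
    Simplification (assumption): Principal and Resource are taken to match.
    """
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny" or action not in as_list(stmt["Action"]):
            continue
        cond = stmt.get("Condition", {}).get("StringNotEquals", {})
        if "s3:x-amz-acl" not in cond:
            continue
        # Negated operators such as StringNotEquals also match when the key is
        # missing from the request, so an upload without the header is denied.
        if acl_header is None or acl_header not in as_list(cond["s3:x-amz-acl"]):
            return True
    return False

# Constructed sample requests: (action, x-amz-acl header or None).
SAMPLES = [
    ("s3:PutObject", "private"),
    ("s3:PutObject", None),
    ("s3:PutObject", "public-read"),
    ("s3:PutObjectAcl", "public-read"),
    ("s3:GetObject", None),
]

def evaluate_samples():
    return [(a, h, is_denied(POLICY, a, h)) for a, h in SAMPLES]

if __name__ == "__main__":
    for action, header, denied in evaluate_samples():
        print(f"{action:16} x-amz-acl={header!s:12} -> {'DENY' if denied else 'not denied'}")
```

"Not denied" here only means this statement does not block the request; the caller still needs permission to perform the action.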
To set a bucket policy you can use the Amazon S3 Console.
To verify and to make sure that all the already existing objects in a bucket are correctly set to private, see: www.s3express.com/kb/item24.htm