
Feb 24, 2025 - 20:42
Secure Your S3 Bucket for Image Hosting: A Step-by-Step Guide

In today’s cloud-driven world, safeguarding your data while delivering content fast is essential. This guide will walk you through the process of creating a secure S3 bucket for storing and serving images. You'll learn how to configure bucket policies, CORS settings, and additional security features—all designed to keep your assets protected and accessible only to trusted sources.

1. Create the S3 Bucket

Log in to the AWS Management Console:

Navigate to the S3 service.

Create a New Bucket:

  • Click Create bucket.
  • Enter a unique bucket name (e.g., best-practices-s3) and choose your AWS Region.
  • In the Block Public Access settings, enable Block all public access to prevent accidental exposure.

Important Note:

If you plan to add a bucket policy that grants limited public access using conditions such as aws:Referer, you must disable the setting that blocks public bucket policies. Otherwise, you will encounter an error such as:

"User is not authorized to perform: s3:PutBucketPolicy ... because public policies are blocked by the BlockPublicPolicy block public access setting."

To use your custom bucket policy, disable Block public bucket policies while keeping the other block settings enabled. (Be sure to manage your policy carefully to avoid unintentional exposure.)

[Screenshot: Disable block public bucket policies]

Finalize Creation:

Complete the steps and click Create bucket.

2. Configure Object Ownership

  • Go to your bucket’s Permissions tab.
  • Under Object Ownership, choose Bucket owner enforced. This setting disables Access Control Lists (ACLs) so that only your bucket policy manages access.

[Screenshot: Set Object Ownership]

3. Set Up a Bucket Policy

Bucket policies control who can access your bucket’s objects. In this guide, object reads are allowed only for requests that carry a Referer header from a trusted domain and that arrive over HTTPS; everything else is denied.

  1. Open the Bucket Policy Editor:

    In the Permissions tab, click Bucket Policy.

  2. Paste the Following Policy:

    Replace best-practices-s3 with your bucket name if needed.

   {
       "Version": "2012-10-17",
       "Id": "PolicyForTrustedAccess",
       "Statement": [
           {
               "Sid": "AllowTrustedAccess",
               "Effect": "Allow",
               "Principal": "*",
               "Action": "s3:GetObject",
               "Resource": "arn:aws:s3:::best-practices-s3/*",
               "Condition": {
                   "StringLike": {
                       "aws:Referer": [
                           "https://*.example.com/*"
                       ]
                   },
                   "Bool": {
                       "aws:SecureTransport": "true"
                   }
               }
           },
           {
               "Sid": "DenyNonTrustedAccess",
               "Effect": "Deny",
               "Principal": "*",
               "Action": "s3:GetObject",
               "Resource": "arn:aws:s3:::best-practices-s3/*",
               "Condition": {
                   "StringNotLike": {
                       "aws:Referer": [
                           "https://*.example.com/*"
                       ]
                   }
               }
           }
       ]
   }

[Screenshot: Set Up a Bucket Policy]

  3. Save the Policy.
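To see how the Allow and Deny statements above interact, here is an added Python simulator (written for this guide, not part of the original post and not AWS's own evaluator) that applies IAM condition semantics to a few constructed request contexts. It shows that a request with no Referer header matches the Deny statement, that plain HTTP is refused by the implicit deny rather than the explicit one, and that the apex domain example.com is outside the *.example.com pattern.

```python
import re

BUCKET = "best-practices-s3"  # the guide's example bucket name
# Constructed copy of the guide's two policy statements, trimmed to the fields
# that matter for evaluation (Principal "*" and Resource are the same in both).
POLICY = [
    {"Sid": "AllowTrustedAccess", "Effect": "Allow", "Action": "s3:GetObject",
     "Condition": {"StringLike": {"aws:Referer": ["https://*.example.com/*"]},
                   "Bool": {"aws:SecureTransport": "true"}}},
    {"Sid": "DenyNonTrustedAccess", "Effect": "Deny", "Action": "s3:GetObject",
     "Condition": {"StringNotLike": {"aws:Referer": ["https://*.example.com/*"]}}},
]

def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run, '?' one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def condition_true(op, key, expected, ctx):
    """Evaluate one (operator, key) pair against the request context."""
    values = expected if isinstance(expected, list) else [expected]
    actual = ctx.get(key)
    if op == "StringLike":       # missing key => false
        return actual is not None and any(string_like(p, actual) for p in values)
    if op == "StringNotLike":    # negated operator: missing key => TRUE
        return actual is None or not any(string_like(p, actual) for p in values)
    if op == "Bool":
        return actual is not None and actual.lower() == values[0].lower()
    raise ValueError(f"unsupported operator {op}")

def evaluate(ctx, action="s3:GetObject", policy=POLICY):
    """Return (effect, sid). An explicit Deny overrides any Allow; no match is an implicit Deny."""
    allow_sid = None
    for stmt in policy:
        if stmt["Action"] != action:
            continue
        matched = all(condition_true(op, key, exp, ctx)
                      for op, block in stmt["Condition"].items()
                      for key, exp in block.items())
        if matched and stmt["Effect"] == "Deny":
            return "Deny", stmt["Sid"]
        if matched and allow_sid is None:
            allow_sid = stmt["Sid"]
    return ("Allow", allow_sid) if allow_sid else ("Deny", "implicit")

# Constructed request contexts as S3 would see them (values are illustrative).
SAMPLE_REQUESTS = {
    "trusted page over HTTPS": {"aws:Referer": "https://app.example.com/gallery", "aws:SecureTransport": "true"},
    "hotlink from another site": {"aws:Referer": "https://other.test/page", "aws:SecureTransport": "true"},
    "direct fetch, no Referer": {"aws:SecureTransport": "true"},
    "trusted page over plain HTTP": {"aws:Referer": "https://app.example.com/gallery", "aws:SecureTransport": "false"},
    "apex domain, no subdomain": {"aws:Referer": "https://example.com/gallery", "aws:SecureTransport": "true"},
}

if __name__ == "__main__":
    for name, ctx in SAMPLE_REQUESTS.items():
        print(f"{name:30} -> {evaluate(ctx)}")
```

Because the Referer header is set by the client, this policy deters casual hotlinking but is not an authentication control. Note also that the explicit Deny with Principal "*" applies to your own IAM users and roles too: a GetObject from the CLI without a Referer header is refused until you add an exception for those principals.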

4. Configure CORS (Cross-Origin Resource Sharing)

CORS settings allow your images to be requested by web pages from specific domains. The rule below covers GET only; if you later upload through pre-signed URLs, this is also where you would allow the methods those uploads use.

  1. Open the CORS Configuration Editor:

    In the Permissions tab, click CORS configuration.

  2. Enter the Following Configuration for GET requests:

   [
       {
           "AllowedHeaders": ["*"],
           "AllowedMethods": ["GET"],
           "AllowedOrigins": [
               "https://*.example.com"
           ],
           "ExposeHeaders": []
       }
   ]
