Configuring IAM Policies and S3 Bucket Setup for a Secure CDN with CloudFront Integration

When delivering content via a Content Delivery Network (CDN), Amazon S3 buckets are often used to store and serve static files such as images, videos, or other assets. To ensure secure and efficient access to these resources, it is essential to configure AWS Identity and Access Management (IAM) policies appropriately. Additionally, integrating Amazon CloudFront with the bucket can enhance performance and security.
In this article, we will analyse two IAM policies designed to grant specific permissions for managing and accessing an S3 bucket used as a CDN, explain how to set up the bucket, and briefly touch on CloudFront and SSL certificates for custom domains.
Policy 1: Listing All Buckets
The first policy allows users to list all S3 buckets within the AWS account. This is particularly useful for administrative purposes, enabling users to view the available buckets in the AWS Management Console. Below is the policy definition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGroupToSeeBucketListInTheConsole",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    }
  ]
}
Key elements of this policy include:
- Action: s3:ListAllMyBuckets. This action grants permission to list all buckets associated with the AWS account.
- Resource: "arn:aws:s3:::*". The wildcard (*) indicates that the permission applies to all S3 buckets.
While this policy provides visibility into the account's bucket structure, it does not grant any object-level permissions. Therefore, it serves as a foundational policy for users who need to navigate the S3 environment but do not require direct access to the contents of specific buckets.
Policy 2: Managing a Specific Bucket
The second policy focuses on granting granular permissions for a specific S3 bucket (EXAMPLES3BUCKET) used to deliver CDN files. Since this bucket is public, its configuration must balance security and accessibility. Below is the policy definition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1416670692010",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::EXAMPLES3BUCKET",
        "arn:aws:s3:::EXAMPLES3BUCKET/*"
      ]
    }
  ]
}
This policy ensures that authorised users can manage the bucket's contents while maintaining public accessibility for CDN delivery. Key elements include:
- Actions:
  - s3:ListBucket: Allows listing the contents of the specified bucket.
  - s3:PutObject: Enables uploading new objects to the bucket.
  - s3:PutObjectAcl: Grants control over the Access Control List (ACL) of uploaded objects, which is crucial for making objects publicly accessible.
  - s3:DeleteObject: Permits the deletion of objects from the bucket.
- Resources:
  - "arn:aws:s3:::EXAMPLES3BUCKET": Targets the bucket itself.
  - "arn:aws:s3:::EXAMPLES3BUCKET/*": Targets all objects within the bucket.
The inclusion of s3:PutObjectAcl is vital for configuring public read permissions on uploaded objects, aligning with the bucket's role as a CDN source.
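To make the boundaries of these two policies concrete, here is an added example (not code from the article) that runs a simplified IAM evaluation over both policy documents. It implements the Allow/Deny/implicit-deny logic with IAM-style wildcards and deliberately ignores Conditions and NotAction/NotResource, so it answers "does this identity policy grant action X on resource Y" for the article's policies; the object key and the OTHERBUCKET name are constructed for the demonstration.

```python
import json
import re

# The two IAM policies from the article (EXAMPLES3BUCKET is the article's placeholder bucket name).
LIST_BUCKETS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AllowGroupToSeeBucketListInTheConsole", "Effect": "Allow",
                 "Action": ["s3:ListAllMyBuckets"], "Resource": ["arn:aws:s3:::*"]}]}""")
MANAGE_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Stmt1416670692010", "Effect": "Allow",
                 "Action": ["s3:ListBucket", "s3:PutObject", "s3:PutObjectAcl", "s3:DeleteObject"],
                 "Resource": ["arn:aws:s3:::EXAMPLES3BUCKET", "arn:aws:s3:::EXAMPLES3BUCKET/*"]}]}""")
POLICIES = [LIST_BUCKETS_POLICY, MANAGE_BUCKET_POLICY]


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case=False):
    # IAM wildcard matching: '*' matches any run of characters, '?' exactly one character.
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policies, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, otherwise any matching
    Allow grants access, otherwise the request is implicitly denied. Conditions,
    NotAction/NotResource and resource-based (bucket) policies are deliberately ignored."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive; S3 ARNs are compared case-sensitively.
            action_hit = any(_wild(a, action, ignore_case=True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_wild(r, resource) for r in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::EXAMPLES3BUCKET/img/logo.png"  # constructed object key
    for act, res in [("s3:ListAllMyBuckets", "arn:aws:s3:::"), ("s3:PutObject", obj),
                     ("s3:GetObject", obj), ("s3:PutObject", "arn:aws:s3:::OTHERBUCKET/x")]:
        print(f"{act:22} {res:45} -> {'allow' if is_allowed(POLICIES, act, res) else 'deny'}")
```

Running it shows that neither policy grants s3:GetObject (anonymous reads come from the bucket policy in the next section, not from IAM) and that nothing is granted on a bucket other than EXAMPLES3BUCKET.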
Bucket Setup
To set up the S3 bucket for use as a CDN, follow these steps:
- Create the Bucket: Use the AWS Management Console, CLI, or SDK to create a bucket named EXAMPLES3BUCKET. Ensure the bucket name is globally unique.
- Enable Public Access: Configure the bucket policy to allow public read access. For example:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::EXAMPLES3BUCKET/*"
      }
    ]
  }
  Note: Be cautious when enabling public access. Use S3 Block Public Access settings to restrict unintended exposure.
- Set Up CORS: If your CDN serves assets to web applications, configure Cross-Origin Resource Sharing (CORS) to allow requests from specific origins.
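Because the bucket policy above is the one component that opens the bucket to the internet, a practitioner will want a repeatable check that it exposes nothing beyond anonymous object reads. The following is an added example, not code from the article: it audits a bucket policy document against that expectation and flags any Allow statement where an anonymous principal receives an action other than s3:GetObject, a resource that covers the bucket ARN itself (which is what anonymous listing would need), or a resource outside the named bucket. The "drifted" policy is a constructed misconfiguration used to show what a finding looks like.

```python
import json

# Bucket policy from the article's "Enable Public Access" step (EXAMPLES3BUCKET is the placeholder name).
PUBLIC_READ_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::EXAMPLES3BUCKET/*"}]}""")

# Constructed over-permissive variant: anonymous listing and uploads, the kind of
# drift the audit is meant to flag before it reaches a production bucket.
DRIFTED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AnonList", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::EXAMPLES3BUCKET", "arn:aws:s3:::EXAMPLES3BUCKET/*"]},
  {"Sid": "AnonUpload", "Effect": "Allow", "Principal": "*",
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::EXAMPLES3BUCKET/uploads/*"}]}""")

# The only action a CDN origin bucket needs to expose to anonymous callers.
SAFE_PUBLIC_ACTIONS = {"s3:getobject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    # Principal "*" and {"AWS": "*"} both mean everyone, including unauthenticated requests.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_public_policy(policy, bucket):
    """Return findings for Allow statements that give anonymous callers more than object reads
    on the named bucket; an empty list means the policy matches the intended CDN exposure."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in SAFE_PUBLIC_ACTIONS:
                findings.append(f"{sid}: anonymous principal granted {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource in ("*", "arn:aws:s3:::*", bucket_arn):
                findings.append(f"{sid}: resource {resource} covers the bucket itself, not only its objects")
            elif not resource.startswith(bucket_arn + "/"):
                findings.append(f"{sid}: resource {resource} lies outside {bucket}")
    return findings


if __name__ == "__main__":
    for name, policy in [("article policy", PUBLIC_READ_POLICY), ("drifted policy", DRIFTED_POLICY)]:
        print(name, "->", audit_public_policy(policy, "EXAMPLES3BUCKET") or ["no findings"])
```

Note that the Block Public Access settings that block or restrict public bucket policies will reject or override this policy, so they have to be disabled for this particular bucket; the audit is the compensating check that what remains public is only object reads.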
CloudFront Integration and SSL Certificates
To enhance performance and security, integrate the S3 bucket with Amazon CloudFront:
- Create a CloudFront Distribution: Use the AWS Management Console to create a distribution pointing to the S3 bucket as the origin. CloudFront caches content at edge locations, reducing latency for end-users.
- Custom Domain and SSL Certificate:
  - Use Amazon Route 53 to map a custom domain (e.g., cdn.example.com) to the CloudFront distribution.
  - Request an SSL/TLS certificate using AWS Certificate Manager (ACM) for your custom domain. Attach the certificate to the CloudFront distribution to enable HTTPS.
By combining these steps, you ensure secure, high-performance delivery of your CDN files.
Key Considerations for Admins
Public Accessibility: Since the bucket is public, administrators must ensure that sensitive data is not inadvertently stored in this bucket. Implementing additional safeguards, such as S3 Block Public Access settings or bucket policies, can mitigate risks.
Least Privilege Principle: While the policies provide necessary permissions, it is advisable to restrict access to only those users who require it. Regularly auditing IAM roles and policies helps maintain a secure environment.
Logging and Monitoring: Enable S3 server access logging and integrate with AWS CloudTrail to monitor bucket activity. This practice aids in detecting unauthorised access or unexpected usage patterns.
