AWS For Front-End Engineers, v2

Securing the S3 Bucket

Steve Kinney

Steve Kinney

AWS For Front-End Engineers, v2

Check out a free preview of the full AWS For Front-End Engineers, v2 course

The "Securing the S3 Bucket" Lesson is part of the full, AWS For Front-End Engineers, v2 course featured in this preview video. Here's what you'd learn in this lesson:

Steve fixes the default root object issue and locks down the S3 Bucket. Since the bucket is now accessible through CloudFront, public access can be removed and the static website hosting can be disabled.


Transcript from the "Securing the S3 Bucket" Lesson

>> So we've got a policy set. If we go over, I think a lot of us are seeing an access denied, right? One of the things to verify is yeah, but what happens if you do index.html? And it shows up, right? Now, I watched previous versions of this course.

And I do know that sometimes I make mistakes. Because there's one I was watching it was like, Steve talked about checking that checkbox and then didn't, right? Which I understand was added in post editing but as I'm reviewing my own, could have told me. I'm pretty sure we set that default route object in CloudFront and we all have the same issue, so I'm wanting to say that it's not a you issue or me issue.

We're not gonna talk about who's probably to blame here. Let's talk about how to go fix it because in my notes, the next line is, make sure you check this again, just in case. One thing to point out here, is this enabled? This means your CloudFront distribution is good to go.

So remember I was talking a little bit about finding the emotional patients sometimes, which is enabled and nothing works, you probably safe to go fix something. If it's still says deploying and it doesn't work, you're not allowed to start checking more boxes and adjusting stuff until it gets to green.

It might still, that might solve your problem, that might be the right answer. But you're made no promises until that's green again. All right, so we'll go in here. And let's figure out, yeah, default route object. I might have made the Boo Boo this time. Let's see what happens if we get rid of, yeah, file name, index.html.

There are some places where it demands the slash, some places where it refuses the slash. I would love to tell you that I've memorized all of them, I haven't. So this is to show you, if we go back to distributions real quick, you can see that is deploying.

This sometimes will also, if you've made a major change, be going gray as well. Let's go ahead, sometimes it will still work at all, it just means it hasn't distributed everywhere just yet. So let's go ahead and, Go to the route. So that solves the problem. If you had a slash beforehand, I'll take the blame on that one.

But there's a reason I had a note in here too. So I'm not taking all the blame, I'll just take this time. But we do have another error which is intentional, which we have that client side routing issue again. The chat was like, is it okay? I'm like, it's okay.

If you think about it, this one makes sense. This one, makes sense is a strong word. This one checks out at least a little bit which is our static website hosting was doing the work for us and we now say CloudFront, you're in charge of this. So we're not using the static website hosting.

We should go turn that off and turn off the public access to get that bucket completely locked down. And this is the subtle difference between you paste it in that URL and you selected the S3 bucket. When you paste it in the URL, it was just sending everything along to that web address just like when we visited it ourselves.

The S3 bucket is actually just directly accessing that bucket. So it's not using any of those static website hosting features anymore. So we're going to finish up our OAI extravaganza of happiness. We're gonna go turn off the static website hosting, lock down that bucket and be done with this.

All right. At this point I have decided that I was just gonna open up a tab for each of the different views, rather than jumping back and forth for my own sanity. So we'll go in here, we will edit this again, we'll block all public access, because yes, now the general public does not have a public access, but CloudFront does.

CloudFront is publicly accessible. We've just moved the problem [LAUGH] down the road a little bit. So hit save changes. And this is like, it's one of those things where you know that there's a chance that you might take down production if the UI makes you type in the word confirm before you do it.

[LAUGH] All right? So do that, but since we already slammed into an access denied and effectively shut down production for a moment, [LAUGH] we could be somewhat confident in this case. So we go back to properties, And we'll turn off that static website hosting. That's still not gonna work because we have not reimplemented the routing.

But our website is still up, right? Awesome.

Learn Straight from the Experts Who Shape the Modern Web

  • In-depth Courses
  • Industry Leading Experts
  • Learning Paths
  • Live Interactive Workshops
Get Unlimited Access Now