Okay, so let's have a play with S3 bucket policies. To do so, let's go into Permissions, and the goal for us is to define a bucket policy that we'll write in JSON. And this bucket policy is going to prevent putting objects that are not encrypted. So let's edit this bucket policy, and we have two links. We have the policy examples, which actually go to the AWS documentation, if you want to have a read into all the kinds of possibilities you can create a bucket policy with, or if you just want to follow along with me, then let's go into the AWS Policy Generator for S3 buckets. Okay, so let's generate our bucket policy. So first we need to select the policy type, and the type of policy we want is an S3 bucket policy. So please make sure to select the S3 bucket policy. This is very important, otherwise you will not see the same options as me. Okay, so we have an S3 bucket policy here, and now we want to add a statement. So what we want to do here is to deny any object being uploaded into Amazon S3 that is not encrypted, using, for example, the SSE-S3 scheme.
So we're going to have the effect be Deny, principals from where? From everywhere, okay? The action is on the upload, so the API name to upload a file into AWS is called PutObject. So we're looking for PutObject here, and then we need to specify the ARN. So the ARN should be the bucket name, slash, the key name. So let's go into the S3 management console, and here they provide us with the bucket's ARN, because they know that we're going to use it. So let's paste it, and as I have pasted my bucket's ARN, please make sure to add a star, and then, sorry, a slash and then a star at the end of the resource name. Why? Well, the action that we have selected, which is called PutObject, as we can see right here, PutObject applies to objects within the bucket. And so to specify that we want to apply this to objects, we need to specify the bucket name, then slash, star, and the star indicates any object within that bucket name.
So we're saying, okay, deny anyone to upload an object anywhere in my bucket, and we need to add a condition, otherwise we will not be able to do many things with this bucket. So we'll add a condition, and the statement is Null, so Null. The key is going to be looking for the S3, so let's have a look, s3:x-amz-server-side-encryption. So this one, okay, which is going to look for whether or not we have this header when we send a file to Amazon S3, and the value is true. So let me explain what I did. We're saying if this header is null. So that's the condition. If this header is null, then deny, and that makes sense. If this header is null, we are sending the file and we don't ask for any kind of encryption. So we'll add this condition, and this is our first statement, so let's click on Add Statement, and we'll add a second statement to repeat it. So we'll deny from anywhere, and then the action is going to be again the PutObject. So let's find it quickly: PutObject. The resource name has to be the bucket name slash star.
And for the condition, this time we're going to look at a second condition, and we're saying StringNotEquals. The key is the same key as before, so the x-amz-server-side-encryption, and then the value of it is going to be AES256. So we're saying if the file is uploaded with the header, but the header value is not equal to AES256, which is representing the SSE-S3 type of encryption, then deny it. So we'll add the condition and the statement, and here we go, we have generated our policy right here, which I can copy and paste into my S3 console, save changes, and we're good to go. So here we have defined a bucket policy which denies any object being uploaded if it's not encrypted with SSE-S3. So we can, for example, have a look, so let's upload an object and see if that works. So we'll add a file, we'll add coffee.jpg, and as we can see, I don't specify any encryption setting in particular, okay? So it's going to go with none, and click on Upload. It failed, and we can look at why it failed. So it failed: access denied. And so this is due to the bucket policy.
So this is obviously good, because this is what we expected to happen. And if we try to upload the same file, so coffee.jpg, but this time we are going to specify the encryption to be SSE-S3, so by setting the right header, then this should work. So let's upload it and see: yes, this has succeeded. And finally, let's try to upload this file one last time, but by specifying a KMS type of encryption. So let's go to override to KMS, using the SSE-KMS key, and click on Upload. And this has failed again, because it doesn't respect the bucket policy. So the bucket policy is working just fine. And so how did I figure this out? So if I Google "S3 bucket policy deny encryption", this shows you the kind of blogs that show you how to write these kinds of, let me show you, here, bucket policy, so this is not something invented. I use the documentation to refer to for my courses, but I wanted to show you how to generate this policy using the AWS Policy Generator, okay? Hopefully this makes sense.
Now, other settings that we may want to look at for security, so let's go into Permissions. So if we go into Permissions, we can see that there is a Block all public access setting. And so this is on by default, just to prevent any data leaks from AWS S3 into the world. And so we want to keep this on at all times, unless we are running a public website and want to make the objects public. So we'll see how to do this in a future lecture. Also, we can define this block public access setting at my account level. To do so, on the left-hand side, I can go to Account settings for Block Public Access, and I can block all public access of all my buckets if I wanted to by ticking this box. So this is one more level of security, okay? And then finally, for all my objects, if I look at coffee.jpg, there is something called ACL, or access control list, so I can scroll down to Access control list. And this is something I won't linger on, because we're not using this, and the exam really doesn't touch it.
But access control list is a way for you to define object reads and writes at the object level. So as we can see right now, my account can read the object, and has read and write rights, thanks to the ACL. Anyway, I won't linger on it, because this is not very important for the exam. But just know that ACLs are another way to protect your objects in AWS. So that's it for this lecture, I hope you liked it, and I will see you in the next lecture.
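The bucket policy the lecture assembles in the Policy Generator, as an added example that is not the course's own code: the two Deny statements as a Python dict (with a placeholder bucket name), plus a small evaluator, written here for illustration, that models only the Null and StringNotEquals operators so the three upload attempts from the lecture (no header, AES256, aws:kms) can be replayed offline.

```python
import json

BUCKET_ARN = "arn:aws:s3:::DOC-EXAMPLE-BUCKET"  # placeholder, not the lecturer's bucket
SSE_HEADER = "s3:x-amz-server-side-encryption"  # condition key for the SSE request header

# The two statements built in the lecture: both Deny s3:PutObject on every object.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Statement 1: header absent (null) means no encryption was requested
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"Null": {SSE_HEADER: "true"}},
        },
        {   # Statement 2: header present but not AES256, i.e. not SSE-S3
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringNotEquals": {SSE_HEADER: "AES256"}},
        },
    ],
}

def policy_json() -> str:
    """JSON text that can be pasted into the bucket's policy editor."""
    return json.dumps(BUCKET_POLICY, indent=2)

def statement_matches(statement, context) -> bool:
    """True when every condition holds; context maps condition keys to request values."""
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            present = key in context
            if operator == "Null":
                # "true": the key must be absent (null) for the condition to match
                if present == (expected == "true"):
                    return False
            elif operator == "StringNotEquals":
                # negated operator: matches when the key is absent or its value differs
                if present and context[key] == expected:
                    return False
            else:
                raise NotImplementedError(operator)  # only the two operators above are modelled
    return True

def put_object_allowed(sse_header=None) -> bool:
    """Simulate PutObject on this bucket: any matching Deny statement wins."""
    context = {} if sse_header is None else {SSE_HEADER: sse_header}
    return not any(statement_matches(s, context) for s in BUCKET_POLICY["Statement"])
```

Since January 2023 S3 applies SSE-S3 to new objects by default, so the Null statement now also rejects uploads that would have been encrypted anyway; the policy still enforces that the header is sent, which is exactly what the lecture's three uploads test.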