1 00:00:00,240 --> 00:00:01,760 Okay, so now let's talk about 2 00:00:01,760 --> 00:00:03,530 Amazon as far as security. 3 00:00:03,530 --> 00:00:07,000 So it's very complex but first you have user-based security. 4 00:00:07,000 --> 00:00:10,010 So our IAM users have IAM policies, 5 00:00:10,010 --> 00:00:13,480 and they authorize which API calls should be allowed 6 00:00:13,480 --> 00:00:17,560 and if our user is authorized through IAM policy 7 00:00:17,560 --> 00:00:19,700 how to access our Amazon S3 bucket, 8 00:00:19,700 --> 00:00:21,980 then it's going to be able to do it. 9 00:00:21,980 --> 00:00:24,230 Then we have resource-based security 10 00:00:24,230 --> 00:00:28,010 and this is the infamous S3 bucket policies. 11 00:00:28,010 --> 00:00:31,400 They're bucket-wide rules that we can set in the S3 console 12 00:00:31,400 --> 00:00:35,370 and what they do is that they will say what principals 13 00:00:35,370 --> 00:00:38,010 can and cannot do on our S3 bucket. 14 00:00:38,010 --> 00:00:41,200 And this enables us to do cross account access 15 00:00:41,200 --> 00:00:42,510 to our S3 buckets. 16 00:00:42,510 --> 00:00:44,390 We'll do, in the hands-on, a very deep-dive 17 00:00:44,390 --> 00:00:46,110 on S3 bucket policies. 18 00:00:46,110 --> 00:00:48,261 Then we have object ACL, which is finer grain, 19 00:00:48,261 --> 00:00:52,500 where we set at the object level the access rule. 20 00:00:52,500 --> 00:00:55,220 And then finally bucket ACL, even less common, 21 00:00:55,220 --> 00:00:57,760 and these two don't really come up at the exam. 22 00:00:57,760 --> 00:00:59,470 Okay, notes. 
23 00:00:59,470 --> 00:01:03,230 An IAM principal, so it can be a user, a role, 24 00:01:03,230 --> 00:01:07,840 can access an S3 object if the IAM permissions allow it, 25 00:01:07,840 --> 00:01:10,490 so that means that you have an IAM policy 26 00:01:10,490 --> 00:01:12,740 attached to that principal that allows access 27 00:01:12,740 --> 00:01:16,300 to your S3 bucket, or if the resource policy, 28 00:01:16,300 --> 00:01:19,530 so usually your S3 bucket policy, allows it. 29 00:01:19,530 --> 00:01:22,530 And you need to make sure there is no explicit deny. 30 00:01:22,530 --> 00:01:26,670 So if your user through IAM is allowed to access 31 00:01:26,670 --> 00:01:30,850 your S3 bucket but your bucket policy is explicitly denying 32 00:01:30,850 --> 00:01:32,120 your user to access it, 33 00:01:32,120 --> 00:01:34,642 then you will not be able to access it, okay? 34 00:01:34,642 --> 00:01:35,560 Okay. 35 00:01:35,560 --> 00:01:37,660 So now this is your deep-dive on S3 bucket policies. 36 00:01:37,660 --> 00:01:39,190 They're JSON-based policies. 37 00:01:39,190 --> 00:01:43,630 So JSON is a notation language, and so we have here 38 00:01:43,630 --> 00:01:47,800 a JSON bucket policy and this bucket policy here 39 00:01:47,800 --> 00:01:51,180 allows public read on our S3 buckets. 40 00:01:51,180 --> 00:01:54,050 So as we can see, it says effect allow, 41 00:01:54,050 --> 00:01:56,020 principal star, so anyone, 42 00:01:56,020 --> 00:01:58,120 the action GetObject, 43 00:01:58,120 --> 00:02:01,110 on the resource, examplebucket slash star. 44 00:02:01,110 --> 00:02:04,512 So on any objects within my S3 bucket. 45 00:02:04,512 --> 00:02:06,860 So this is great, this allows public access 46 00:02:06,860 --> 00:02:08,203 to our S3 buckets. 47 00:02:08,203 --> 00:02:11,538 So these bucket policies can be applied to your buckets 48 00:02:11,538 --> 00:02:13,800 and objects, so both. 
49 00:02:13,800 --> 00:02:18,680 The actions are a set of APIs to allow or deny. 50 00:02:18,680 --> 00:02:19,930 The effect is allow or deny, 51 00:02:19,930 --> 00:02:22,240 the principal is the account or the user 52 00:02:22,240 --> 00:02:25,030 that this S3 bucket policy applies to, 53 00:02:25,030 --> 00:02:27,880 and so some common use cases for S3 bucket policies 54 00:02:27,880 --> 00:02:30,200 are to grant public access to a bucket 55 00:02:30,200 --> 00:02:33,370 or to force objects to be encrypted at the upload time, 56 00:02:33,370 --> 00:02:36,300 or to grant access to another account 57 00:02:36,300 --> 00:02:39,340 using cross account S3 bucket policies. 58 00:02:39,340 --> 00:02:41,240 So we'll do it in the hands-on, a deep-dive 59 00:02:41,240 --> 00:02:43,010 on S3 bucket policies. 60 00:02:43,010 --> 00:02:47,730 Then we have the bucket settings for block public access. 61 00:02:47,730 --> 00:02:49,970 So we've seen this in the hands-on when we got started. 62 00:02:49,970 --> 00:02:52,490 So this was a new setting that was created 63 00:02:52,490 --> 00:02:55,220 to block objects from being public 64 00:02:55,220 --> 00:02:58,420 if the account had some restrictions. 65 00:02:58,420 --> 00:03:00,910 So here we have four different kinds 66 00:03:00,910 --> 00:03:03,670 of block public access settings. 67 00:03:03,670 --> 00:03:06,150 We have the new access control list, 68 00:03:06,150 --> 00:03:08,050 any access control lists, 69 00:03:08,050 --> 00:03:10,430 or new public or access point policies. 70 00:03:10,430 --> 00:03:13,200 So this is going to block objects and buckets 71 00:03:13,200 --> 00:03:15,280 from becoming public if they're granted 72 00:03:15,280 --> 00:03:17,570 through any of these methods, 73 00:03:17,570 --> 00:03:20,410 or you can block public and cross account access 74 00:03:20,410 --> 00:03:23,130 to buckets and objects through any public bucket 75 00:03:23,130 --> 00:03:25,060 or access point policy. 
76 00:03:25,060 --> 00:03:27,881 So you don't need to remember these four different settings. 77 00:03:27,881 --> 00:03:30,703 It's just a summary in here. 78 00:03:30,703 --> 00:03:32,430 What you need to remember going into the exam 79 00:03:32,430 --> 00:03:36,012 is that there is a way to block public access 80 00:03:36,012 --> 00:03:38,930 to your S3 bucket through these settings. 81 00:03:38,930 --> 00:03:41,510 The exam will not test you on each of these settings, okay? 82 00:03:41,510 --> 00:03:43,780 These settings historically were created to prevent 83 00:03:43,780 --> 00:03:45,782 company data leaks because there were a lot of leaks 84 00:03:45,782 --> 00:03:50,460 of Amazon S3 buckets in the news and Amazon S3 came up 85 00:03:50,460 --> 00:03:53,360 with this way of making sure that any server could say, 86 00:03:53,360 --> 00:03:55,560 hey, none of my buckets are public, by the way, 87 00:03:55,560 --> 00:03:57,750 because of the settings, and that was very popular. 88 00:03:57,750 --> 00:03:59,600 And so if you know that your buckets 89 00:03:59,600 --> 00:04:02,530 should never, ever be public, leave these on. 90 00:04:02,530 --> 00:04:05,110 And there's a way to set these at the account level, 91 00:04:05,110 --> 00:04:07,320 as we'll see in the hands-on. 92 00:04:07,320 --> 00:04:09,440 Other security features in S3 you should know about. 93 00:04:09,440 --> 00:04:13,010 On the networking side, you can access S3 privately 94 00:04:13,010 --> 00:04:14,450 through VPC endpoints. 95 00:04:14,450 --> 00:04:16,899 So if you have EC2 instances in your VPC 96 00:04:16,899 --> 00:04:18,630 without internet access, 97 00:04:18,630 --> 00:04:20,829 then they can access S3 privately through 98 00:04:20,829 --> 00:04:22,790 what's called a VPC endpoint. 99 00:04:22,790 --> 00:04:25,690 For logging and audit, you can use S3 access logs 100 00:04:25,690 --> 00:04:28,190 and they can be stored in other S3 buckets. 
101 00:04:28,190 --> 00:04:30,500 API calls can also be logged into CloudTrail, 102 00:04:30,500 --> 00:04:33,230 which is a service to log API calls in your accounts. 103 00:04:33,230 --> 00:04:35,930 For user security, you have MFA Delete, 104 00:04:35,930 --> 00:04:38,380 so multifactor authentication is MFA. 105 00:04:38,380 --> 00:04:41,065 In which case if you want to delete a specific version 106 00:04:41,065 --> 00:04:44,780 of objects in your buckets, then you can enable MFA Delete 107 00:04:44,780 --> 00:04:48,170 and we will need to be authenticated with MFA 108 00:04:48,170 --> 00:04:50,017 to be able to delete the objects. 109 00:04:50,017 --> 00:04:52,870 And finally, pre-signed URLs that we've seen briefly 110 00:04:52,870 --> 00:04:54,290 when we were opening that file 111 00:04:54,290 --> 00:04:56,160 and there was a very, very long URL, 112 00:04:56,160 --> 00:05:00,570 which is a URL that's signed with some credentials from AWS 113 00:05:00,570 --> 00:05:02,840 and it's valid only for a limited time. 114 00:05:02,840 --> 00:05:04,580 And the use case for it, for example, 115 00:05:04,580 --> 00:05:06,370 is to download a premium video 116 00:05:08,670 --> 00:05:10,800 from a service if the user is logged in 117 00:05:10,800 --> 00:05:12,530 and has purchased that video. 118 00:05:12,530 --> 00:05:15,290 So the idea here is that any time at the exam 119 00:05:15,290 --> 00:05:18,720 you see the access of certain files to certain users 120 00:05:18,720 --> 00:05:22,320 for a limited amount of time, think pre-signed URLs. 121 00:05:22,320 --> 00:05:24,280 So in the next lecture we'll do a hands-on 122 00:05:24,280 --> 00:05:27,100 on S3 security to see all these various options. 123 00:05:27,100 --> 00:05:29,000 So I will see you in the next lecture.