Amazon AWS Certified Security Specialty – Domain 4 – Identity & Access Management part 14
- Canned ACLs
Hey everyone and welcome back. In today's video we will be discussing canned ACLs, and we will look into their importance as far as cross-account S3 bucket policies are concerned. So let's go ahead and begin understanding canned ACLs. Now, as the initial start, just to have the right base, we should remember that every bucket, and every object that we upload within that bucket, has an ACL associated with it. Whenever a request is received for an object within an S3 bucket, AWS S3 will check the ACL associated with that object and, depending upon the ACL, it will either allow or block the request. Now, one important part to remember here is that whenever we create a bucket or an object, AWS S3 by default will grant the resource owner full control of that specific resource.
Very important to understand. So let's do one thing: let's go ahead and understand this pointer before we go ahead with our next slide. Now, within the AWS S3 API documentation you have a command called get-object-acl. This command will show you the ACL associated with an object within the S3 bucket. We already saw that every object has an ACL associated with it, so in order to see what exactly that ACL looks like, we can run this specific command. So let's go to our terminal and execute it. I'll run `aws s3api get-object-acl --bucket kplabs-demo-crossover --key demo.txt`. So demo.txt is the file which we had uploaded within our S3 bucket, and we'll run it with the profile of account A.
Now within this, if you look at the permission, the permission is FULL_CONTROL. We already discussed this within the slide: whenever you upload an object, AWS S3 will grant FULL_CONTROL permission to the resource owner, and this is what you see over here. So you have FULL_CONTROL, and the display name is Team Fantastic. Team Fantastic is basically account A, and account A has full control of this specific object. Now, if you look at cross.txt, which we had uploaded with a different account: if you try to run this command with the same profile, it will say access denied. So basically you have to run this command as the resource owner who created this specific file. We know that cross.txt was created with the access key and secret key of an IAM user which belongs to account B.
And this is the reason why within the profile we need to select account B, because account B is the resource owner. So let me press enter. Now if you look over here, the permission is FULL_CONTROL, and to whom is the full control given? It is given to the display name of account B. And this is the reason why the account A principal is not able to access this specific file: it gives permission denied because the object's ACL has full control only for the account B principal, so account A does not really have any permission. This is one of the very common occurrences that you will find whenever you are dealing with cross-account S3 bucket access. So with the basics set, let's go ahead and understand canned ACLs.
So basically, AWS S3 supports predefined grants for an object, and that is through canned ACLs. We already discussed that every object has an ACL associated with it. So whenever we upload an object to S3, we can set a predefined set of permissions, a predefined ACL, on that object, and that predefined set of permissions is applied through a canned ACL. Now, these canned ACLs can be specified in the request using the x-amz-acl header. There are a lot of canned ACLs, and these are some examples. One of the interesting ones that we are looking at is bucket-owner-full-control. If you look at the description, both the object owner and the bucket owner get full control over the object.
This is very important, because if you are uploading an object from one account to an S3 bucket which is in a different account, what you need is that both the object owner and the bucket owner get full control. Currently, in the case of cross.txt, the bucket owner does not have full control and only the object owner has full control, and this is the reason why we are getting permission denied whenever we try to perform an operation through an account A principal. So what we basically have to do is this: for any file that we upload to an S3 bucket which does not belong to our AWS account, we need to make sure that the ACL associated with that object grants the bucket owner full control. This can be easily achieved. So let's do one thing.
Let's go to a terminal and I will create a file, canned.txt, and within this I'll write "the practical solution". All right. Now we will upload this specific file with the access key and secret key of account B, and we'll look at how exactly it works. In order to do that, I'll run `aws s3 cp canned.txt s3://kplabs-demo-crossover/ --acl bucket-owner-full-control`, with the profile set to account B. So along with the copy we specify the ACL: we need to specify bucket-owner-full-control. This is the access permission that we are giving to canned.txt, and the profile through which we will be uploading this object is account B. Perfect.
So now canned.txt has been uploaded to the kplabs-demo-crossover bucket with the access key and secret key which belong to account B. Let me quickly run the s3api command again. This is the command, and if I press enter, this was for cross.txt. Now I will run the same command, this time for canned.txt. Within the canned.txt file you will now see that both account B and account A, which is Team Fantastic, have FULL_CONTROL. So both account A and account B have full control over the specific object that was uploaded. And this is the reason why it is very important to understand that if you are transferring a file to an S3 bucket which does not belong to your account, you have to specify an ACL which also grants the bucket owner access to the object that you are uploading.
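As an added example, not code from the lecture, here is the same check done programmatically: it reads an object ACL in the shape that `aws s3api get-object-acl` (and boto3's `get_object_acl`) returns, flags the cross.txt situation (object owned by account B, bucket owner with no grant), and builds the upload arguments that produce the canned.txt situation via the bucket-owner-full-control canned ACL. The canonical user IDs, display names and ACL documents are constructed inline for the example; no call to AWS is made.

```python
"""Added example (not from the lecture): audit an S3 object ACL for the
cross-account ownership problem and build the upload parameters that fix it.
Pure Python; the ACL documents are constructed in the shape S3 returns them."""
from typing import Dict, List

# Constructed canonical user IDs standing in for account A (bucket owner) and
# account B (the uploading account).  Real IDs are 64 hex characters.
ACCOUNT_A_ID = "a" * 64   # bucket owner, display name "Team Fantastic"
ACCOUNT_B_ID = "b" * 64   # object uploader


def grants_for(acl: Dict, canonical_id: str) -> List[str]:
    """Permissions the ACL grants directly to the given canonical user ID."""
    perms = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "CanonicalUser" and grantee.get("ID") == canonical_id:
            perms.append(grant["Permission"])
    return perms


def bucket_owner_can_read(acl: Dict, bucket_owner_id: str) -> bool:
    """True if the bucket owner can read the object through its ACL."""
    return any(p in ("FULL_CONTROL", "READ") for p in grants_for(acl, bucket_owner_id))


def audit_cross_account_object(acl: Dict, bucket_owner_id: str) -> Dict[str, object]:
    """Summarise the ownership situation of one object from the bucket owner's view."""
    owner_id = acl["Owner"]["ID"]
    cross_account = owner_id != bucket_owner_id
    readable = bucket_owner_can_read(acl, bucket_owner_id)
    return {
        "object_owner": acl["Owner"].get("DisplayName", owner_id),
        "cross_account": cross_account,
        "bucket_owner_has_access": readable,
        "needs_fix": cross_account and not readable,
    }


def upload_params_for_foreign_bucket(bucket: str, key: str, body: bytes) -> Dict:
    """Keyword arguments for boto3 `s3.put_object` when uploading into a bucket
    owned by another account: the canned ACL is what gives the bucket owner
    FULL_CONTROL alongside the uploader (the CLI equivalent is `--acl`)."""
    return {"Bucket": bucket, "Key": key, "Body": body,
            "ACL": "bucket-owner-full-control"}


# Constructed ACL documents mirroring the lecture's two cross-account objects.
CROSS_TXT_ACL = {  # uploaded by account B with the default ACL
    "Owner": {"DisplayName": "account-b", "ID": ACCOUNT_B_ID},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_B_ID,
                            "DisplayName": "account-b"}, "Permission": "FULL_CONTROL"}],
}
CANNED_TXT_ACL = {  # uploaded by account B with --acl bucket-owner-full-control
    "Owner": {"DisplayName": "account-b", "ID": ACCOUNT_B_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_B_ID,
                     "DisplayName": "account-b"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": ACCOUNT_A_ID,
                     "DisplayName": "Team Fantastic"}, "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("cross.txt", CROSS_TXT_ACL), ("canned.txt", CANNED_TXT_ACL)):
        print(name, audit_cross_account_object(acl, ACCOUNT_A_ID))
```

Running it reports `needs_fix: True` for cross.txt and `False` for canned.txt. On the bucket owner's side the same requirement is commonly enforced with a bucket policy that denies `s3:PutObject` unless the `s3:x-amz-acl` condition key equals `bucket-owner-full-control`, so that uploads without the canned ACL are rejected rather than silently left unreadable.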
- Understanding Signed URLs
Hi everyone and welcome back to the Knowledge Portal video series, and it's really good to see that we have now reached the stage where we can talk about presigned URLs. These are one of the, I would say, intermediate or advanced features of S3, very very important, and used by a lot of companies out there. So let's look into the use case, as usual, for where presigned URLs will be required. Again, we have a company called DEF (we are following the ABC, DEF naming convention of three characters), which is an online music selling company. Now, once a user purchases a song, he should be able to download the song. Your company has decided to store all of its song data in S3 due to its high durability.
So how will you go ahead with this scenario? It is a very simple use case, something very similar to iTunes, where you purchase songs and once you have purchased them you are able to download them to your phone. A very simple use case, but the challenge is that you want to implement this when the data is in S3. Now, how can a user download the data from your S3 bucket? We already looked into the permission aspect: first, a user can download if he has an IAM policy; second, the user can download if the S3 bucket has a bucket policy. In a bucket policy you can either allow based on IP address or allow anonymous access. Anonymous access cannot work here. IP address also cannot work, because let's say the user switches from one WiFi to a different WiFi; then the bucket policy will not work.
So how exactly can you achieve this particular use case? Let's understand. Let's look at the basics: generally, all the objects in S3 are stored as private by default. Now the question is, how will you share that private content with a specific user? Let's say you have a text file which you want to share with your friend, that text file is in your S3 account, and you don't really want to do all that IAM-based business. A very simple way is with the help of a signed URL. What the object owner can do is create a signed URL which carries a time-limited permission. You give that signed URL to your friend, and once the friend opens that URL he will be able to access that particular object. And the best part about the signed URL is that it will expire after the predefined time.
So with signed URLs you can achieve this particular use case: after a user purchases a song and requests a download, when he clicks on the download button, the application will generate a presigned URL that allows the MP3 to be downloaded. Now, if the user decides to share this particular URL with the public, the URL will expire after five minutes, or whatever time interval you set. So even if the user shares the URL, it will have expired after the predefined amount of time. This is the best thing about the presigned URLs that you have in S3. So going back to our favourite labs, let's see how we can achieve this particular scenario. Let's go to the kplabs-finance bucket; generally, when you just click on the object and open it, you are able to see this particular text document.
Now let me show you something interesting. The reason why you're able to see this is because this URL is basically a signed URL. Let me show you. I'll copy the entire URL that you see over here, open an online text editor, and paste the URL. So this is the URL that is present over here, and what this is, basically, is a presigned URL. Now, if you give this particular URL to a friend who does not have any AWS account, he will be able to open it. To verify, let me open my Opera browser, open a new private window, and paste this URL. If I open it, you see that you are able to open this URL even if you don't have an AWS account and even if there is no bucket policy. So let's explore what this particular presigned URL is.
It is a very big URL that you see over here. Basically, this is private content, and if you want to share it among a few people you can take this presigned URL and give it to the users, and they will be able to open this particular file. Talking about the format of this presigned URL, it is quite a long one, so let's divide it up. This is one of the parameters, X-Amz-Date. The next parameter is X-Amz-Expires. Then there are different parameters present over here; there are quite a good number of them. Okay, so this is the bucket URL, kplabs-finance/finance.txt. This is something that we know. Then we have the Amazon date, followed by the expiration time. What this particular value means is that this signed URL will expire after 300 seconds.
Note that it also contains your access key. This is the access key of the user who generated the signed URL. Now let me copy this up and paste it into Google; Google is much better for this. The first thing that you will see is the format of the signed URLs, which is similar to what we extracted from the URL. If you go over here, there are a lot of query string parameters that you will find. The one that we are interested in is the X-Amz-Expires parameter. Let me go a bit down; this is the one that we were talking about. It says that it provides the time period, in seconds, for which the generated presigned URL is valid, and the amount is in seconds.
That means that this URL, with this particular parameter set to 300, is valid only for five minutes, and after five minutes, if I try to access it, it will not work because it has expired. Okay, quite a simple thing; let me just paste it for future reference. Now the question is, do you have to manually open the object in the console to get the presigned URL? And the answer is, not really. You can actually generate your own presigned URLs with your own custom time interval. So let me do one thing: let's go to the Linux machine. What I have done is installed the AWS CLI over here. Let me just verify that it is there. Okay, it is there. So AWS allows you, through the CLI, to generate custom presigned URLs.
If you just want to verify this, let me open Google for reference: "aws s3 presign". I hope this is the correct path, the s3 CLI. I should have clicked on the s3 portion; let me check if I can find it, and yes, this is one of the available commands. If you look over here, the syntax is `aws s3 presign`, followed by the S3 URI, and `--expires-in` followed by a value. Okay, so let's try this out: `aws s3 presign s3://kplabs-finance/finance.txt --expires-in 600`. The bucket name is followed by finance.txt, which is the object name, and I'll give an expiry value of 600 seconds.
And now if you look, it has generated a presigned URL, valid for 600 seconds. Let me copy it, open it in my Linux browser, and check whether I am able to open the particular text file, and you see I am able to do that. After 600 seconds this URL will be invalid and the user will not be able to open this file. Now, one thing that I wanted to show you, if you're wondering how I did that: on Linux you need to configure your access key and secret key. If you run the `aws configure` command you need to enter the AWS access key followed by the AWS secret key, and once you do that you will be able to run this particular command. If you are unaware of where you get your access key and secret key from, basically they are your IAM keys.
What I have done is generate the access key and secret key for the IAM user. If you go to Security credentials, this is the access key which I generated. All you have to do is create the access key over here; this gives you the access key and the secret key. You paste these into the Linux console and you are ready to run the AWS CLI. So these are the basics of presigned URLs. Most companies out there have started to use presigned URLs in their regular operations for making private objects downloadable to users. I encourage you to practise this lab once, and if you have any questions feel free to connect with us on email as well as on social. I hope this has been informative for you, and I'd like to thank you for viewing.
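As an added example, not code from the lecture or from AWS, the block below builds a presigned GET URL with Signature Version 4 using only the Python standard library, so you can see where the X-Amz-Date, X-Amz-Expires, X-Amz-Credential (which carries the access key ID) and X-Amz-Signature parameters come from, and then parses such a URL the way a reviewer of a logged or leaked link would: which access key signed it, when it was issued, when it expires, and whether it is still live at a given moment. The access key, secret key, region, bucket and object names are constructed placeholders, the clock is fixed so the output is reproducible, and nothing is sent to AWS.

```python
"""Added example (not from the lecture): SigV4 presigned GET URL for S3 built
with the standard library, plus an inspector for the lifetime and access key
ID that such a URL exposes.  All credentials below are constructed placeholders."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict
from urllib.parse import parse_qs, quote, urlparse

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key: str, datestamp: str, region: str, service: str = "s3") -> bytes:
    """Derive the SigV4 signing key: an HMAC chain over date, region, service."""
    k_date = _hmac(("AWS4" + secret_key).encode(), datestamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign_get(bucket: str, key: str, access_key: str, secret_key: str,
                region: str, expires_in: int, now: datetime) -> str:
    """Path-style presigned GET URL, the same structure `aws s3 presign` emits.
    `now` is injected so the result is reproducible."""
    host = f"s3.{region}.amazonaws.com"
    canonical_uri = quote(f"/{bucket}/{key}", safe="/-_.~")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",   # access key ID travels in clear
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                            for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", canonical_uri, canonical_qs,
        f"host:{host}\n",        # canonical headers, each newline-terminated
        "host",                  # signed headers list
        "UNSIGNED-PAYLOAD",      # S3 presigned URLs do not hash the body
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, datestamp, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def inspect_presigned(url: str, now: datetime) -> Dict[str, object]:
    """Report what a presigned URL reveals and whether it is live at `now`."""
    qs = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    issued = datetime.strptime(qs["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    expires_at = issued + timedelta(seconds=int(qs["X-Amz-Expires"]))
    return {
        "access_key_id": qs["X-Amz-Credential"].split("/")[0],
        "issued": issued,
        "expires_at": expires_at,
        "valid_now": issued <= now < expires_at,
        "signature_len": len(qs.get("X-Amz-Signature", "")),
    }


# Constructed placeholder credentials and a fixed clock.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = "example-secret-key-do-not-use"
ISSUED_AT = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def demo() -> Dict[str, object]:
    """Sign the lecture's finance.txt for 600 s and inspect it before and after expiry."""
    url = presign_get("kplabs-finance", "finance.txt", ACCESS_KEY, SECRET_KEY,
                      "us-east-1", 600, ISSUED_AT)
    return {"url": url,
            "at_300s": inspect_presigned(url, ISSUED_AT + timedelta(seconds=300)),
            "at_600s": inspect_presigned(url, ISSUED_AT + timedelta(seconds=600))}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The signature covers the expiry and the date, so a recipient cannot stretch the window by editing X-Amz-Expires; but anyone holding the URL can use it until then, which is why the lecture's advice to keep the interval short matters, and why the exposed access key ID is worth tracing back to the principal that signed it.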
- S3 – Versioning
Hey everyone and welcome back to the Knowledge Portal video series. In today's lecture we will be speaking about S3 versioning. Now, I decided not to make slides, because I have been quite lazy and bored of making slides for every chapter, so this time I decided to directly do the practical. It is very straightforward and I hope it will be understood by all of you. So we will be speaking about versioning. In order to understand it, I'll directly show you the demo. To enable versioning for a particular S3 bucket, I click on Properties over here and select Versioning. You see that versioning is currently in the suspended state; I'll enable versioning over here and click on Save. Now let me go back to the S3 bucket.
I'll go inside. There is a file called finance.txt which is already there. Now let's do one thing: I will go to my desktop and create a file called, let's say, important.txt. I'll echo "this is important file" and redirect it to important.txt. If I do a quick cat on it, you can see "this is important file". Now let me upload the important.txt that we just created. You see, this is the important file; I click on upload. Perfect, the file has been uploaded. Now let's assume this is an important document and it contains a lot of your data. There is always the chance, and you might have gone through this yourself, that you overwrite your files.
Now, due to some reason, let's assume that a system administrator, by mistake, had a similar file with this name and uploaded it over here. Let's take this specific scenario. I'll write "new file" and echo it to important.txt. Now I'll upload the same file; let's assume that I have uploaded it by mistake. You see the content is "new file", and let me click on upload. In the normal scenario what happens is that the file gets replaced, or overwritten, and in such scenarios it is very difficult to retrieve the older file. However, if versioning is enabled, then you can have multiple versions of this specific file. Let me show you. You see that Versions is currently hidden; I can click on Show. But before I do that, let me just open up the file.
I'll click on Open, and you see the older contents were replaced by the newer content. Now let's go back to the bucket, and under Versions I'll click on Show. What you will see over here is that for the important.txt file there are two versions available. It also tells you the time at which each object version was uploaded: this one was uploaded at 12:25 and this one at 12:26, and it also shows which is the latest version. Now if I click on the older version and click on Open, you will find the file with the older contents. So even if you upload a file with the same name to the S3 bucket, provided S3 versioning is enabled, you will be able to retrieve the older file whenever you want. This is very important to remember.
So these are the basics of S3 versioning. Many times, what system administrators decide to do is upload their log files, like /var/log/secure, to an S3 bucket. Let's assume they upload the same file, secure, to the same S3 bucket on a daily basis. If versioning is enabled, then for each day you will be able to find that day's log file in the S3 bucket. This is a very useful feature, and something which makes AWS S3 a truly unique storage service. I hope the versioning feature has been understood by you; go ahead and practise it so that you understand more about how versioning works. So this is it about this lecture. I hope this has been useful for you, and I look forward to seeing you in the next lecture.
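As an added example, not code from the lecture, the block below does in code what the console's "Show versions" view did above: given a listing in the shape of `aws s3api list-object-versions` (boto3 `list_object_versions`), it orders the history of important.txt, picks out the version that the 12:26 upload overwrote, and builds the `copy_object` call that restores it as the current version. It also covers the case the lecture does not show, where the key was deleted afterwards and a delete marker sits on top. The listing, version IDs and bucket name are constructed placeholders; no AWS call is made.

```python
"""Added example (not from the lecture): find the overwritten version of a key
in a versioned bucket and build the restore call.  The listing is constructed
by hand in the shape S3 returns; nothing talks to AWS."""
from datetime import datetime, timezone
from typing import Dict, List, Optional


def version_history(listing: Dict, key: str) -> List[Dict]:
    """All object versions and delete markers of `key`, newest first."""
    entries = []
    for v in listing.get("Versions", []):
        if v["Key"] == key:
            entries.append({**v, "Kind": "version"})
    for d in listing.get("DeleteMarkers", []):
        if d["Key"] == key:
            entries.append({**d, "Kind": "delete-marker"})
    return sorted(entries, key=lambda e: e["LastModified"], reverse=True)


def recoverable_version_id(listing: Dict, key: str) -> Optional[str]:
    """Version to bring back: after an overwrite, the real version just before
    the current one; after a delete (delete marker is latest), the newest real
    version.  Returns None when there is nothing older to recover."""
    real = [e for e in version_history(listing, key) if e["Kind"] == "version"]
    if real and not any(e["IsLatest"] for e in real):
        return real[0]["VersionId"]          # key is currently "deleted"
    older = [e for e in real if not e["IsLatest"]]
    return older[0]["VersionId"] if older else None


def restore_plan(bucket: str, key: str, version_id: str) -> Dict:
    """Arguments for boto3 `s3.copy_object` that make `version_id` the current
    version of `key`.  S3 creates a new version; the history is left intact."""
    return {"Bucket": bucket, "Key": key,
            "CopySource": {"Bucket": bucket, "Key": key, "VersionId": version_id}}


# Constructed listing mirroring the lecture: important.txt uploaded at 12:25,
# then overwritten at 12:26.  Version IDs are placeholders.
LISTING = {
    "Versions": [
        {"Key": "important.txt", "VersionId": "v2-new-file", "IsLatest": True,
         "LastModified": datetime(2024, 1, 1, 12, 26, tzinfo=timezone.utc), "Size": 9},
        {"Key": "important.txt", "VersionId": "v1-original", "IsLatest": False,
         "LastModified": datetime(2024, 1, 1, 12, 25, tzinfo=timezone.utc), "Size": 23},
        {"Key": "finance.txt", "VersionId": "f1", "IsLatest": True,
         "LastModified": datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc), "Size": 10},
    ],
    "DeleteMarkers": [],
}

# The same bucket after important.txt is also deleted: a delete marker becomes
# the newest entry and the key vanishes from plain listings, but both versions survive.
LISTING_AFTER_DELETE = {
    "Versions": [dict(v, IsLatest=False) if v["Key"] == "important.txt" else v
                 for v in LISTING["Versions"]],
    "DeleteMarkers": [
        {"Key": "important.txt", "VersionId": "dm1", "IsLatest": True,
         "LastModified": datetime(2024, 1, 1, 12, 30, tzinfo=timezone.utc)},
    ],
}

if __name__ == "__main__":
    vid = recoverable_version_id(LISTING, "important.txt")
    print("overwritten version:", vid)
    print("restore with copy_object:", restore_plan("example-bucket", "important.txt", vid))
    print("after a delete, newest real version:",
          recoverable_version_id(LISTING_AFTER_DELETE, "important.txt"))
```

Restoring by copying rather than deleting the newer version keeps the full audit trail, which is usually what you want when the overwrite was an incident rather than a mistake.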