I maintain my personal website, jackamoratis.com, on an AWS EC2 instance. A standard security measure is to transfer copies of server logs off the server itself so that they can be studied later if the server is ever compromised. Being on AWS, I have set up an automated system that copies my logs into an S3 bucket. This involved creating an S3 bucket and then composing a security access policy. I didn’t want to allow anyone in the world to upload content to my bucket. Also, in the event of an attack on my server, I wouldn’t want the attackers to be able to delete the logs. So I needed a one-way solution that gives my server the power to upload logs, but not to delete them.
My main resource was Amazon’s guide to the syntax of writing access policies:
A prerequisite is that you have already set up a bucket and allowed “All authorized users” to access it.
Here is what I did:
1. Go to the AWS Management Console
2. Select “Identity & Access Management” (Access Control and Key Management)
3. Click on user -> Create new user
4. Enter username and click create
5. Download the credentials. It would be easy to overlook this step if you have not done this before, but it’s important because it’s the only time you will get your Secret Access Key (a long string of characters). We’ll use these credentials later.
6. Select Policies from the menu on the left.
7. Up top, click Create Policy
8. Copy an AWS managed Policy
9. In the ‘Search Policies’ box, type in S3. You will see two results (at least at the time of this writing): AmazonS3FullAccess and AmazonS3ReadOnlyAccess
10. Select the first one (AmazonS3FullAccess)
11. Provide a new policy name (such as “AmazonS3PutOnlyAccess”)
12. Provide a description (such as “Policy for log uploads only.”)
13. In the “Policy Document” section, the text box shows the JSON of the policy we copied. This is where we need to do the customization that actually gives us an “upload only” policy:
Right now, Action contains s3:*. A policy can grant many different kinds of actions, including some that deal with EC2 instances, others that deal with Glacier storage, and so on. In this case, we’re addressing what actions can be done with S3, and the asterisk (*) grants all of them. We simply need to change “s3:*” to “s3:Put”.
Taking a step back, the possible S3 actions include list, get, put, etc. An asterisk means that any of these are allowed, but we are free to name one or more of them instead (separated by commas if more than one). In our case, we want to allow a single action, namely, to Put.
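As an added example (not the JSON from the original post, which is not reproduced above), here is the policy document after the edit. The action name IAM actually evaluates is `s3:PutObject` (the page’s “s3:Put” is shorthand), and the copied AmazonS3FullAccess document’s `"Resource": "*"` is narrowed to a placeholder bucket ARN, so the key can only write objects into that one bucket:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LogUploadOnly",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-LOG-BUCKET/*"
    }
  ]
}
```

Because no Get, List or Delete actions are granted, a compromised server cannot read back or remove what it has uploaded; note that PutObject can still overwrite an existing key, so enable bucket versioning or use a unique (e.g. timestamped) object name per upload.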
Now that we’ve created our policy…
– Go back to Users
– Select the user
– Scroll down to “Attach Policy”
– Use the search box to find our newly created policy
– Select the policy and attach it
Now we need an upload script. I modeled my own on this script. At the top you will see where to fill in your s3key and s3secret.
You can then place this script into one of your cron folders in /etc, such as /etc/cron.weekly, to have it regularly upload your logs. I actually have my script set to upload a tar archive of all my logs and then clear them off the local disk.