|« PreviousNext »|
|Did this page help you? Yes | No | Tell us about it...|
Amazon S3 is a REST service. You can send requests to Amazon S3 using the REST API or the AWS SDK (see STS Sample Code and Libraries), wrapper libraries that wrap the underlying Amazon S3 REST API simplifying your programming tasks.
Every interaction with Amazon S3 is either authenticated or anonymous. Authentication is a process of verifying the identify of the requester trying to access Amazon Web Services (AWS) product. Authenticated requests must include a signature value that authenticates the request sender. The signature value is, in part, generated from the requester's AWS security credentials.
If you are using the AWS SDK, the libraries compute the signature from the credentials you provide. However, if you make direct REST API calls in your application you must write the code to compute the signature and add it to the request.
The following sections review the types of security credentials that you can use to make authenticated requests.
When you create an AWS Account, AWS assigns the following credentials to you:
Access Key ID (a 20-character, alphanumeric string). For example: AKIAIOSFODNN7EXAMPLE
Secret Access Key (a 40-character string). For example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
The Access Key ID uniquely identifies an AWS Account. You can use these AWS Account credentials to send authenticated requests to Amazon S3.
You can create one AWS Account for your company, however, there may be several employees in the organization who need access to your organization's AWS resources. Sharing your AWS Account credentials reduces security, and creating individual AWS Accounts for each employee might not be practical. Also, you cannot easily share the resources such as buckets and objects because they are owned by different accounts. To share resources, you must grant permissions, which is additional work.
In such scenarios, you can use AWS Identity and Access Management (IAM) service to create users under your AWS Account with their own security credentials (Access Key ID and Secret Access Key) and attach IAM user policies granting appropriate resource access permissions to them. To better manage these users, IAM enables you to create groups of users and grant group level permissions that apply to all users in that group.
These users are referred as IAM users that you create and manage within AWS. The parent account controls a user's ability to access AWS. Any resources an IAM user creates are under the control of and paid for by the parent AWS Account. These IAM users can send authenticated requests to Amazon S3 using their own security credentials. For more information about creating and managing users under your AWS account, go to AWS Identity and Access Management (IAM).
In addition to creating IAM users with their own security credentials, IAM also enables you to grant temporary security credentials to any user to enable them to access your AWS services and resources. You can manage users in AWS. These are referred as IAM users. You can also manage users in your system, outside AWS. These are referred as federated users. Additionally, users can also be applications that you create to access your AWS resources.
IAM provides the AWS Security Token Service (STS) API for you to request temporary security credentials. You can use either the AWS STS API or the AWS SDK to request these credentials. The API returns temporary security credentials (Access Key ID and Secret Access Key), and a security token. These credentials are valid at most for the duration you specify when you request them. You use the Access Key ID and Secret Access Key credentials the same way you use them when sending requests using your AWS Account or IAM user credentials. In addition, you must include the token in each request you send to Amazon S3.
An IAM user can request these temporary security credentials for their own use or hand them out to federated users or applications. When requesting temporary security credentials for federated users, you must provide a user name and an IAM policy defining the permissions you want to associate with these temporary security credentials. The federated user cannot get more permissions than the parent IAM user who requested the temporary credentials.
You can use these temporary security credentials in making requests to Amazon S3. The API libraries compute the necessary signature value using those credentials to authenticate your request. If you send requests using expired credentials, Amazon S3 denies the request.
For information on signing requests using temporary security credentials in your REST API requests, see Signing and Authenticating REST Requests. For information about sending requests using AWS SDKs, see Making Requests using AWS SDKs.
For more information about IAM support for temporary security credentials, go to Granting Temporary Access to Your AWS Resources.
For added security, you can require MFA authentication when accessing your Amazon S3 resources. You can do this by configuring a bucket policy (see Adding Bucket Policy to Require MFA Authentication). After you require MFA authentication to access your S3 resources, the only way you can access these resources is by providing temp credentials that are created with an MFA key. For more information, go to AWS Multi-Factor Authentication detail page and Configuring MFA-Protected API Access in the AWS Identity and Access Management Using IAM guide.
AWS Accounts and IAM users have Access Key ID and Secret Access Key security credentials.
Your Access Key ID and Secret Access Key are displayed when you create your AWS account. They are not e-mailed to you. If you need to see them again, you can view them at any time from your AWS account.
Go to the Amazon Web Services web site at http://aws.amazon.com.
Click the Account tab.
Click Security Credentials.
If you have not already signed in, Sign In or Create an AWS Account page displays. You must sign in before you can see your AWS account security credentials.
Your access credentials, Access Key ID and Secret Access Key, are displayed on the resulting Security Credentials page.
An AWS Account owner creates IAM users under its account. When the owner creates an IAM user under its account, the account owner gets to download the IAM user credentials (Access Key ID and Secret Access Key). The account owner can then provide these credentials for others to use. The IAM user can then use these credentials to send requests to Amazon S3.
Each IAM user needs a password to connect to the AWS Management Console. For more information, go to How does a user sign in?.
You request temporary security credentials programmatically. You can view them only when they are created.
You send REST requests to the service's predefined endpoint. The Amazon Web Services General Reference lists AWS Services and the corresponding endpoints. For information about Amazon S3 regions and endpoints, go to Regions and Endpoints.