Secret access key?

0

A company trying to send me my data says I need to provide the following things:

AWS_Access_Key_ID:
AWS_Secret_Access_Key:
AWS_Region:
AWS_Bucket:

I have the region and bucket, and I have also created a key ID connected to the bucket. I cannot figure out what "secret access key" means or how to make one. Please help.

4 Answers
0
AWS
EXPERT
David
answered 6 months ago
0

Hi,

You must never share your AWS_Access_Key_ID & AWS_Secret_Access_Key with anyone. It can result in your account being compromised. In case you want the other company to share data with you through S3, you can use S3 pre-signed URLs, which grant time-limited access to your S3 bucket. Link to documentation:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html

Cheers! Prince Arora

answered 6 months ago
0

Hi englishtiger2011,

Why does the company need to upload data to your S3 bucket?

Do you happen to know if this company is using AWS as well? If they do, I would advise you to create an IAM role in your account with the least amount of privilege needed to get the job done. The company would then have to assume your role and perform the necessary actions.

The other option here, if they are not on AWS, is to use presigned URLs [1]. It requires a bit more plumbing, but is much more secure than providing IAM user credentials to an external party.

[1] https://docs.aws.amazon.com/AmazonS3/latest/userguide/PresignedUrlUploadObject.html

Hope this helps.

Kind regards, Andrei Scorus
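As an added example (it is not code from either of the two answers above), the following pure-Python code makes the mechanism behind Prince's and Andrei's advice visible: a presigned URL carries the access key ID and a SigV4 signature derived from the secret, but never the secret itself, and it stops working after `X-Amz-Expires` seconds. It implements the standard S3 SigV4 query-string scheme with an unsigned payload. The access key, secret, bucket and timestamp in `docs_example()` are the non-functional example values from the AWS SigV4 documentation, reused so the result can be compared against the signature documented there; the bucket and object key in the `PUT` case are constructed placeholders. In practice you would let an SDK build the URL (for example boto3's `generate_presigned_url`); the hand-rolled version is here to show what ends up in the URL and what does not.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

# Non-functional example credentials published in the AWS SigV4 documentation
# (not real keys); used only to reproduce the signature documented there.
DOCS_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DOCS_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def utc(stamp):
    """Parse an X-Amz-Date style timestamp ('20130524T000000Z') into an aware datetime."""
    return datetime.strptime(stamp, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret_key, date, region, service="s3"):
    # SigV4 key derivation: the secret is consumed here and never appears in the URL.
    k = _hmac(("AWS4" + secret_key).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def presign(method, bucket, key, region, access_key, secret_key, expires, now, host=None):
    """Build an S3 presigned URL (SigV4 query-string auth, unsigned payload).

    method:  'GET' lets the holder download the object, 'PUT' lets them upload it.
    expires: lifetime in seconds (S3 caps this at 7 days).
    now:     aware datetime used as the signing time.
    """
    host = host or f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",  # the key ID is public by design
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, every key and value URI-encoded.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    path = "/" + quote(key, safe="-_.~/")
    canonical_request = "\n".join(
        [method, path, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()]
    )
    signature = hmac.new(
        _signing_key(secret_key, date, region), string_to_sign.encode(), hashlib.sha256
    ).hexdigest()
    return {
        "url": f"https://{host}{path}?{canonical_query}&X-Amz-Signature={signature}",
        "canonical_request": canonical_request,
        "string_to_sign": string_to_sign,
        "signature": signature,
    }


def seconds_remaining(url, now):
    """How long a presigned URL is still valid at `now` (negative once expired)."""
    q = parse_qs(urlsplit(url).query)
    issued = utc(q["X-Amz-Date"][0])
    return int((issued + timedelta(seconds=int(q["X-Amz-Expires"][0])) - now).total_seconds())


def docs_example():
    """The worked GET example from the AWS SigV4 query-parameter documentation."""
    return presign("GET", "examplebucket", "test.txt", "us-east-1", DOCS_ACCESS_KEY,
                   DOCS_SECRET_KEY, 86400, utc("20130524T000000Z"),
                   host="examplebucket.s3.amazonaws.com")


if __name__ == "__main__":
    print(docs_example()["url"])
    # The upload case from the question: a PUT URL for a constructed bucket and key.
    up = presign("PUT", "my-data-bucket", "incoming/export.csv", "eu-west-1",
                 DOCS_ACCESS_KEY, DOCS_SECRET_KEY, 3600, datetime.now(timezone.utc))
    print(up["url"])
```

For the asker's situation the URL to hand over is the `PUT` one: the partner can upload exactly that object until the URL expires, and nothing else, while the secret stays with whoever generated it. Whoever generates the URL needs `s3:PutObject` on that key; the URL never grants more than the signer holds.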

AWS
answered 6 months ago
EXPERT
reviewed 6 months ago
0

Mornin' englishtiger2011,

I'm in total agreement with Prince and Andrei - I would be very hesitant on giving out key pairs for an IAM User to a 3rd Party. However, that is not to say that they don't have legitimate need for them.

Do push back and ask why they need this, and if they have an AWS account of their own then why can't they use a user or role from that account to do the data transfer to S3? I would go a step more restrictive than Andrei and wouldn't make a role for them to assume in my account - I would instead add a statement to your S3 bucket policy which specifically allowed one of their users or roles (you would use the ARN of the user or role) to make 'PutObject' calls to your bucket. That way they can essentially do a cross-account action. You can find a quick walk-through here, but there are more examples in the AWS docs to help you here.

If you do go down the route of giving them an IAM User and generating a key pair for them to use for this transfer, a few things to bear in mind:

  • Give them as little permission as possible. If they're using a key pair, then they don't need List or Get permissions, so only give the relevant Put permissions.
  • Be specific with the bucket that they can work with. There are loads of examples out there to help you with this.
  • Be sure to revoke the key pair and delete the user, once you're happy that they're done.
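As an added example (not code from this answer), the following Python builds the two policies this answer describes, the bucket-policy statement that lets one named external principal call `PutObject`, and the Put-only identity policy for the fallback IAM-user route, and then lints a policy for the things the three bullets warn about: a wildcard principal, actions beyond `s3:PutObject`, and resources not scoped to objects in your bucket. The bucket name, prefix and partner ARN are constructed placeholders.

```python
import json

# Constructed placeholders: substitute your own bucket name and the partner's
# real IAM user or role ARN (they can give you that without sharing any secret).
BUCKET = "example-data-bucket"
PARTNER_PRINCIPAL_ARN = "arn:aws:iam::111122223333:role/PartnerUploadRole"
UPLOAD_PREFIX = "incoming/"


def cross_account_put_policy(bucket, principal_arn, prefix=UPLOAD_PREFIX):
    """Bucket policy for the cross-account route: one named external principal
    may PutObject under one prefix; List, Get, Delete and other prefixes are not granted."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PartnerPutObjectOnly",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def upload_only_identity_policy(bucket, prefix=UPLOAD_PREFIX):
    """Identity policy for the fallback route (a dedicated IAM user with a key pair):
    the same Put-only, one-prefix scope, so the key cannot list or read anything."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PutObjectOnly",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
        }],
    }


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy, bucket, allowed_actions=("s3:PutObject",)):
    """Return findings for Allow statements broader than an upload-only grant on one bucket."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            findings.append(f"{sid}: wildcard Principal grants anonymous access")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"{sid}: wildcard Action {action!r}")
            elif action not in allowed_actions:
                findings.append(f"{sid}: Action {action!r} is not needed for an upload")
        for resource in _as_list(stmt.get("Resource")):
            if not resource.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"{sid}: Resource {resource!r} is not scoped to objects in {bucket}")
    return findings


# Constructed counter-example of the kind of grant the bullets above warn against.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Bad", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:*", "Resource": "*"}],
}


if __name__ == "__main__":
    print(json.dumps(cross_account_put_policy(BUCKET, PARTNER_PRINCIPAL_ARN), indent=2))
    print("findings:", lint_policy(cross_account_put_policy(BUCKET, PARTNER_PRINCIPAL_ARN), BUCKET))
    print("findings:", lint_policy(OVERLY_BROAD, BUCKET))
```

One caveat for the cross-account route: with the bucket's object ownership set to "bucket owner enforced" (the default for new buckets), objects the partner uploads are owned by your account; on an older bucket that still uses ACLs you would additionally need the partner to set the `bucket-owner-full-control` ACL, or you will not be able to read what they uploaded.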
AWS
answered 6 months ago
EXPERT
reviewed 6 months ago
