My bucket objects need to be TLS 1.2 or later


Hello all. I'm really new to AWS and trying to learn quickly but feeling a bit lost with this one, sorry. I have a website hosted with Siteground that I embed mp4 movies to watch within my pages/articles. I upload member video content to my Amazon bucket and then have a bucket permission policy that only allows visitors that are already on my website to play these videos. I don't fully understand it and believe it is quite old, but it works really, really well and effectively.

I then copy the movie file url from my bucket into my website page and it stops anyone who isn't visiting my website url from watching these videos.

Apologies if it is horrifyingly unsecure and bad but I would love to know if this needs changing and is the reason I am getting emails saying I have objects in my buckets that need updating to TLS 1.2 or later.

Or do I keep this and need to add something further to make me compliant for the TLS 1.2 standards and will they work together OK?

Could someone please kindly help me understand what I need to do for my buckets that would still only allow my website visitors to watch my AWS stored video files if they are only on my domain URL for the website?

The permission I added to my buckets is this and it works just as I want, but I am getting emails from Amazon saying my objects need to support TLS 1.2 or later and I honestly don't understand this at the moment as my knowledge isn't there yet.

```json
{
  "Version": "2008-10-17",
  "Id": "Policy141436833278",
  "Statement": [
    {
      "Sid": "Stmt1414368595009",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket-name/*",
      "Condition": {
        "StringLike": { "aws:Referer": "https://www.my-domain.com/*" }
      }
    }
  ]
}
```

Sorry if I am in over my head and my naivety is laughable. I know I'm punching above my weight at the moment with AWS but see a real benefit in it for us if I can just get up to speed with learning its potential better.

Thanks to anyone reading this and apologies if I am the classic stereotype of a clueless fool.

Bob

2 Answers
Accepted Answer

It is my pleasure to help nice people like yourself. The good news is that your S3 buckets are already TLS 1.2 compliant. This is really referring to the client. The clients which are connecting to S3 are out of date and are not communicating using the latest standards, like TLS 1.2. So you need to review the website in Siteground and make some updates to the software that is connecting to the bucket. For example, if you are using AWS SDK or CLI, then these should be updated to the latest version.

Hope this helps, if so please accept this answer.

answered 9 months ago
  • Thanks Bryant. This original answer above and the brilliant follow-up comment from you below really did help me understand things better, thanks. I was feeling like I didn't fully understand what was needed but you have given me some great insight and knowledge, thanks. I will give things a try and come back to you if it works for me. Bob


Thank you for getting back to me so quickly and so clearly Bryant. I really appreciate both aspects as someone who is very new to this giant environment. Thank you. Thanks for reassuring me that I seem to be all good at my bucket and S3 level here. If I am understanding your reply properly are you saying that it is my website with Siteground that is causing these emails to me and my changes need to be done on that side? I know no shame or have no embarrassment with how I run my website and think honesty is always the best policy. It is certainly always the funniest I find and the laugh is usually at my expense... So here goes with further confessionals. Our website is currently running Joomla 3.x and PHP 7 but is finally due to migrate to Joomla 4 and PHP 8 in the next 10 days. Are these the kind of upgrades and changes that will stop these issues going forward where you say: "The clients which are connecting to S3 are out of date and are not communicating using the latest standards, like TLS 1.2. So you need to review the website in Siteground and make some updates to the software that is connecting to the bucket"?

"For example, if you are using AWS SDK or CLI, then these should be updated to the latest version." - This part has thrown me, sorry, as I am not knowingly aware I am using these but have seen them referenced in other emails or posts. Should I be using them and do they need particular skills to learn?

All I do is (and again feeling awkward and simplistic) upload my videos to my bucket through the AWS console. Copy the video URL to my clipboard. Create a Joomla article in my website and enclose the URL within curly brackets for a video player Joomla extension I have installed in my site. That's my box of chocolates! When we talk clients are we meaning software like Joomla, PHP and maybe the video player extension, or people visiting my site not having the latest browser or some such? I'm thinking more my website software is the client here and will updating the website CMS and extensions bring me up to speed and be where I need to be? Thank you so much for your patience, understanding and humility so far and I do apologise for not being better with my knowledge. As in having none whatsoever. I realise the AWS re:Post community is going to be benefitting me far more than I can possibly benefit back.

Bob

answered 9 months ago
  • Yes the issue is on the client side, so it is likely related to your website. Upgrading PHP to a new version is certainly a good idea. I've never coded in PHP so I can't be certain this will resolve the issue.

    I read your reply carefully and can now see that you're probably not using the AWS SDK or CLI to perform the uploads. So you don't need to worry about this to solve the TLS 1.2 issue.

    The "client" is exactly as you have mentioned. It is anything requesting videos, content, etc. from the S3 bucket. These clients must be using TLS 1.2 to resolve the issue.

    As a debugging technique, you could consider changing the S3 bucket policy and requiring that all requests use TLS 1.2 or higher. If you make this change, it will deny requests that are not TLS 1.2. This means it could break something. But this also provides a clue. Whatever stops working is the part that needs updating.

    Here's a post describing how to adjust the bucket policy: https://repost.aws/knowledge-center/s3-enforce-modern-tls

    I suggest making a backup of any S3 policies that you change so you can roll back to the original and keep your site operational.

  • Thanks again Bryant. Really good advice and I really appreciate your time to reply. I'm going to give this a go with the policy changes and post link you provided too.

    I did confess to being a newbie here and I now want to ask something else about these posts please? Have I been a total bozo and submitted my reply to you as an answer? Have I managed to stuff up the way the threads work Bryant sorry? I'm seeing I can accept my 'Answer' that was really a question and then your brilliant help is kinda nested on my question. Have I made a mess of things even asking for help too? Oh my oh my. This could be embarrassing for me hey? :) I realise that you should get the thanks and any reward points for helping me Bryant so please let me know how.

    I don't want you thinking this is a post you regret stumbling upon.

    Thanks

    Bob

  • Hi Bob. You did fine. I was able to follow and hopefully you'll be able to resolve your issue. If you'd like to help me with rewards points, simply "Accept my Answer" on the first shared answer that I provided. Also give it a thumbs up. Much appreciated! Bryant
