Day 67 - AWS S3 Bucket Creation Using Terraform

Amazon Simple Storage Service (Amazon S3) is an object storage service that offers industry-leading scalability, data availability, security, and performance. You can use Amazon S3 to store and retrieve any amount of data at any time, from anywhere.

Amazon S3 lets you manage your data via the AWS Management Console and the S3 API.

Amazon S3 stores every object redundantly across several Availability Zones in the region, which protects against hardware loss. It does not protect against an overwrite or deletion by a caller that is allowed to write; that is what the versioning feature in section 4 is for.

1. Create an S3 bucket using Terraform

Step 1: Create a terraform.tf file that declares the AWS provider Terraform has to download.

terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

Step 2: Add a provider.tf that sets the AWS region you are deploying to.

provider "aws" {
  region = "us-east-1"
}

Step 3: Create an s3.tf file. The aws_s3_bucket resource creates a new S3 bucket; my_bucket is the local name Terraform uses to reference it elsewhere in the configuration, and bucket is the real bucket name.

resource "aws_s3_bucket" "my_bucket" {
  # Bucket names are global across all AWS accounts, so pick one nobody else holds.
  bucket = "my-demo-bucket-021"
}

Step 4: Run the terraform init command to initialize the working directory and download the required providers.

Step 5: Once the provider plugins are installed, run terraform plan. It compares the configuration with the current state and shows the changes needed to reach the desired state, without making any of them.

Step 6: Finally, run terraform apply to make those changes, creating or updating resources as needed.

Step 7: Confirm in the S3 console (or with aws s3 ls) that the bucket exists.

2. Configure the bucket to allow public read access

The bucket created in section 1 is private: no policy grants access to it and the account-default Block Public Access settings are on. To allow anonymous read access, this section attaches a bucket policy with the aws_s3_bucket_policy resource (not an ACL) and relaxes Block Public Access with aws_s3_bucket_public_access_block.

Step 1: The IAM user Terraform runs as needs permission to change the bucket's policy and its Block Public Access settings. In the IAM console open the user and, under Permissions policies, choose Create inline policy.

Scope that policy to this bucket (Resource arn:aws:s3:::my-demo-bucket-021) and to the actions actually needed: s3:GetBucketPolicy, s3:PutBucketPolicy, s3:DeleteBucketPolicy, s3:GetBucketPublicAccessBlock and s3:PutBucketPublicAccessBlock. Do not grant s3:* on all buckets; an identity that can edit any bucket policy can make any bucket in the account public.

Step 2: Create a file access.tf. Both resources reference the bucket through the bucket argument (aws_s3_bucket.my_bucket.id). The PublicRead statement allows s3:GetObject on every object under the bucket (the /* suffix) for Principal "*", which means any caller at all, anonymous included; because s3:ListBucket is not granted, objects can be fetched by key but the bucket cannot be listed. The second resource turns off all four Block Public Access settings. They default to on, and while block_public_policy is on S3 refuses to store a public policy (terraform apply fails with AccessDenied), so the policy resource declares depends_on on the public access block to get the ordering right.

resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.my_bucket.id

  # Principal "*" is everyone on the internet, unauthenticated callers included.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "PublicRead"
        Effect    = "Allow"
        Principal = "*"
        Action    = ["s3:GetObject"]
        Resource  = ["${aws_s3_bucket.my_bucket.arn}/*"]
      }
    ]
  })

  # S3 rejects a public policy while block_public_policy is still on, so the
  # guardrails must be relaxed before this resource is created.
  depends_on = [aws_s3_bucket_public_access_block.pem_access]
}

resource "aws_s3_bucket_public_access_block" "pem_access" {
  bucket = aws_s3_bucket.my_bucket.id

  # All four guardrails off: this is what makes the bucket reachable publicly.
  block_public_acls       = false
  block_public_policy     = false
  ignore_public_acls      = false
  restrict_public_buckets = false
}

Step 3: The console step of switching Object Ownership to "ACLs enabled" (Bucket > Permissions tab > Object Ownership > Edit) is only required when access is granted through an ACL, i.e. an aws_s3_bucket_acl resource with acl = "public-read". The configuration above grants access through a bucket policy, which works with the default ACLs-disabled (Bucket owner enforced) setting, so Object Ownership can be left alone.

Step 4: Run the terraform init command to initialize the working directory and download the required providers.

Step 5: Once the provider plugins are installed, run terraform plan to see the policy and public access block that will be created.

Step 6: Finally, run terraform apply to make those changes.

Step 7: Every object in the bucket is now readable by anyone who knows its key, at https://my-demo-bucket-021.s3.amazonaws.com/<key>, with no credentials at all. aws s3api get-bucket-policy-status --bucket my-demo-bucket-021 reports "IsPublic": true, and the console flags the bucket as publicly accessible. Use this only for content that is meant to be public, such as static website assets; for anything else leave the Block Public Access settings at their defaults.

3. Create an S3 bucket policy that allows read-only access to a specific IAM user or role

To restrict reads to one IAM user or role, attach a bucket policy whose Principal is that identity's ARN instead of "*". A bucket holds exactly one policy, so this policy replaces the PublicRead one: remove the aws_s3_bucket_policy.bucket_policy resource from access.tf (two aws_s3_bucket_policy resources on the same bucket overwrite each other on every apply) and set the four block_public_* flags back to true, since nothing public is needed any more.

Step 1: Create a file iam.tf. An aws_iam_policy_document data source builds the policy: the principals block names the IAM user ARN, actions grants s3:ListBucket and s3:GetObject, and resources lists both the bucket ARN (which ListBucket applies to) and the bucket ARN with /* (which GetObject applies to). Nothing else is granted, so the user can list and download but not write or delete.

data "aws_iam_policy_document" "read_only" {
  statement {
    sid    = "ReadOnlyForTerraformUser"
    effect = "Allow"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::459840383823:user/Terraform-user"] # the one identity allowed to read
    }

    # ListBucket applies to the bucket itself, GetObject to the objects in it.
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      aws_s3_bucket.my_bucket.arn,
      "${aws_s3_bucket.my_bucket.arn}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "bucket_iam_policy" {
  bucket = aws_s3_bucket.my_bucket.id
  policy = data.aws_iam_policy_document.read_only.json
}

Step 2: Run the terraform init command to initialize the working directory and download the required providers.

Step 3: Once you initialize all the plugins required for AWS, now execute the terraform plan which will create an execution plan by analyzing the changes required to achieve the desired state of your infrastructure.

Step 4: Finally, use the command terraform apply it will apply the changes to create or update resources as needed.

Step 5: The bucket policy now allows read-only access to that one IAM user; every other principal, including anonymous callers, is denied.
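The difference between the section 2 policy and the section 3 policy can be checked offline, before terraform apply, by applying the same rules S3 uses when it decides whether a bucket is public. The Python below is an added example and not code from the original post: it takes a bucket policy document plus the four Block Public Access flags (mirroring aws_s3_bucket_public_access_block) and classifies what an anonymous client ends up with. The two policy documents embedded in it are copies of the ones in this post; the third, VPC-scoped policy and its VPC id are constructed to show a "*" principal that S3 does not count as public, and the set of narrowing condition keys is a subset of the ones AWS recognises.

```python
"""Offline exposure check for an S3 bucket policy plus Block Public Access.

Added example, not code from the original post. A statement is public when
Effect is Allow, Principal is "*" or {"AWS": "*"}, and no Condition narrows
the caller with a key AWS recognises as limiting; BlockPublicPolicy then makes
S3 refuse to store the policy and RestrictPublicBuckets makes S3 ignore it.
"""
import json
from dataclasses import dataclass

# Subset of the condition keys AWS treats as narrowing a "*" principal.
NARROWING_CONDITION_KEYS = {
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:sourcearn",
    "aws:sourceaccount", "aws:principalarn", "aws:principalaccount",
    "aws:principalorgid", "aws:principalorgpaths", "aws:userid",
}


@dataclass(frozen=True)
class PublicAccessBlock:
    """Mirror of aws_s3_bucket_public_access_block; AWS defaults are all true."""
    block_public_acls: bool = True
    ignore_public_acls: bool = True
    block_public_policy: bool = True
    restrict_public_buckets: bool = True


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    # Both spellings mean "everyone", authenticated or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _has_narrowing_condition(statement):
    keys = {k.lower() for block in statement.get("Condition", {}).values() for k in block}
    return bool(keys & NARROWING_CONDITION_KEYS)


def public_statements(policy_json):
    """Map Sid -> actions for every statement that grants access to anyone."""
    found = {}
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if (stmt.get("Effect") == "Allow"
                and _is_wildcard_principal(stmt.get("Principal"))
                and not _has_narrowing_condition(stmt)):
            found[stmt.get("Sid", f"statement-{i}")] = _as_list(stmt.get("Action", []))
    return found


def effective_exposure(policy_json, pab):
    """What an anonymous client gets: "private" (no public grant), "rejected"
    (BlockPublicPolicy makes PutBucketPolicy fail, so terraform apply errors
    with AccessDenied), "blocked" (RestrictPublicBuckets stores the policy but
    ignores its public grants) or "public" (all guardrails off, grants live)."""
    if not public_statements(policy_json):
        return "private"
    if pab.block_public_policy:
        return "rejected"
    if pab.restrict_public_buckets:
        return "blocked"
    return "public"


# Policy from the post's section 2: anyone may read any object.
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::my-demo-bucket-021/*"]}]})

# Policy from the post's section 3: one IAM user, read-only.
USER_SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadOnlyForTerraformUser", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::459840383823:user/Terraform-user"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-demo-bucket-021", "arn:aws:s3:::my-demo-bucket-021/*"]}]})

# Constructed: a "*" principal narrowed to one VPC (placeholder id), which S3
# does not count as public.
VPC_SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadFromOurVpcOnly", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-demo-bucket-021/*",
    "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}}]})

if __name__ == "__main__":
    off = PublicAccessBlock(False, False, False, False)
    for name, policy in [("public-read", PUBLIC_READ_POLICY),
                         ("user-scoped", USER_SCOPED_POLICY), ("vpc-scoped", VPC_SCOPED_POLICY)]:
        print(f"{name:12} {effective_exposure(policy, off):9} with guardrails off,"
              f" {effective_exposure(policy, PublicAccessBlock())} with AWS defaults")
```

Run as a script it prints one line per policy. The useful outcome is the "rejected" row for the section 2 policy with the AWS default flags: that is exactly the AccessDenied you get from terraform apply when the depends_on on the public access block is missing, and it is the reason to keep the four flags at their defaults on any bucket that does not need to be public. The same function can be wired into a pre-apply check over the policies a Terraform plan is about to create.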

4. Enable versioning on the S3 bucket

S3 bucket versioning is a feature in AWS S3 that enables the preservation and tracking of multiple versions of an object. It provides an added layer of data protection, allowing you to recover and restore previous versions of objects stored in an S3 bucket.

Step 1: In s3.tf, add an aws_s3_bucket_versioning resource that targets the existing bucket. With AWS provider 4.x the versioning block inside aws_s3_bucket is deprecated, and declaring a second aws_s3_bucket with the same name would try to create a bucket that already exists.

resource "aws_s3_bucket_versioning" "my_bucket_version" {
  bucket = aws_s3_bucket.my_bucket.id

  versioning_configuration {
    # "Suspended" keeps the versions already stored but stops creating new ones.
    status = "Enabled"
  }
}

Step 2: Run the terraform init command to initialize the working directory and download the required providers.

Step 3: Once you initialize all the plugins required for AWS, now execute the terraform plan which will create an execution plan by analyzing the changes required to achieve the desired state of your infrastructure.

Step 4: Finally, run terraform apply to enable versioning on the bucket.

Step 5: Verify in the bucket's Properties tab (or with aws s3api get-bucket-versioning --bucket my-demo-bucket-021) that Bucket Versioning shows Enabled.

Step 6: When you are done with the bucket, terraform destroy removes everything this configuration created. Destroy fails on a bucket that still holds objects, and once versioning is on the old versions and delete markers count as well, unless the aws_s3_bucket resource sets force_destroy = true; so either empty the bucket first or be sure you want Terraform to delete its contents.

Conclusion

In conclusion, utilizing Terraform to create an Amazon S3 bucket streamlines the process by providing infrastructure as code capabilities. This approach offers numerous advantages, including version control, reproducibility, and automation, thus enhancing scalability and reducing human error.

With Terraform, configuring and managing S3 buckets becomes more efficient and standardized, contributing to a more robust and manageable cloud infrastructure.

Hope you find it helpful🤞 So I encourage you to try this on your own and let me know in the comment section👇 about your learning experience.✨

👆The information presented above is based on my interpretation. Suggestions are always welcome.😊

~Smriti Sharma✌