Understanding ACLs

March 19, 2018

Course Instructor: Elliot Forbes

Hey Gophers! My name is Elliot and I'm the creator of TutorialEdge and I've been working with Go systems for roughly 5 years now.

Twitter: @Elliot_f

We now have a handle on how we can upload and download items. It’s important now to take a step back and understand how we can ensure we are not exposing our incredibly private hello-world.txt file to the wider web.

In this video, we are going to cover ACLs, or Access Control Lists as they are more formally known, and how we can use them to prevent unauthorized access to the contents of our buckets.

Secure By Default

By default, when you upload items to an S3 bucket, AWS assigns them a private ACL, which means that only identities with access to that AWS account and that S3 bucket have the ability to download them.

In the previous video, we used the public-read Canned ACL to enable us to download this file from a browser with no additional security credentials in place.

Canned ACLs

When I talk about canned ACLs, I am talking about a pre-defined ACL that AWS has defined, with a set of grantees and permissions already in place. There are a number of different ones available to us which cover most of the general use-cases.

You can find out more about these canned ACLs here - ACL Overview

package main

import (
	"fmt"
	"log"
	"os"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/s3/s3manager"
)

func main() {
	fmt.Println("Understanding ACLs")
	// Credentials come from the usual SDK chain (env vars, shared config, role).
	sess, err := session.NewSession(&aws.Config{
		Region: aws.String("us-west-2"),
	})
	if err != nil {
		log.Fatalf("Could not get session: %v", err)
	}

	f, err := os.Open("05-understanding-acls/my-file.txt")
	if err != nil {
		log.Fatalf("Could not open file: %v", err)
	}
	defer f.Close()

	uploader := s3manager.NewUploader(sess)
	// First upload: explicitly public-read, so anyone on the web can GET the
	// object by URL with no credentials.
	result, err := uploader.Upload(&s3manager.UploadInput{
		ACL:    aws.String("public-read"),
		Bucket: aws.String("go-aws-s3-course"),
		Key:    aws.String("my-file.txt"),
		Body:   f,
	})

	if err != nil {
		log.Fatal(err.Error())
	}

	log.Printf("Upload Result: %+v\n", result)

	f2, err := os.Open("05-understanding-acls/private.txt")
	if err != nil {
		log.Fatalf("Could not open file: %v", err)
	}
	// Close the second handle, not f again.
	defer f2.Close()

	// Second upload: no ACL field, so S3 applies the default private ACL and
	// only the owning account can read the object.
	result, err = uploader.Upload(&s3manager.UploadInput{
		Bucket: aws.String("go-aws-s3-course"),
		Key:    aws.String("private.txt"),
		Body:   f2,
	})

	if err != nil {
		log.Fatal(err.Error())
	}
	log.Printf("Upload Result: %+v\n", result)
}
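To make the "Secure By Default" and "Canned ACLs" points concrete, here is an added example (not part of the course code) that expands the canned ACLs from the lesson into the grants S3 actually attaches, then audits a grant list for anything that reaches outside the owning account. The Grant type is a local stand-in for the SDK's s3.Grant so the program builds without the AWS SDK; the owner ID is a constructed placeholder, and the group URIs are AWS's documented global-group identifiers. Note that "AuthenticatedUsers" means any AWS account, not just yours.

```go
package main

import (
	"fmt"
	"strings"
)

// Well-known S3 group grantee URIs. A grant to either of these group makes
// the object reachable from outside the owning account.
const (
	AllUsersURI           = "http://acs.amazonaws.com/groups/global/AllUsers"
	AuthenticatedUsersURI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
)

// Grant mirrors the fields of the SDK's s3.Grant that an audit needs.
// Local type so the example builds offline; with the real SDK these values
// come back from GetObjectAcl as *string fields (use aws.StringValue).
type Grant struct {
	GranteeType string // "CanonicalUser" or "Group"
	GranteeID   string // canonical user ID, for CanonicalUser grantees
	GranteeURI  string // group URI, for Group grantees
	Permission  string // "FULL_CONTROL", "READ", "WRITE", "READ_ACP", "WRITE_ACP"
}

// CannedACLGrants expands a canned ACL name into the grants S3 attaches when
// that ACL is applied to an object owned by ownerID.
func CannedACLGrants(acl, ownerID string) ([]Grant, error) {
	owner := Grant{GranteeType: "CanonicalUser", GranteeID: ownerID, Permission: "FULL_CONTROL"}
	allRead := Grant{GranteeType: "Group", GranteeURI: AllUsersURI, Permission: "READ"}
	switch acl {
	case "private": // the default when no ACL is set, as with private.txt above
		return []Grant{owner}, nil
	case "public-read": // what my-file.txt above was uploaded with
		return []Grant{owner, allRead}, nil
	case "public-read-write": // WRITE only has an effect on buckets, not objects
		return []Grant{owner, allRead,
			{GranteeType: "Group", GranteeURI: AllUsersURI, Permission: "WRITE"}}, nil
	case "authenticated-read":
		return []Grant{owner,
			{GranteeType: "Group", GranteeURI: AuthenticatedUsersURI, Permission: "READ"}}, nil
	}
	return nil, fmt.Errorf("unknown canned ACL %q", acl)
}

// Finding describes one grant that exposes the object beyond the owner account.
type Finding struct {
	Group      string // "AllUsers" or "AuthenticatedUsers"
	Permission string
}

func (f Finding) String() string { return f.Group + ":" + f.Permission }

// PublicGrants returns every grant made to a global group. An empty result
// means the ACL behaves as "private": only explicitly listed accounts
// (normally just the owner) can reach the object through the ACL.
func PublicGrants(grants []Grant) []Finding {
	var out []Finding
	for _, g := range grants {
		if g.GranteeType != "Group" {
			continue
		}
		switch g.GranteeURI {
		case AllUsersURI:
			out = append(out, Finding{"AllUsers", g.Permission})
		case AuthenticatedUsersURI:
			out = append(out, Finding{"AuthenticatedUsers", g.Permission})
		}
	}
	return out
}

// AuditCannedACL reports whether applying acl to an object would expose it, and how.
func AuditCannedACL(acl, ownerID string) (string, error) {
	grants, err := CannedACLGrants(acl, ownerID)
	if err != nil {
		return "", err
	}
	findings := PublicGrants(grants)
	if len(findings) == 0 {
		return fmt.Sprintf("%s: not exposed", acl), nil
	}
	parts := make([]string, len(findings))
	for i, f := range findings {
		parts[i] = f.String()
	}
	return fmt.Sprintf("%s: EXPOSED via %s", acl, strings.Join(parts, ", ")), nil
}

func main() {
	// Constructed placeholder; a real value is the account's canonical user ID.
	const owner = "EXAMPLE-CANONICAL-USER-ID"
	for _, acl := range []string{"public-read", "private", "authenticated-read", "public-read-write"} {
		msg, err := AuditCannedACL(acl, owner)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(msg)
	}
}
```

To run this against real objects, call s3.GetObjectAcl for each key and copy each grant's Grantee.Type, Grantee.URI, Grantee.ID and Permission into a Grant before passing the slice to PublicGrants; the caller needs READ_ACP on the object. Bucket-level Block Public Access settings, which AWS added to S3 later in 2018, can deny access even where such a grant exists, so treat a finding here as "exposed unless something else blocks it".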