  1. IGB
  2. IGBF-2559

Investigate: How to restrict HTTP requests

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels:
    • Story Points:
      1
    • Sprint:
      Fall 3: Oct 12 - Oct 23, Fall 4 Oct 26 - Nov 6, Fall 5 Nov 9 - Nov 20, Fall 6 Nov 30 - Dec 11, Fall 7 Dec 14 - Dec 23

      Description

      We would like to increase our use of S3 buckets to provide data to the IGB client application via HTTP.

      However, some people might be tempted to download the entire contents of a bucket using this same mechanism, which would be costly.

      Let's investigate: Is there a way that we could restrict HTTP requests to IGB only for an S3 bucket?

      For example, could we create some kind of filtering function or setting that would "greenlight" requests that meet some criteria, such as: the application making the request is IGB.

            Activity

            ann.loraine Ann Loraine added a comment -

            A new question for Chirag Chandrahas Shetty:

            To ensure that code running on a given host EC2, can we attach an IAM policy to the EC2 that would allow it to access the S3? This way, the responsibility for controlling what the EC2 can access would be given to the EC2 configuration itself. I think this would be simpler. Please let me know if this is possible, to your knowledge.

            ann.loraine Ann Loraine added a comment -

            FYI: I applied the above policy to the S3 bucket "krizek-lab" which is hosting some data in the ChIP-Seq quickload site.

            chirag24 Chirag Chandrahas Shetty (Inactive) added a comment - - edited

            [~aloraine] Yes, it should work with the IAM policy, and attaching an IAM policy would be much simpler.
            Just add the following policy to the S3 bucket so that IGB can access the S3 bucket, and attach the AmazonS3ReadOnlyAccess policy to the EC2 instance.

            {
                "Version": "2008-10-17",
                "Statement": [
                    {
                        "Effect": "Allow",
                        "Principal": "*",
                        "Action": "s3:GetObject",
                        "Resource": "arn:aws:s3:::loraine-lab/*",
                        "Condition": {
                            "StringLike": {
                                "aws:UserAgent": "*IGB*"
                            }
                        }
                    }
                ]
            }
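
Added example, not part of the ticket or of IGB's code: a simplified evaluator for the bucket policy posted above, run over constructed requests to show which ones the statement allows. It assumes this is the only policy in effect, ignores Principal and explicit Deny, and the User-Agent strings and object key are constructed (IGB's real header is not shown on this page).

```python
import json
import re
# Bucket policy exactly as posted in the comment above.
POLICY = json.loads("""
{"Version": "2008-10-17",
 "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::loraine-lab/*",
                "Condition": {"StringLike": {"aws:UserAgent": "*IGB*"}}}]}
""")

def like(pattern, value):
    """IAM StringLike: case-sensitive, '*' = any run of characters, '?' = exactly one."""
    parts = (".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch("".join(parts), value, re.DOTALL) is not None

def as_list(x):
    return x if isinstance(x, list) else [x]

def matches(st, action, resource, context):
    """Simplified: checks Effect, Action, Resource and StringLike conditions only."""
    conds = st.get("Condition", {}).get("StringLike", {})
    return (st["Effect"] == "Allow"
            and any(like(a, action) for a in as_list(st["Action"]))
            and any(like(r, resource) for r in as_list(st["Resource"]))
            # A request that lacks the condition key fails the condition.
            and all(k in context and any(like(p, context[k]) for p in as_list(v))
                    for k, v in conds.items()))

def allowed(action, resource, context):
    """Implicit deny unless some Allow statement matches."""
    return any(matches(st, action, resource, context) for st in as_list(POLICY["Statement"]))

# Constructed requests: (action, resource ARN, User-Agent header or None if absent).
OBJ = "arn:aws:s3:::loraine-lab/example/object.txt"
SAMPLES = [
    ("s3:GetObject", OBJ, "IGB/0.0.0"),              # assumed shape of IGB's header
    ("s3:GetObject", OBJ, "curl/7.68.0"),            # no "IGB" substring
    ("s3:GetObject", OBJ, "igb/0.0.0"),              # StringLike is case-sensitive
    ("s3:GetObject", OBJ, "report-tool (not IGB)"),  # substring match is enough
    ("s3:GetObject", OBJ, None),                     # header absent
    ("s3:ListBucket", "arn:aws:s3:::loraine-lab", "IGB/0.0.0"),  # listing not granted
]

def evaluate(samples=SAMPLES):
    return [allowed(a, r, {} if ua is None else {"aws:UserAgent": ua})
            for a, r, ua in samples]

if __name__ == "__main__":
    print(list(zip((s[2] for s in SAMPLES), evaluate())))
```

The AWS documentation for `aws:UserAgent` notes that the value comes from a caller-supplied HTTP header, so this condition filters by client rather than authenticating it. The statement grants `s3:GetObject` only, so it does not by itself permit listing the bucket's keys.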
            
            chirag24 Chirag Chandrahas Shetty (Inactive) added a comment - - edited

            Hi [~aloraine], should I close this ticket?

            ann.loraine Ann Loraine added a comment -

            Yes, please close it. Thank you - it's working great!


              People

              • Assignee:
                chirag24 Chirag Chandrahas Shetty (Inactive)
                Reporter:
                ann.loraine Ann Loraine
              • Votes:
                0
                Watchers:
                2