How to Secure Your Data With Serverless Access Points

As an application scales and many services access a multitude of data for each workload, it becomes difficult to ensure that each part of the system holds exactly the data access permissions it needs, and no more.

In today’s world, one of the worst nightmares of a software business is a data leak or a data privacy incident. Not only does it damage the brand’s reputation, it can also expose the company to heavy fines and other regulatory sanctions.

Thankfully, AWS has just announced a new feature at re:Invent that helps solve this problem: S3 Access Points.

An Access Point is a network hostname tied to a particular S3 Bucket. This hostname carries permissions indicating which operations requesters are allowed to perform and to which objects within the bucket.

Access Points allow you to customize permissions based on object tags and prefixes, making them flexible enough to cover our use cases. Through an Access Point, requesters can only perform object-level operations; bucket-level and other S3 operations are not available through it.

This feature makes it much easier to control application data access permissions than a single bucket policy does, especially for systems with complex permission rules. All requests made through Access Points are logged in CloudWatch and CloudTrail, which gives you an audit trail.

Each Access Point has a unique ARN, which can be used to request operations on objects.

In the AWS CLI, for example, this is how we fetch the object report.pdf through an Access Point and save it locally as downloaded-report.pdf:

aws s3api get-object --key report.pdf --bucket arn:aws:s3:us-east-1:123456789:accesspoint/documents downloaded-report.pdf

When using an AWS SDK, we should provide the Access Point ARN in the place of the bucket name.

To create an Access Point, use the AWS CLI like this:

aws s3control create-access-point --name my-access-point --account-id 1234567890 --bucket documents

It is possible to attach a resource policy to each Access Point, written in the same JSON format as IAM policies, for fine-grained permission control.

To grant a particular user permission to get and put objects under the UserName/ prefix through the Access Point:

{
    "Version":"2008-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::123456789:user/UserName"
        },
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:us-east-1:123456789:accesspoint/my-access-point/object/UserName/*"
    }]
}

As mentioned above, it is also possible to set permissions based on object tags:

{
    "Version":"2008-10-17",
    "Statement": [
    {
        "Effect":"Allow",
        "Principal" : {
            "AWS": "arn:aws:iam::123456789:user/JohnDoe"
        },
        "Action":["s3:GetObject"],
        "Resource" : "arn:aws:s3:us-east-1:123456789:accesspoint/my-access-point/object/*",
        "Condition" : {
            "StringEquals": {
                "s3:ExistingObjectTag/data": "emergency-room"
            }
        }
    }]
}

Consider an application that serves medical information. There are several departments: Emergency Room, Intensive Care Unit, Medical Imaging, etc.

In the example above, we granted John Doe access only to objects tagged data=emergency-room. This way we protect the data of patients whose records John Doe has no reason to read.
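To see how the two policies above actually decide a request without touching an AWS account, here is an added example that is not code from the original post or from AWS. It models only the policy features the two documents use: Allow/Deny statements, "AWS" principals, Action and Resource wildcards, and a StringEquals condition on s3:ExistingObjectTag/<tag-key>. The Access Point ARN, user ARNs and both policy documents are copied from the post; the object keys and tag values in the demo are constructed.

```python
"""Offline model of how an S3 Access Point policy decides a request.

Added example, not code from the original post or from AWS. It implements
only the subset of policy semantics the two policies above use. IAM identity
policies, bucket policies and other condition keys are out of scope.
"""
import fnmatch
import json

# Access Point ARN from the post. An object reached through it has the
# resource ARN <access point ARN>/object/<key>, which is what policies match.
ACCESS_POINT = "arn:aws:s3:us-east-1:123456789:accesspoint/my-access-point"

# Policy 1 from the post: one user may get/put objects under UserName/ only.
PREFIX_POLICY = json.loads("""
{"Version": "2008-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789:user/UserName"},
   "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:us-east-1:123456789:accesspoint/my-access-point/object/UserName/*"}]}
""")

# Policy 2 from the post: JohnDoe may read only objects tagged data=emergency-room.
TAG_POLICY = json.loads("""
{"Version": "2008-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789:user/JohnDoe"},
   "Action": ["s3:GetObject"],
   "Resource": "arn:aws:s3:us-east-1:123456789:accesspoint/my-access-point/object/*",
   "Condition": {"StringEquals": {"s3:ExistingObjectTag/data": "emergency-room"}}}]}
""")


def object_arn(access_point_arn, key):
    """Resource ARN of object `key` when addressed through an Access Point."""
    return f"{access_point_arn}/object/{key}"


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, requester_arn):
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or requester_arn in allowed


def _condition_matches(condition, object_tags):
    """Only StringEquals on s3:ExistingObjectTag/<key> is modelled (assumption)."""
    prefix = "s3:ExistingObjectTag/"
    for cond_key, expected in condition.get("StringEquals", {}).items():
        if not cond_key.startswith(prefix):
            raise NotImplementedError(f"condition key not modelled: {cond_key}")
        # A missing tag never equals anything, so untagged objects fall through to deny.
        if object_tags.get(cond_key[len(prefix):]) not in _as_list(expected):
            return False
    return True


def _statement_matches(stmt, requester_arn, action, resource, object_tags):
    """True when principal, action, resource and condition all match."""
    return (
        _principal_matches(stmt["Principal"], requester_arn)
        and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        and _condition_matches(stmt.get("Condition", {}), object_tags)
    )


def is_allowed(policy, requester_arn, action, key, object_tags=None,
               access_point_arn=ACCESS_POINT):
    """Decide a request: default deny, and a matching explicit Deny beats any Allow."""
    resource = object_arn(access_point_arn, key)
    tags = object_tags or {}
    effects = {
        stmt["Effect"]
        for stmt in policy["Statement"]
        if _statement_matches(stmt, requester_arn, action, resource, tags)
    }
    return "Deny" not in effects and "Allow" in effects


if __name__ == "__main__":
    user = "arn:aws:iam::123456789:user/UserName"
    john = "arn:aws:iam::123456789:user/JohnDoe"
    # Constructed sample requests; keys and tag values are not from the post.
    checks = [
        ("prefix: own folder", is_allowed(PREFIX_POLICY, user, "s3:GetObject", "UserName/notes.txt")),
        ("prefix: other folder", is_allowed(PREFIX_POLICY, user, "s3:GetObject", "Other/notes.txt")),
        ("tag: emergency-room", is_allowed(TAG_POLICY, john, "s3:GetObject", "patients/42.pdf", {"data": "emergency-room"})),
        ("tag: icu", is_allowed(TAG_POLICY, john, "s3:GetObject", "patients/43.pdf", {"data": "icu"})),
        ("tag: untagged", is_allowed(TAG_POLICY, john, "s3:GetObject", "patients/44.pdf")),
    ]
    for label, allowed in checks:
        print(f"{label:22s} -> {'ALLOW' if allowed else 'DENY'}")
```

Two points this makes visible that the JSON alone does not: an object with no data tag is denied by the tag policy, because a missing tag never satisfies StringEquals, and the prefix policy denies any key outside UserName/ even for the named user. In a real account the policy is attached with aws s3control put-access-point-policy, and the final decision also depends on the requester’s IAM permissions and the bucket policy, which this model deliberately leaves out.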

Access Points are a powerful way to control and distribute data access patterns through custom hostnames across your applications. Go ahead and read the full AWS documentation for more info about it.
