S3 and imgix best practice

Learn about creating separate users and policies for access to your S3 content.

To connect your S3 bucket to imgix or CloudCannon, you must create an IAM policy and an IAM user for access to your S3 content.

  • IAM Policy — Determines what actions are allowed for content in your S3 bucket.
  • IAM User — Has an Access Key ID, Secret Access Key, and Policy. Any software with this user’s keys can perform the actions permitted in the user’s policies.

CloudCannon, imgix, and AWS strongly recommend creating separate users for different tasks. This follows the principle of least privilege.

In this guide, you will create two users: one from CloudCannon to S3 and one from S3 to imgix. We recommend naming these users some variant of “CloudCannon-to-S3” and “S3-to-imgix”. As CloudCannon and imgix require different permissions, we recommend creating separate policies. This ensures that CloudCannon can upload to your S3 DAM and preview your assets, while imgix only has the permissions required to serve your assets.

It is not necessary to create two users; one user will work. If you only want to create one user and one policy:

  • In Step Four of this guide, create the first policy, "CloudCannon Access Policy." You can rename this policy.
  • In Step Five of this guide, create one user and assign your single policy. You can rename this user.
  • In Steps Six and Seven of this guide, use your single user's Access Key ID and Secret Access Key to give imgix and CloudCannon the same access to your S3 content.
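
As an added example (not code from CloudCannon, imgix, or AWS), the Python script below audits an IAM policy document against a read-only action set. It shows what the single-user option gives away when imgix reuses the CloudCannon policy. The action lists, the bucket name `example-dam-bucket`, and the helper names are assumptions made for illustration.

```python
# Added example: not CloudCannon, imgix, or AWS code.
# Assumption: a serve-only reader needs just these three S3 actions.
READ_ONLY = {"s3:getobject", "s3:listbucket", "s3:getbucketlocation"}
BUCKET_ARN = "arn:aws:s3:::example-dam-bucket"  # placeholder bucket name

def _stmt(actions, resource):
    return {"Effect": "Allow", "Action": actions, "Resource": resource}

# Constructed sample policies for the two users named in this guide.
IMGIX_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt(["s3:ListBucket", "s3:GetBucketLocation"], BUCKET_ARN),
    _stmt("s3:GetObject", BUCKET_ARN + "/*"),
]}
CLOUDCANNON_POLICY = {"Version": "2012-10-17", "Statement": [
    _stmt(["s3:ListBucket", "s3:GetBucketLocation"], BUCKET_ARN),
    _stmt(["s3:GetObject", "s3:PutObject"], BUCKET_ARN + "/*"),  # upload + preview
]}

def _as_list(value):
    # IAM lets Statement, Action and Resource be a single item or a list.
    return list(value) if isinstance(value, list) else [value]

def audit(policy, allowed=READ_ONLY, bucket_arn=BUCKET_ARN):
    """List the grants in `policy` that exceed `allowed` actions on one bucket."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append("NotAction allows everything except the listed actions")
        for action in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive; wildcards may match
            # actions outside the allowed set, so they are always reported.
            if action.lower() not in allowed:
                findings.append(f"action beyond read-only: {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource != bucket_arn and not resource.startswith(bucket_arn + "/"):
                findings.append(f"resource outside the bucket: {resource}")
    return findings

if __name__ == "__main__":
    for name, policy in [("S3-to-imgix", IMGIX_POLICY),
                         ("CloudCannon-to-S3", CLOUDCANNON_POLICY)]:
        print(name, audit(policy) or "read-only")
```

An empty result for the policy attached to the imgix user means its keys cannot write to or delete from the bucket.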
