Neil Middleton

Reputation: 22240

Securing S3 via your own application

Imagine the following use case:

You have a Basecamp-style application hosting files with S3. Accounts all have their own files, but stored on S3.

How, therefore, would a developer go about securing files so users of account 1 couldn't somehow get to files of account 2?

We're talking Rails if that's a help.

Upvotes: 1

Views: 282

Answers (4)

Neil Middleton

Reputation: 22240

S3 supports signed, time-expiring URLs, which means you can furnish a user with a URL that effectively lets only people with that link view the file, and only within a certain time period from issue.

http://www.miracletutorials.com/s3-amazon-expiring-urls/

Upvotes: 2
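An added example, not code from any of the answers: a per-account ownership check in front of an expiring signed URL, so a user of account 1 can never be handed a link to a key belonging to account 2. The bucket, region, credentials, the `accounts/<id>/` key layout and all method names are constructed assumptions, and the signing is a hand-rolled Signature Version 4 query-string signer using only the standard library.

```ruby
require "openssl"

# Constructed placeholders: bucket, region, credentials and key layout.
BUCKET = "example-app-files"
REGION = "us-east-1"
ACCESS_KEY = "AKIAEXAMPLE"
SECRET_KEY = "constructed-secret-for-illustration"

class ForbiddenKey < StandardError; end

# A user may only get links for keys under their own account's prefix.
# account_id must come from the authenticated session, not from params.
def authorize_key!(account_id, key)
  prefix = "accounts/#{Integer(account_id)}/"   # trailing slash: 1 != 10
  clean = key.split("/", -1).none? { |s| ["", ".", ".."].include?(s) }
  raise ForbiddenKey, key unless key.start_with?(prefix) && clean
  key
end

# RFC 3986 percent-encoding as Signature Version 4 requires.
def uri_escape(str)
  str.to_s.b.gsub(/[^A-Za-z0-9\-._~]/n) { |c| format("%%%02X", c.ord) }
end

# Hand-rolled SigV4 query-string signing for a GET on one object.
def presign_get(key, expires_in:, now: Time.now)
  stamp = now.getutc.strftime("%Y%m%dT%H%M%SZ")
  date = stamp[0, 8]
  scope = "#{date}/#{REGION}/s3/aws4_request"
  host = "#{BUCKET}.s3.#{REGION}.amazonaws.com"
  path = "/" + key.split("/").map { |s| uri_escape(s) }.join("/")
  query = { "X-Amz-Algorithm" => "AWS4-HMAC-SHA256",
            "X-Amz-Credential" => "#{ACCESS_KEY}/#{scope}",
            "X-Amz-Date" => stamp, "X-Amz-Expires" => expires_in.to_s,
            "X-Amz-SignedHeaders" => "host" }
          .sort.map { |k, v| "#{uri_escape(k)}=#{uri_escape(v)}" }.join("&")
  canonical = ["GET", path, query, "host:#{host}\n", "host", "UNSIGNED-PAYLOAD"].join("\n")
  to_sign = ["AWS4-HMAC-SHA256", stamp, scope,
             OpenSSL::Digest::SHA256.hexdigest(canonical)].join("\n")
  signing_key = [date, REGION, "s3", "aws4_request"]
                .reduce("AWS4#{SECRET_KEY}") { |k, d| OpenSSL::HMAC.digest("SHA256", k, d) }
  sig = OpenSSL::HMAC.hexdigest("SHA256", signing_key, to_sign)
  "https://#{host}#{path}?#{query}&X-Amz-Signature=#{sig}"
end

# What a controller action would call: authorize first, then sign briefly.
def download_link(account_id, key, now: Time.now)
  presign_get(authorize_key!(account_id, key), expires_in: 300, now: now)
end
```

The link only isolates accounts if the bucket itself is private, so that unsigned requests are refused. In a Rails app the `aws-sdk-s3` gem's `Aws::S3::Presigner` can replace `presign_get`; the ownership check stays in the application either way.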

Levi

Reputation: 4658

I haven't tackled this exact issue. But that doesn't stop me from having an opinion :)

Check out cancan:

It allows custom authorization schemes, without too much hassle.

Upvotes: 0

John Douthat

Reputation: 41189

Serve the files using an EC2 Instance

If you set your S3 bucket to private, then start up an EC2 instance, you could serve your files on S3 via EC2, using the EC2 instance to verify permissions based on your application's rules. Because there is no charge for EC2 to transfer to/from S3 (within the same region), you don't have to double up your bandwidth consumption costs at Amazon.

Upvotes: 0

csexton

Reputation: 24803

If you want to restrict control of those remote resources you could proxy the files through your app. For something like S3 this may defeat the purpose of what you are trying to do, but it would still allow you to keep the data with Amazon and restrict access.

You should be careful with an approach like this as it could cause your Ruby thread to block while it is proxying the file, which could become a real problem with the application.

Upvotes: 0
