Reputation: 1601
I have a feature on my website where users can upload images. Users can see their own images but not others'. The images are stored on Amazon S3 but uploaded and viewed on my website, which is on a web hosting provider and not on S3.
I have tried to show the pictures on my website through my private key when pictures are private at Amazon but failed.
Found this post: http://blog.learningtree.com/configuring-amazon-s3-to-serve-images which describes how to make the images/files more private even if they are set to public on S3. The site suggests blocking search engines with a robots.txt file and only serving images to people who come from my domain, to stop hot-linking.
Do you think this is enough if I make them public on S3 or should I think about something else?
Upvotes: 0
Views: 369
Reputation: 13723
You can also configure the images on S3 to be private, and then generate pre-signed URLs in your app. That way, you can include an expiry time within the link.
From Authenticating REST Requests in the S3 docs:
For example, if you want to enable a user to download your private data directly from S3, you can insert a pre-signed URL into a web page before giving it to your user.
People can then only use the generated URL for a certain time. If they come through your app, it will always generate a link for some time in the future (say, 15 minutes as an example). If people pass around the links to these images, these links auto-expire.
Most S3 SDKs have higher-level methods to pre-sign those URLs.
Relevant: How secure are presigned URLs in AWS S3? here on SO.
Upvotes: 1