Hiding AWS secret from application

Question

I'm a Java backend engineer working on a feature that the frontend (SPA and Android) must send (large) files to S3. Since I have to manage with a lot of requests. Because of network overload reasons I'm avoiding to make a 'proxy' service where the frontend send me the file so that I can send it to S3 but I have some concern about the best way to keep my apps secure.

I looked for some solutions but I cannot find one that manages exactly what I want.

Amazon S3 upload with not showing secret key in frontend

This post has almost my answer but I don't have enough score to comment. S3 upload directly in JavaScript

I read some documentation on AWS but I still have some questions and some requisites.

• The solution may permit the client an authenticated user to send a file to s3 directly
• It may make a GET call to get some token or something like that (without sending a lot of data)
• It's to be secure (no secret key knowledge at the frontend)

Which solution may be good for me?

• The backend may generate a signing key and send it to frontend making the request to AWS (http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html)
• I can use STS to generate a temporary credential for each upload.

Do you think these approach will work? Which one do you think is better? What are the trade offs? Is there other way to deal with this problem?

Answer 1

Best thing to do here is use the Cognito service to generate anonymous credentials in the app that allow an upload to S3. For Android you can use the SDK then to do multi-part uploads from the device to S3, which will speed up the process as well.

I couldn't find an exact Android example, but this is one for iOS and the terminology should transfer the same, just with the other SDK: iOSTransferManager .

You can also call Cognito directly from javascript, if you have a web based app: Cognito in JS example Hope that helps! - Chris