Praveen

Reputation: 69

Encrypt object in AWS S3 bucket

I am saving some images/objects in an AWS S3 bucket from my application. First I am getting a signed URL from a Node.js service API and uploading images or files to the signed URL using jQuery ajax. I can open the image or object using the link provided in the properties (https://s3.amazonaws.com/bucketname/objectname).

I want to provide security for each uploaded object. Even if by chance an anonymous user gets the link (https://s3.amazonaws.com/bucketname/objectname) somewhere, he should not be able to open it. The objects should be accessed and opened only in cases such as when the request has some header key values, etc. I tried server-side encryption by specifying header key values in the request as shown below.

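        var file = document.getElementById('fileupload').files[0];
        $.ajax({
            url: signedurl,   // pre-signed PUT URL returned by the Node.js service
            type: "PUT",
            data: file,
            // jQuery's option is "headers" (plural); "header" is silently ignored.
            headers: {'x-amz-server-side-encryption': 'AES256'},
            contentType: file.type,
            processData: false,   // send the File object as the raw request body
            success: function (result) {
                var res = result;
            },
            error: function (error) {
                alert(error);
            }
        });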

Doesn't server-side encryption keep the object encrypted in S3 bucket storage? Does it only encrypt while transferring and decrypt before saving to S3 storage?

If it stores the encrypted object in S3 storage, then how can I open it using the link shown in the properties?

Upvotes: 0

Views: 1897

Answers (1)

John Rotenstein

Reputation: 270224

Server-Side Encryption (SSE) in Amazon S3 encrypts objects at rest (stored on disk) but decrypts objects when they are retrieved. Therefore, it is a transparent form of encryption.

If you wish to keep objects in Amazon S3 private, but make them available to specific authorized users, I would recommend using Pre-Signed URLs.

This works by having your application generate a URL that provides time-limited access to a specific object in Amazon S3. The objects are otherwise kept private so they are not accessible.

See documentation: Share an Object with Others

Upvotes: 2
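The time-limited URL the answer describes, as an added example that is not part of the original answer and is not AWS SDK code: a SigV4 query-string presigner written against Node's built-in crypto, with `isValid` modelling the check the service performs on each request. The credentials, region, virtual-hosted host name and all function names are constructed assumptions; in an application, use the AWS SDK's presigner instead.

```javascript
const { createHmac, createHash, timingSafeEqual } = require("node:crypto");

const hmac = (key, data) => createHmac("sha256", key).update(data).digest();
// RFC 3986 percent-encoding, which SigV4 requires for paths and query values.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
const encPath = (key) => "/" + key.split("/").map(enc).join("/");
const encQuery = (q) => Object.keys(q).sort().map((k) => `${enc(k)}=${enc(q[k])}`).join("&");

// The signature covers method, object path, expiry and host, so none can be altered.
function sign({ secretKey, region, host, key, query }) {
  const amzDate = query["X-Amz-Date"];
  const scope = `${amzDate.slice(0, 8)}/${region}/s3/aws4_request`;
  const canonical = ["GET", encPath(key), encQuery(query),
    `host:${host}`, "", "host", "UNSIGNED-PAYLOAD"].join("\n");
  const digest = createHash("sha256").update(canonical).digest("hex");
  const toSign = ["AWS4-HMAC-SHA256", amzDate, scope, digest].join("\n");
  let k = "AWS4" + secretKey; // derive date -> region -> service -> request key
  for (const part of scope.split("/")) k = hmac(k, part);
  return hmac(k, toSign).toString("hex");
}

function presignGet({ accessKeyId, secretKey, region, host, key, expiresIn, now }) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ""); // e.g. 20240102T030405Z
  const query = {
    "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
    "X-Amz-Credential": `${accessKeyId}/${amzDate.slice(0, 8)}/${region}/s3/aws4_request`,
    "X-Amz-Date": amzDate,
    "X-Amz-Expires": String(expiresIn),
    "X-Amz-SignedHeaders": "host",
  };
  const sig = sign({ secretKey, region, host, key, query });
  return `https://${host}${encPath(key)}?${encQuery(query)}&X-Amz-Signature=${sig}`;
}

// Model of the service-side check: reject expired URLs and any signature mismatch.
function isValid(url, { secretKey, region, now }) {
  const u = new URL(url);
  const { "X-Amz-Signature": given = "", ...query } = Object.fromEntries(u.searchParams);
  const issued = Date.parse((query["X-Amz-Date"] || "").replace(
    /^(\d{4})(\d\d)(\d\d)T(\d\d)(\d\d)(\d\d)Z$/, "$1-$2-$3T$4:$5:$6Z"));
  if (!(now.getTime() <= issued + Number(query["X-Amz-Expires"]) * 1000)) return false;
  const want = sign({ secretKey, region, host: u.host, key: decodeURIComponent(u.pathname.slice(1)), query });
  const a = Buffer.from(given), b = Buffer.from(want);
  return a.length === b.length && timingSafeEqual(a, b);
}

// Constructed sample (not real credentials); bucket and object names are the question's placeholders.
const SAMPLE = { accessKeyId: "AKIAEXAMPLEONLY00000", secretKey: "constructed-demo-secret", region: "us-east-1",
  host: "bucketname.s3.amazonaws.com", key: "objectname", expiresIn: 300, now: new Date("2024-01-02T03:04:05Z") };
```

With the bucket kept private, the bare link from the question is refused, while `presignGet(SAMPLE)` yields a link that works for five minutes and only for `objectname`.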
