Rob

Reputation: 3459

Shared content from S3 or elsewhere

If you have an app where users have data in S3 buckets but can select who they share it with, what's the best technique for protecting this data? For example, how would Instagram protect their image data if they were using S3 (or some other centralized storage provider) so you could only see pictures you were authorized to see?

Obscurity from large URL strings seems like one approach, but I was curious if there was a better technique?

Upvotes: 2

Views: 229

Answers (1)

John Rotenstein

Reputation: 269410

By default, all objects in Amazon S3 are private. You can then add permissions so that people can access your objects. This can be done via:

  • Access Control List that applies to individual objects
  • A Bucket Policy that applies rules to the whole bucket
  • IAM to apply permissions to specific Users and Groups
  • A Pre-Signed URL that grants temporary access to an individual object

If you wish to "select who to share it with", there are two choices:

  • If the person is defined as a User in IAM, then assign permissions against that User
  • If the person is not defined in IAM (e.g. an Instagram user), then use a pre-signed URL

A Pre-Signed URL grants access to S3 objects as a way of "overriding" access controls. A normally private object can be accessed via a URL by appending an expiry time and signature. This is a great way to serve private content from Amazon S3.

Basically, if the application determines that the user is entitled to access an object in Amazon S3, it can generate a link that provides temporary access to the object. Anyone with that link can access the object, but it will no longer work once the time period has expired.

The pre-signed URL can be generated via the AWS SDK (available for most popular programming languages). It can also be generated via the aws s3 presign command in the AWS Command-Line Interface (CLI).

Pre-signed URLs can even be used within web pages. For example, the HTML might refer to a picture using an <img> tag, where the src is a pre-signed URL. That way, a private picture can be displayed on the page, but search engines would not be able to scrape the picture.

Upvotes: 2
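
The flow described in the answer, as an added example that is not part of the original answer or of any AWS code: the application checks its own share list first and only then produces a short-lived pre-signed GET URL. To run offline it re-implements the Signature Version 4 query-string signing with the standard library, where an application would normally call the AWS SDK; the share table, bucket name, region and credentials are constructed placeholders.

```python
import datetime, hashlib, hmac
from urllib.parse import quote

# Constructed sample data: hypothetical share table, bucket and credentials.
SHARES = {"photos/alice/beach.jpg": {"alice", "bob"}}
BUCKET, REGION = "example-photo-bucket", "us-east-1"
ACCESS_KEY, SECRET_KEY = "AKIAEXAMPLEKEYID0000", "constructed-secret-not-a-real-key"

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get(key, expires, now):
    """SigV4 query-string signature for a GET on one object."""
    host = f"{BUCKET}.s3.{REGION}.amazonaws.com"
    date, stamp = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{date}/{REGION}/s3/aws4_request"
    path = "/" + quote(key, safe="/")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": stamp,
        "X-Amz-Expires": str(expires),   # lifetime in seconds, covered by the signature
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", stamp, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    k = ("AWS4" + SECRET_KEY).encode()
    for part in (date, REGION, "s3", "aws4_request"):
        k = _hmac(k, part)
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"

def share_link(user, key, now, expires=300):
    """Authorize against the app's share list first; only then mint the link."""
    if user not in SHARES.get(key, set()):
        raise PermissionError(f"{user} may not read {key}")
    return presign_get(key, expires, now)

if __name__ == "__main__":
    t = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    print(share_link("bob", "photos/alice/beach.jpg", t))
```

Because the object key and the expiry are both inside the signed request, changing either in the URL invalidates the signature; the link itself is a bearer credential until it expires, so the lifetime is kept short.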
