How to set visibility (read) permissions on S3 uploads

Question

Using Amazon's S3 storage, is it possible to set an image to only be viewable to specific users of an application?

I've looked at the policy generator, but I can't seem to find what I'm looking for.

Some of the information on this documentation page sounds relevant. Could I achieve this with signed URLs or IAM users? Ideally, the users of the app do not have to create an AWS account.

Answer 1

By default, all objects in Amazon S3 are private. You can then add permissions so that people can access your objects. This can be done via:

• Access Control List (ACL) permissions on individual objects
• A Bucket Policy
• IAM Users and Groups
• Pre-Signed URLs

Given that you wish to grant access to application users, the recommended method is a Pre-Signed URL.

A Pre-Signed URL can be used to grant access to S3 objects as a way of "overriding" access controls. A normally private object can be accessed via a URL by appending an expiry time and signature. This is a great way to serve private content to users without having to define every user within IAM. (It is recommended to only use IAM for staff, not application users.)

A pre-signed URL can be generated from a few lines of code. A quick way to experiment is to use the AWS Command-Line Interface (CLI), which has a aws s3 presign command.

See: AWS CLI aws s3 presign documentation

There are equivalent commands for all AWS SDKs in various programming languages.