ma11hew28

Reputation: 126357

Amazon S3 Privacy & Security

We are storing files uploaded by users of our app to Amazon S3.

In order to keep these files private & secure, we are:

  1. having the client generate a UUID for the filename (so that the URL of the file is difficult to guess). See: What is the probability of guessing (matching) a Guid?

  2. going to protect the data by using client-side encryption.

Do these two measures provide sufficient security, or should we also use Amazon Cognito to ensure that the user getting the object is one of the users who has access to it?

Upvotes: 2

Views: 355

Answers (1)

John Rotenstein

Reputation: 269400

Using obscure filenames is not a good security method.

If you wish to allow users to upload/download data to/from Amazon S3 in a secure manner, you should use Pre-Signed URLs.

The process is:

  • Users authenticate to your web/mobile application
  • Users interact with your application and indicate they wish to upload/download a file
  • Your application generates a pre-signed URL that includes an authorization to access Amazon S3, with restrictions such as bucket, path and file size
  • Users upload/download the file using the pre-signed URL

This way, your application controls the security and there is no potential for accidental workaround, overwriting, access, etc.

See: Uploading Objects Using Pre-Signed URLs

Upvotes: 1
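The process in the answer above, as an added example that is not part of the original answer or of AWS's SDK: a pre-signed GET URL built by hand with AWS Signature Version 4 (boto3's generate_presigned_url does the same), plus a checker that recomputes the signature the way S3 does, so it is visible that the URL authorizes exactly one bucket, key and time window and nothing else. The function names, bucket, key and credentials are constructed for illustration.

```python
"""Pre-signed S3 GET URL (AWS Signature Version 4) plus the check S3 performs on it."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlsplit

ALGO = "AWS4-HMAC-SHA256"

def _signature(secret, host, path, query, amz_date, region):
    """Sign the canonical request; only what appears in it is authorized."""
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    canonical = "\n".join(["GET", path, query, f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join([ALGO, amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    k = ("AWS4" + secret).encode()  # derived-key chain: date -> region -> service -> request
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(bucket, key, access_key, secret, region, expires, now):
    """Download URL for one object that stops working after `expires` seconds."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = "/" + quote(key, safe="/-_.~")
    query = "&".join([  # SigV4 requires the query parameters in sorted order
        f"X-Amz-Algorithm={ALGO}",
        "X-Amz-Credential=" + quote(f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request", safe=""),
        f"X-Amz-Date={amz_date}", f"X-Amz-Expires={expires}", "X-Amz-SignedHeaders=host"])
    sig = _signature(secret, host, path, query, amz_date, region)
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"

def verify_presign(url, secret, now):
    """Mimic the S3 side: recompute the signature over the URL exactly as received."""
    u = urlsplit(url)
    query, _, sig = u.query.rpartition("&X-Amz-Signature=")
    p = {k: v[0] for k, v in parse_qs(query).items()}
    if not {"X-Amz-Date", "X-Amz-Credential", "X-Amz-Expires"} <= set(p):
        return False  # malformed: required parameters missing
    amz_date, region = p["X-Amz-Date"], p["X-Amz-Credential"].split("/")[2]
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if not signed_at <= now <= signed_at + timedelta(seconds=int(p["X-Amz-Expires"])):
        return False  # outside the signed time window
    return hmac.compare_digest(sig, _signature(secret, u.netloc, u.path, query, amz_date, region))

def demo():
    t = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample values, not real credentials
    url = presign_get("app-uploads", "uploads/3f2a9c1e-file.pdf", "AKIAEXAMPLE", "secretEXAMPLE", "us-east-1", 900, t)
    return url, (verify_presign(url, "secretEXAMPLE", t + timedelta(seconds=600)),
                 verify_presign(url, "secretEXAMPLE", t + timedelta(seconds=901)),
                 verify_presign(url.replace("3f2a9c1e", "other"), "secretEXAMPLE", t),
                 verify_presign(url, "wrongSECRET", t))
```

The three False results in demo() show why an obscure filename adds nothing here: changing the key, waiting past the expiry, or signing with the wrong secret each invalidates the URL, independent of how guessable the object name is.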
