Reputation: 46940
Restricting amazon s3 access for a web application?
If a web app uploads data to an amazon s3 bucket is it possible to restrict access to the data for the specific ip address that the web app initiated the upload from and / or can the web app obtain some sort of token that it uses to access the data prior to uploading it?
For example if Hans in Holland uploads 235325.json and Tina in Germany uploads 3453453.json, the web application client that Hans is running cannot see Tinas 3453453.json file and vice versa. Access to the file upload is only accessible by the user that uploaded it and 100% off access to the rest of the world.
Upvotes: 0
Views: 314
Answers (1)
Reputation: 16519
There is no way to achieve this natively (like something you will just configure).
You are better off implementing permission control at application level.
But, you can enhance your security mechanisms by generating pre-signed URLs that includes a policy that checks for an IP condition.
In this case:
- Hans gets a S3 URL for an object that he uploaded and can legitimately download.
- Hans sends the S3 URL to Tina via email.
- Tina tries to open the link.
The link will fail for Tina since the allowed IP address included in the S3 URL won't match.
For more information, take a look at Creating a Signed URL Using a Custom Policy. (Scroll to "Creating a Policy Statement for a Signed URL That Uses a Custom Policy".)
Upvotes: 1
Related Questions
- AWS S3 how to allow acces only from specific domain?
- S3 Bucket Policy to Allow access to specific users and restrict all
- Restrict access to website hosted on S3
- How to give limited access to S3 resource to a user of an app?
- allow open access to S3 bucket with certain restrictions
- Secure access directly from web app to amazon s3?
- Restrict access to S3 based on EC2 Instance and User
- How to restrict AWS S3 access using CORS?
- Restrict S3 permissions to just website
- How to restrict Amazon S3 API access?