Hosting static images in AWS S3

Question

I am integrating the ability for users of my web app to be able to upload images to my site. I want to store these images in an AWS S3 bucket, but I need to be careful with privacy and making sure only people that should have access to these files can see them.

Users should have access to these files via <img src="s3_link"> but should not be able to access the bucket directly or list the objects within.

I can accomplish this by making the bucket public but this seems dangerous.

How do I set up a proper bucket policy to allow these images to be loaded onto a webpage in an <img> tag?

Answer 1

S3 supports pre-signed URLs. They can be used to restrict access to specific user.

See: Share an Object with Others

Answer 2

You might be able to use something like https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-4 (Restricting Access to a Specific HTTP Referrer).

It's going to be difficult to ensure complete control since S3 is a basic CND without the ability to create/grant permissions on the fly, coupled with the fact that you want your <img /> tags to grab the content directly from S3.

If you are trying to restrict downloads, you'll need to setup some basic logic to grant your users some type of access token that they will provide when requesting content to download (will require a lambda script/DB or a service that can pull the images down and then serve them if the caller is authenticated).

It sounds like you'll need authenticated users to request access to content via an API, passing in an Authorization token which the API will then verify if they have access to pull down the requested content.