bigpotato

Reputation: 27497

AWS S3: General practice on limiting users' access to only their folders?

I'm creating an application where users will have a private photo album. I am using S3 for storing these photos.

All the photos will live under the same bucket, but in different subfolders that will be named something like {userId}/pics

My question is: Is it normal / accepted to just open up read access of this bucket to the public using the bucket policy? Or should I be limiting access to the folders so that only the user with userId can read from it so random people can't just guess the URL and view the pictures (unlikely, but possible)?

Upvotes: 0

Views: 25

Answers (1)

John Rotenstein

Reputation: 269101

Users of your application will need to authenticate with application credentials (e.g. from Amazon Cognito or your own database), not IAM credentials. Never provide IAM credentials to anybody outside of your organization, or perhaps close working partners. Therefore, you will not be able to create a policy that lets specific users access a folder.

Security through obscurity is never a good idea. You might think that using a random URL makes things secure, but if the URL gets out "in the wild", anyone on the Internet can access it. Plus, it is still guessable.

Also, your security model does not fit a situation where users might want to share photos with other users, or provide non-users with access to a specific photo (like sharing a link from Dropbox).

The better security model would be:

  • All photos are kept private
  • Users authenticate to the application
  • When a user requests access to a photo, the application confirms that they are authorized to access the photo and then generates a Pre-signed URL to the photo

Pre-Signed URLs are time-limited URLs that grant access to an object for a defined duration. Once the expiry period passes, the URL will no longer provide access.

For example, when a user wishes to view their private photos, the application can generate <img /> tags with a pre-signed URL. The user will see their images as normal, but nobody else will be able to access the photos. Even if somebody gets hold of the URL, it will no longer work after the expiry period.

See: Share an Object with Others - Amazon S3

Upvotes: 1
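The model described in the answer, as an added example that is not part of the answer or of any AWS library: the application first checks that the requesting user owns the `{userId}/pics/...` key, and only then builds a time-limited SigV4 pre-signed GET URL for it. Bucket, region, credentials and the fixed timestamp are constructed placeholders; in a real application `boto3`'s `generate_presigned_url` does the signing shown by hand here.

```python
"""Authorization check plus a hand-built S3 SigV4 pre-signed GET URL."""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import quote

BUCKET = "example-private-album"        # constructed placeholder, not a real bucket
REGION = "us-east-1"                    # constructed placeholder
ACCESS_KEY = "AKIAEXAMPLEKEYID00000"    # placeholder, not a real access key id
SECRET_KEY = "EXAMPLE-SECRET-NOT-REAL"  # placeholder, not a real secret
FIXED_TIME = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed


def owner_of(key: str) -> str:
    """Photos live under '{userId}/pics/...'; the first segment is the owner."""
    return key.split("/", 1)[0]


def presign_get(key: str, expires: int, now: datetime) -> str:
    """Sign GET https://{bucket}.s3.{region}.amazonaws.com/{key} with SigV4 query auth."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date, host = amz_date[:8], f"{BUCKET}.s3.{REGION}.amazonaws.com"
    scope = f"{date}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),      # seconds until S3 stops honouring the URL
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, keys and values percent-encoded.
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", "/" + quote(key, safe="/"), query,
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key: HMAC chain over date, region, service, terminator.
    k = ("AWS4" + SECRET_KEY).encode()
    for part in (date, REGION, "s3", "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}/{quote(key, safe='/')}?{query}&X-Amz-Signature={sig}"


def photo_url_for(user_id: str, key: str, now: Optional[datetime] = None,
                  expires: int = 300) -> Optional[str]:
    """The application's check: only the album owner gets a URL, anyone else gets None."""
    if owner_of(key) != user_id:
        return None
    return presign_get(key, expires, now or datetime.now(timezone.utc))
```

The returned URL is what the application would place in an `<img>` tag; once `X-Amz-Expires` seconds have passed since `X-Amz-Date`, S3 rejects the request even though the URL is unchanged.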
