J_D

Reputation: 3596

AWS S3 Per Bucket Permission for non-AWS accounts

This question is in the same line of thought as Is it possible to give token access to link to amazon s3 storage?.

Basically, we are building an app where groups of users can save pictures, that should be visible only to their own group. We are thinking of using either a folder per user group, or it could even be an independent S3 bucket per user group.

The rules are very simple:

However, the solution used by the post mentioned above (temporary pre-signed URLs) is not usable, as we need the client to be able to write files on his bucket as well as read the files on his bucket, without having any access to any other bucket. The file write part is the difficulty here and the reason why we cannot use pre-signed URLs.

Additionally, the solutions from various AWS security posts that we read (for example https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/) do not apply because they show how to control access for IAM groups or for other AWS accounts. In our case, a group of users does not have an IAM account...

The only solutions that we see so far are either insecure or wasteful

Any better solution? Is this kind of customized access doable with S3?

Upvotes: 0

Views: 1893

Answers (1)

John Rotenstein

Reputation: 269746

The correct way to achieve your goal is to use Amazon S3 pre-signed URLs, which are time-limited URLs that provide temporary access to a private object.

You can also Upload objects using presigned URLs - Amazon Simple Storage Service.

The flow is basically:

  • Users authenticate to your back-end app
  • When a user wants to access a private object, the back-end verifies that they are permitted to access the object (using your own business logic, such as the Groups you mention). If they are allowed to access the object, the back-end generates a pre-signed URL.
  • The pre-signed URL is returned to the user's browser, such as putting it in a <img src="..."> tag.
  • When the user's browser requests the object, S3 verifies the signature in the pre-signed URL. If it is valid and the time period has not expired, S3 provides the requested object. (Otherwise, it returns Access Denied.)

A similar process is used when users upload objects:

  • Users authenticate to your back-end app
  • They request the opportunity to upload a file
  • Your back-end app generates an S3 Pre-signed URL that is included in the HTML page for upload
  • Your back-end should track the object in a database so it knows who performed the upload and keeps track of who is permitted to access the object (e.g. particular users or groups)

Your back-end app is fully responsible for deciding whether particular users can upload/download objects. It then hands off the actual upload/download process to S3 via the pre-signed URLs. This reduces load on your server because all uploads/downloads go direct to/from S3.

Upvotes: 0
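The flow in the answer above, as an added example that is not part of the question or the answer: the back-end checks group membership from its own records, chooses the object key itself (so a client can never name a key outside its group's prefix), records ownership of uploaded objects, and only then issues a short-lived pre-signed GET or PUT URL. The SigV4 query-string signer is hand-rolled over the standard library so the example runs offline; a real back-end would call the AWS SDK's presign function instead. The bucket name, region, user/group tables, timestamp and credentials (the placeholder key pair from the AWS documentation) are all constructed assumptions.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

BUCKET = "example-group-photos"       # assumed bucket name
REGION = "us-east-1"                  # assumed region
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation placeholder, not a real credential
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
FIXED_NOW = datetime(2013, 5, 24, tzinfo=timezone.utc)  # constructed timestamp for reproducible output

# Constructed stand-in for the back-end's database: group membership and object ownership.
USER_GROUPS = {"alice": "team-red", "bob": "team-blue"}
OBJECT_OWNER_GROUP = {"team-red/photo1.jpg": "team-red", "team-blue/photo2.jpg": "team-blue"}


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _enc(s: str) -> str:
    # SigV4 URI encoding: everything except unreserved characters is percent-encoded.
    return urllib.parse.quote(s, safe="-_.~")


def presign(method: str, key: str, expires: int, now: datetime) -> str:
    """Build an S3 SigV4 query-string pre-signed URL for one object and one HTTP method."""
    host = f"{BUCKET}.s3.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # lifetime in seconds; S3 refuses the URL after it elapses
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    canonical_uri = urllib.parse.quote("/" + key, safe="/-_.~")
    # Canonical request: method, URI, query, canonical headers (plus blank line), signed headers, payload marker.
    canonical_request = "\n".join(
        [method, canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    # Signing key is an HMAC chain over date, region, service and the terminator string.
    signing_key = ("AWS4" + SECRET_KEY).encode("utf-8")
    for part in (amz_date[:8], REGION, "s3", "aws4_request"):
        signing_key = _hmac_sha256(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def download_url(user: str, key: str, now=None):
    """Short-lived GET URL, issued only when the user's group owns the object; None means deny."""
    group = USER_GROUPS.get(user)
    if group is None or OBJECT_OWNER_GROUP.get(key) != group:
        return None
    return presign("GET", key, expires=300, now=now or datetime.now(timezone.utc))


def upload_url(user: str, filename: str, now=None):
    """Short-lived PUT URL for a key under the user's own group prefix; ownership is recorded first."""
    group = USER_GROUPS.get(user)
    # The back-end, not the client, builds the key: reject names that could escape the group prefix.
    if group is None or not filename or "/" in filename or ".." in filename:
        return None
    key = f"{group}/{filename}"
    OBJECT_OWNER_GROUP[key] = group  # the "track the object in a database" step
    return presign("PUT", key, expires=300, now=now or datetime.now(timezone.utc))


if __name__ == "__main__":
    print(download_url("alice", "team-red/photo1.jpg", FIXED_NOW))
    print(download_url("bob", "team-red/photo1.jpg", FIXED_NOW))  # None: bob is not in team-red
    print(upload_url("bob", "photo3.jpg", FIXED_NOW))
```

The HTTP method, object key, host, expiry and timestamp are all inside the signed canonical request, so a URL issued for a GET on one key cannot be reused for a PUT, for another key or for another bucket; that is what lets the back-end keep authorization entirely in its own group logic while S3 only checks the signature and expiry. With the inputs from the AWS SigV4 query-parameter documentation example the output can be compared against that document's worked value.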
