user254864

How to enable presigned S3 URL for different users?

I am trying to build a service where users are able to upload photos to an S3 database using presigned URLs given to them via API gateway. For each user, I was planning on submitting the photo information through the presigned URL and identifying the user who sent it as metadata via the ID found in the access token granted by AWS Cognito.

However, I am not sure how to secure it so that users can only upload photos as themselves and not as others. It seems to me that malicious users can simply modify the frontend code to change the user ID and submit photos as someone else.

I'm wondering if it is possible to create a presigned URL with some sort of ID so that they can only submit content as themselves? Or is there a better way?

Upvotes: 3

Answers (1)

Jatin Mehrotra

How about this solution? There is one question that is not mentioned: how do you plan to differentiate legitimate users from non-legitimate users, or is it open to everyone?

  • Use Amazon Cognito to authenticate users.
  • Users will try to query for a URL (to upload to S3 through an interface); API Gateway will verify authentication.
  • If authentication is successful, only then will Lambda generate an S3 presigned URL.

This solution is a little costly; however, it serves the purpose of making it secure, where only if the user is authenticated will Lambda generate a signed URL.

You should not worry about the identity of the user, or someone sending a false identity, because a sub claim will be present as part of the token; if someone tries to change that, Cognito will not verify it.

  • A heads up: if you are trying to make this service global, then you can implement a backend database like DynamoDB, add a manual/automatic step to add an attribute to identify users who are privileged, and add logic to Lambda to find users who are privileged and then generate a presigned URL exclusively for that privileged user.

https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html, https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html

Upvotes: 2
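As an added example (not from the answer above or from AWS's own samples), here is a Lambda handler for the flow the answer describes: the caller's identity is taken from the `sub` claim that the API Gateway Cognito authorizer has already verified, and the presigned POST pins both the object key and the owner metadata to that `sub`, so a user ID placed in the request body by a modified frontend is simply ignored. The bucket name, the `uploads/<sub>/<filename>` layout, the `x-amz-meta-owner` metadata name and the `FakeS3Client`/`SAMPLE_EVENT` stand-ins are assumptions constructed for this example.

```python
import json
import re
BUCKET = "photo-uploads-example"                     # constructed placeholder, not a real bucket
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")   # no slashes, so the key cannot escape the prefix

def identity_from_event(event):
    # Identity comes only from the authorizer's verified claims, never from the request body.
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims", {})
    sub = claims.get("sub")
    if not sub:
        raise PermissionError("no verified Cognito identity on request")
    return sub

def build_upload_grant(event, s3_client, bucket=BUCKET, expires=300):
    # Returns presigned POST fields whose key and owner metadata are bound to the caller's sub.
    sub = identity_from_event(event)
    body = json.loads(event.get("body") or "{}")
    filename = body.get("filename", "")
    if not SAFE_NAME.match(filename):
        raise ValueError("invalid filename")
    key = f"uploads/{sub}/{filename}"                # any user_id sent in the body is ignored
    fields = {"x-amz-meta-owner": sub}
    conditions = [
        {"key": key},                                # the browser cannot substitute another key
        {"x-amz-meta-owner": sub},                   # nor change the owner metadata
        ["starts-with", "$Content-Type", "image/"],
        ["content-length-range", 1, 10 * 1024 * 1024],
    ]
    return s3_client.generate_presigned_post(
        Bucket=bucket, Key=key, Fields=fields, Conditions=conditions, ExpiresIn=expires)

def handler(event, context=None, s3_client=None):
    # Lambda entry point behind an API Gateway Cognito user-pool authorizer.
    if s3_client is None:
        import boto3                                 # real client only when deployed
        s3_client = boto3.client("s3")
    try:
        grant = build_upload_grant(event, s3_client)
    except PermissionError:
        return {"statusCode": 401, "body": json.dumps({"error": "unauthenticated"})}
    except ValueError as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    return {"statusCode": 200, "body": json.dumps(grant)}

class FakeS3Client:                                  # constructed stand-in so the logic runs offline
    def generate_presigned_post(self, **kwargs):
        return kwargs

# Constructed event: the authorizer says sub=alice, while the body claims to be bob.
SAMPLE_EVENT = {
    "requestContext": {"authorizer": {"claims": {"sub": "alice-sub-0001"}}},
    "body": json.dumps({"filename": "photo.jpg", "user_id": "bob-sub-0002"}),
}
```

With the real `boto3` client, the returned `url` and `fields` are handed to the browser, which POSTs the file directly to S3; S3 rejects any form whose key or metadata differs from the signed policy.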
