forcewill

Reputation: 1647

Amazon S3 Permissions

I'm using temporary sessions in Amazon S3 with GetSessionToken/GetFederationToken. I am planning on having more than 10K users, each of whom can upload to S3, so initially I thought of using a bucket for each user and setting write (upload) permissions per bucket for each user, but since there is a limitation on the number of buckets per Amazon account I have forsaken that idea.

How can I set a permission like allow public read, and upload only if the prefix on the key of the object that the user wants to upload?

For example if username X uploads a file the key must be like X_filename.

Or any other way which allows me to have security, this is for a mobile app and I would not like to go through our own servers when uploading a file.

Edit:

I've tried the GetFederationToken operation with the following policy:

{
   "Statement":[{
      "Effect":"Allow",
      "Action":["s3:PutObject","s3:GetObject","s3:GetObjectVersion",
      "s3:DeleteObject","s3:DeleteObjectVersion"],
      "Resource":"arn:aws:s3:::user.uploads/john/*"
   }
   ]
}

I have the bucket user.uploads on S3 and the folder john.

However, any upload with the session credentials to bucket user.uploads with key john/filename fails with access denied.

Upvotes: 4

Views: 4497

Answers (1)

Geoff Appleford

Reputation: 18832

Amazon's Identity and Access Management (IAM) service is what you need. The documentation has numerous examples, some of which match your scenario.

From the docs:

Example 5: Allow a partner to drop files into a specific portion of the corporate bucket

In this example, we create a group called WidgetCo that represents the partner company, then create a user for the specific person (or application) at the partner company who needs access, and then put the user in the group.

We then attach a policy that gives the group PutObject access to the following directory in the corporate bucket: my_corporate_bucket/uploads/widgetco.

We also want to prevent the WidgetCo group from doing anything else with the bucket, so we add a statement that denies permission to any Amazon S3 actions except PutObject on any Amazon S3 resource in the AWS account. This is only necessary if there's a broad policy in use elsewhere in your AWS account that gives users wide access to Amazon S3.

{
    "Statement":[{
        "Effect":"Allow",
        "Action":"s3:PutObject",
        "Resource":"arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"
    },
    {
        "Effect":"Deny",
        "NotAction":"s3:PutObject",
        "Resource":["arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"]
    },
    {
        "Effect":"Deny",
        "Action":"s3:*",
        "NotResource": "arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"
    }]
}

You would create a new identity for each user and use that to control access to the subfolders (prefixes) as needed.

Upvotes: 5
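
As an added example (not code from the question, the answer or the AWS documentation), the Python below builds the per-user policy string to pass to GetFederationToken for the question's user.uploads bucket and checks locally which keys it would permit. The username rule, the function names and the simplified evaluator are assumptions made for illustration.

```python
import json
import re

BUCKET = "user.uploads"  # bucket name taken from the question
# Assumed username rule for this example: rejects '/', '*', '?' and '$', which
# would act as a path separator, ARN wildcards or a policy-variable marker.
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{2,32}")
MAX_SESSION_POLICY_CHARS = 2048  # AWS limit on session policy plain text


def build_upload_policy(username, bucket=BUCKET):
    """Session policy JSON allowing PutObject only under <bucket>/<username>/."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"unsafe username for a policy ARN: {username!r}")
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{username}/*",
        }],
    }
    text = json.dumps(policy, separators=(",", ":"))
    if len(text) > MAX_SESSION_POLICY_CHARS:
        raise ValueError("session policy exceeds the size limit")
    return text


def _matches(pattern, value):
    """IAM-style match: '*' is any run of characters, '?' is exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.S) is not None


def allows(policy_json, action, bucket, key):
    """Simplified local check of Allow statements (no Deny, no conditions)."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for stmt in json.loads(policy_json)["Statement"]:
        actions, resources = stmt["Action"], stmt["Resource"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if (stmt["Effect"] == "Allow"
                and any(_matches(a, action) for a in actions)
                and any(_matches(r, arn) for r in resources)):
            return True
    return False
```

The temporary credentials receive at most the intersection of this policy and the permissions of the IAM user that calls GetFederationToken, so that user must itself be allowed s3:PutObject on the bucket.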
