Amazon S3 download authentication

Question

I have created a bucket in Amazon S3 and have uploaded 2 files in it and made them public. I have the links through which I can access them from anywhere on the Internet. I now want to put some restriction on who can download the files. Can someone please help me with that. I did try the documentation, but got confused.

I want that at the time of download using the public link it should ask for some credentials or something to authenticate the user at that time. Is this possible?

Answer 1

By default, all objects in Amazon S3 are private. You can then add permissions so that people can access your objects. This can be done via:

• Access Control List permissions on individual objects
• A Bucket Policy
• IAM Users and Groups
• A Pre-Signed URL

As long as at least one of these methods is granting access, your users will be able to access the objects from Amazon S3.

1. Access Control List on individual objects

The Make Public option in the Amazon S3 management console will grant Open/Download permissions to all Internet users. This can be used to grant public access to specific objects.

2. Bucket Policy

A Bucket Policy can be used to grant access to a whole bucket or a portion of a bucket. It can also be used to specify limits to access. For example, a policy could make a specific directory within a bucket public to users from a specific range of IP addresses, during particular times of the day, and only when accessing the bucket via SSL.

A bucket policy is a good way to grant public access to many objects (eg a particular directory) within having to specify permissions on each individual object. It is commonly used for static websites served out of an S3 bucket.

3. IAM Users and Groups

This is similar to defining a Bucket Policy, but permissions are assigned to specific Users or Groups of users. Thus, only those users have permission to access the objects. Users must authenticate themselves when accessing the objects, so this is most commonly used when accessing objects via the AWS API, such as using the aws s3 commands from the AWS Command-Line Interface (CLI).

Rather than being prompted to authenticate, users must provide the authentication when making the API call. A simple way of doing this is to store user credentials in a local configuration file, which the CLI will automatically use when calling the S3 API.

4. Pre-Signed URL

A Pre-Signed URL can be used to grant access to S3 objects as a way of "overriding" access controls. A normally private object can be accessed via a URL by appending an expiry time and signature. This is a great way to serve private content without requiring a web server.

Typically, a Pre-Signed URL is constructed by an application when it wishes to grant access to an object. For example, let's say you have a photo-sharing website and a user has authenticated to your website. You now wish to display their pictures in a web page. The pictures are normally private, but your application can generate Pre-Signed URLs that grant them temporary access to the pictures. The Pre-Signed URL will expire after a particular date/time.