Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

amazon s3 for downloads how to handle security

Tags:

amazon-web-services

amazon-s3

I'm building a web application and am looking into using Amazon S3 to store user uploads.

My concern is, I dont want user A to see his download link for a document he uploaded is urltoMyS3/doc1234.pdf and try urltoMyS3/doc1235.pdf and get another users document.

The only way I can think of to do this, is to only allow the web application to connect to S3, then check if the user has access to a file on the web application, have the web app download the file, and then serve it to the client. The problem with this method is the application would have to download the file first and would inevitably slow the download process down for the user.

How is user files typically handled with Amazon S3? Or is it simply not typically used in a scenario where the files should not be public? Is there another service for something like this?

Thanks

like image 995
Kyle Avatar asked Oct 18 '12 20:10

Kyle

People also ask

How can administrators securely upload/download your data to Amazon S3?

You can securely upload/download your data to Amazon S3 via SSL endpoints using the HTTPS protocol. If you need extra security you can use the Server-Side Encryption (SSE) option to encrypt data stored at rest.

How do I get permission to download a S3 bucket?

Open the IAM console. Add a policy to the IAM user that grants the permissions to upload and download from the bucket. You can use a policy that's similar to the following: Note: For the Resource value, enter the Amazon Resource Name (ARN) for the bucket with a wildcard character to indicate the objects in the bucket.

What is the best way to protect a file in Amazon S3 against accidental delete?

To prevent or mitigate future accidental deletions, consider the following features: Enable versioning to keep historical versions of an object. Enable Cross-Region Replication of objects. Enable MFA delete to require multi-factor authentication (MFA) when deleting an object version.

2 Answers

You can do this by generating the appropriate links, see the following

https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth

like image 63
stilldodge Avatar answered Oct 05 '22 22:10

stilldodge

You can implement Query String Authentication, which will solve your problem.

Query string authentication is useful for giving HTTP or browser access to resources that would normally require authentication. The signature in the query string secures the request. Query string authentication requests require an expiration date. You can specify any future expiration time in epoch or UNIX time (number of seconds since January 1, 1970).

like image 31
Michal Klouda Avatar answered Oct 06 '22 00:10

Michal Klouda
Sign in to Comment

Related questions

Status on AWS S3 cross region replication delete operations behaviour
Intermittent 403 CORS Errors (Access-Control-Allow-Origin) With Cloudfront Using Signed URLs To GET S3 Objects
In what geographical region is my S3 bucket stored?
How do I allow clients to upload to Amazon S3 without giving out my keys?
AWS: How can I allow multiple domains in an S3 CORS configuration?
Can upload files but can't list S3 bucket objects. Get access denied error
AWS S3 alternatives for private cloud
Can I move an object into a 'folder' inside an S3 bucket using the s3cmd mv command?
Amazon S3 Object Replication
How to find/check current permissions in AWS S3 using cli?
Using S3 (Frankfurt) with Spark
Athena query results at specific path on S3
How to save sklearn model on s3 using joblib.dump?
Using amazon S3 to host remote Hg Repositories
Concurrency in Amazon S3
Amazon AWSClientFactory does not exists
Upload to S3 with progress in plain Ruby script
Costs of enabling versioning in Amazon S3
Is it possible to transfer ownership of objects to another user using the Amazon S3?
MongoDB backup strategy for AWS

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!