Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

deny direct access to file on S3

I am building a django/s3 application with the following behaviour:

  1. User logs in
  2. User uploads a document -> document goes to S3 (eventually with a UID name and an alias in the DB?)
  3. User can download the document

I'm looking for a way to deny the other users (or, even worse, not logged) to query and get access to the files. One solution I could find is:

  • for every file, the page has links to a processing script
  • when the link is clicked, the view processes it (checks user is authenticated, determines the right file in S3) and redirects to it

Is this enough? Are there more elegant solutions to this?

like image 420
Laur Ivan Avatar asked Oct 28 '11 00:10

Laur Ivan


People also ask

How can I prevent users from accessing my files from S3?

Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users. Make sure that users can’t use a direct URL to the S3 bucket to access a file there. After you take these steps, users can only access your files through CloudFront, not directly from the S3 bucket.

Can users access my files directly from the S3 bucket?

After you take these steps, users can only access your files through CloudFront, not directly from the S3 bucket. In general, if you’re using an Amazon S3 bucket as the origin for a CloudFront distribution, you can either allow everyone to have access to the files there, or you can restrict access.

How do I change the permissions of my Amazon S3 files?

Change the permissions either on your Amazon S3 bucket or on the files in your bucket so that only the origin access identity has read permission (or read and download permission). When your users access your Amazon S3 files through CloudFront, the CloudFront origin access identity gets the files on behalf of your users.

How do I restrict access to content that I serve from Amazon S3?

To restrict access to content that you serve from Amazon S3 buckets, follow these steps: Create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution. Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users.


1 Answers

Don't make your files public. This will prevent non-authorised users from accessing the files.

Then in your Django app, you can generate urls with a querystring that allows an authorised user to access an S3 file for a limited time.

The amazon docs for querystring request authentication have more information.

like image 181
Alasdair Avatar answered Oct 16 '22 14:10

Alasdair