How to allow only a specific user to access a content on Amazon S3

Question

I am new to Amazon S3. I need some help with S3 storage solution. Here is my problem.

I have created a bucket in Amazon S3. Now everyone can access my bucket URL (e.g. https://BUCKET_NAME.s3.amazonaws.com) and they could see all the files inside the bucket. I want only my mobile apps users to be able to view/see/download the files in the bucket. But if I block the files/set the files in the bucket as private, my mobile apps users would not be able to view his/her files.

So the question:

• Is there a way to secure access to AWS S3? or How can I allow only a specific user to access a content on Amazon S3? Is it server-side authentication or something else?

If you have any idea how it can be done, can you show me an example? Thanks :)

NOTE: I am using Parse JavaScript SDK, AWS S3, AWS EC2, Elastic beanstalk and Ionic 2 with Angular 2.

If you think I have missed out any details, please let me know so I can add it :)

Answer 1

There are multiple options available to secure access for specific users.

• If you are using AWS Cognito, you can grant access to specific buckets and object in S3 using IAM policies by using AWS JavaScript SDK and temporarily access credentials you received after authenticating with AWS Cognito (Or federated through Cognito) directly from Angular app.
• You can also use AWS CloudFront Signed Urls and Signed Cookies to secure access to S3 objects. To access the content, using a backend endpoint (For authenticated users) you can generate a Signed URL or Signed Cookie which will be used by the Angular app to access S3 through CloudFront.
• Another option is to access the S3 from server side and return the files (Compared to other approaches, this will add an significant overhead at scale to your server so not recommended unless you have a specific scenario to modify the files or content dynamically before retrieval)
• You can also use AWS API Gateway as a proxy to S3 to serve files. Here 10MB file size limit applies since API Gateway can transfer files maximum up to 10MB.

Answer 2

You can S3 bucket access to specific IAM role. So create a new user and attach an IAM policy to that user. Configure your Lambda with that role. If you want you can create multiple roles depends on each user type (Example :- Role uniquely for mobile users, another role for desktop users etc.)

Please read more about how to restrict Amazon S3 Bucket access to a specific IAM Role here