Menu
I fired up a sample application that uses Amazon S3 for image hosting. I managed to coax it into working. The application is hosted at github.com. The application lets you create users with a profile photo. When you upload the photo, the web application stores it on Amazon S3 instead of your local file system. (Very important if you host at heroku.com)
However, when I did a "view source" in the browser of the page I noticed that the URL of the picture was an Amazon S3 URL in the S3 bucket that I assigned to the app. I cut & pasted the URL and was able to view the picture in the same browser, and in in another browser in which I had no open sessions to my web app or to Amazon S3.
Is there any way that I could restrict access to that URL (and image) so that it is accessible only to browsers that are logged into my applications?
Most of the information I found about Amazon ACLs only talk about access for only the owner or to groups of users authenticated with Amazon or AmazonS3, or to everybody anonymously.
EDIT----UPDATE July 7, 2010
Amazon has just announced more ways to restrict access to S3 objects and buckets. Among other ways, you can now restrict access to an S3 object by qualifying the HTTP referrer. This looks interesting...I can't wait until they update their developer documents.
871
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/ . In the Bucket name list, choose the name of the bucket that you want. Choose Permissions. Choose Edit to change the public access settings for the bucket.
Amazon S3 is the only object storage service that allows you to block public access to all of your objects at the bucket or the account level, now and in the future by using S3 Block Public Access. To ensure that public access to all your S3 buckets and objects is blocked, turn on block all public access.
By default, all S3 buckets are private and can be accessed only by users who are explicitly granted access. Restrict access to your S3 buckets or objects by doing the following: Writing IAM user policies that specify the users that can access specific buckets and objects.
For files where privacy actually matters, we handle this as follows:
http://myapp.com/download/{s3-path}, where download corresponds to a controller (in the MVC sense)Using this method, you end up using a lot more bandwidth than you need, but you still save on storage. For us this works out, because we tend to run out of storage much more quickly than bandwidth.
For files where privacy only sort of matters, we generate a random hash that we use for the URL. This is basically security through obscurity, and you have to be careful that your hash is sufficiently difficult to guess.
However, when I did a "view source" in the browser of the page I noticed that the URL of the picture was an Amazon S3 URL in the S3 bucket that I assigned to the app. I cut & pasted the URL and was able to view the picture in the same browser, and in in another browser in which I had no open sessions to my web app or to Amazon S3.
Keep in mind that this is no different than any image stored elsewhere in your document root. You may or may not need the kind of security you're looking for.
138
Amazon's Ruby SDK (https://github.com/aws/aws-sdk-ruby) has useful methods that make it a snap to get this done. "url_for" can generate a temporary readable URL for an otherwise private S3 object.
Here's how to create a readable URL that expires after 5 minutes:
object = AWS::S3.new.buckets['BUCKET'].objects['KEY']
object.url_for(:read, :expires => 300).to_s
AWS documentation: http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/S3/S3Object.html#url_for-instance_method
44
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
