I have a server, which should provide temporary AWS credentials to the client. The credentials will be transmitted using HTTPS.
The client should be able to upload S3 files, as well as download them. The concern I have is the following:
I have multiple users accessing ONLY their own directory: /Users/someUser/myfile.png
You can set policies to allow or deny S3 in general, but you can't grant access only to a specific path.
What should I do about this? Will the HTTPS transmission be enough?
Then my second question. If I hear "temporary credentials", I have a key in mind that is valid for a couple of hours and then expires. But I'm not sure if IAM is really built for that. Should I provide the same credentials for all users? Or do I generate a key-pair for each client?
The server runs with PHP, the client with Objective-C.
You can specify permissions on a path in Amazon S3. For more details see the following:
Using IAM Policies
Also, if you want to create "temporary credentials" you can use the AWS Security Token Service. This service allows you to create credentials that last from 1 - 36 hours and you can put a policy on those credentials to limit their access. For more details about the service see:
Security Token Service API Reference
Finally, there is an article written for the AWS Mobile SDKs that does something similar. It has a server to issue temporary credentials to users that use an Amazon S3 bucket. It limits the users to a "sub-folder" of the bucket and also limits their actions. You can read this sample here:
Credential Management for Mobile Applications
Hope this helps you get to the information you need.
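The two pieces the answer describes, a path-scoped IAM policy and an STS call that attaches it to temporary credentials, fit together as shown in this added example (written for this page, not code from the answer, the linked AWS article or the AWS SDKs). It is in Python with boto3 rather than the asker's PHP, because the STS GetFederationToken call and the policy document are the same in either SDK. The bucket name, the "Users/<username>/" key layout (mirroring the question's /Users/someUser/myfile.png) and the one-hour lifetime are assumptions; policy_allows is a deliberately simplified local matcher for reasoning about the policy offline, not a full IAM evaluator.

```python
"""Added example (not from the original question or answer): build a
scoped-down IAM policy that confines one user to their own prefix in a
bucket, and hand it to STS GetFederationToken to mint temporary
credentials. Bucket and user names are constructed placeholders."""
import fnmatch
import json
import re
from typing import Optional

BUCKET = "example-app-bucket"  # constructed placeholder, not a real bucket
USER_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def user_prefix_policy(bucket: str, username: str) -> dict:
    """Return an IAM policy document that allows object reads/writes only
    under Users/<username>/ and bucket listing only of that prefix.
    The username is validated first so a crafted value such as '../' or
    '*' cannot widen the Resource ARN that is interpolated below."""
    if not USER_RE.fullmatch(username):
        raise ValueError("invalid username for policy scoping")
    prefix = f"Users/{username}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
            },
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def policy_allows(policy: dict, action: str, resource_arn: str,
                  prefix: Optional[str] = None) -> bool:
    """Simplified local check (Allow-only statements, exact action names,
    wildcard Resource and s3:prefix matching). Useful for sanity-testing
    the generated document; it is NOT a full IAM policy evaluator."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix")
        if cond is not None:
            # ListBucket is only allowed when the requested prefix matches
            if prefix is None or not any(fnmatch.fnmatchcase(prefix, p) for p in cond):
                continue
        return True
    return False


def issue_temporary_credentials(sts_client, bucket: str, username: str,
                                hours: int = 1) -> dict:
    """Call STS GetFederationToken with the scoped-down policy attached.
    The resulting permissions are the intersection of this policy and the
    policy of the IAM user whose long-term keys the server uses, so that
    server-side IAM user should itself have no more S3 access than the
    union of what it will ever hand out. sts_client is any object with a
    boto3-style get_federation_token method (a real boto3 STS client, or a
    fake one for offline tests)."""
    resp = sts_client.get_federation_token(
        Name=username,
        Policy=json.dumps(user_prefix_policy(bucket, username)),
        DurationSeconds=hours * 3600,
    )
    return resp["Credentials"]


if __name__ == "__main__":
    # Live usage needs AWS credentials in the environment and boto3 installed;
    # the server's IAM user must be allowed sts:GetFederationToken.
    import boto3
    creds = issue_temporary_credentials(boto3.client("sts"), BUCKET, "alice")
    print(json.dumps(creds, default=str, indent=2))
```

The server returns the AccessKeyId, SecretAccessKey, SessionToken and Expiration from the Credentials map to the mobile client over HTTPS; the client signs its S3 requests with all three and receives 403 on any key outside its own prefix. Each user gets a distinct, short-lived credential set, which answers the second question: the same long-term keys are never shared with clients.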