AWS S3 – allow user to only access his files

Time:12-28

I would like to add an image upload possibility for my users. So far I've followed a simple YouTube tutorial and created a new bucket with the following Bucket policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1578265217545",
    "Statement": [
        {
            "Sid": "statement-1",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/images/*"
        }
    ]
}

And the following CORS policy:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE",
            "HEAD"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": []
    }
]

I've also created an IAM user, and attached the following policy to it:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action": [
                "s3:Put*",
                "s3:Get*",
                "s3:Delete*"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

I got my access and secret keys that I successfully used to upload/delete files – success.

I have a strong feeling that the above policies are not really secure at the moment (e.g. I'm planning to make the CORS policy more strict, by only allowing the bucket to be accessed from a certain domain).

My main question now is – How can I make sure that if user A uploads his image, no other user (until allowed) can access it?

CodePudding user response:

I think this would be possible if each user of the application had an IAM user account in AWS. Then you could restrict the images using the corresponding AWS IAM user. But I believe this is probably not the case.

Something better would be, instead of accessing the images directly on AWS, access the images via your application. You could have a table storing the image path in the bucket on AWS, the corresponding owner(s) and also a flag indicating if the image can be accessed publicly or not.

Then when you need a specific image, you would make a request to your application, which would check if the user making the request is the owner of the image, if yes, the application would download the image from AWS using the AWS S3 SDK and send it over to the user.

This approach will decouple AWS from your end users and your app will be responsible for managing who can access what. Given every request to AWS will pass through your app, there is less risk of compromising the AWS infrastructure in place.
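
Added example (not part of the answer above, and not code from the original page): a minimal sketch of the ownership check that answer describes, with the object key looked up server-side from the image id so a client never supplies a bucket path. The table and function names, the sample rows and the injected `fetch` callable standing in for the S3 SDK download are all assumptions.

```python
import sqlite3


class Forbidden(Exception):
    """Raised for 'no such image' and 'not allowed' alike, so ids cannot be probed."""


def make_db():
    # Constructed sample data; layout follows the answer: path, owner(s), public flag.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE images (id INTEGER PRIMARY KEY, s3_key TEXT NOT NULL,
                             is_public INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE image_owners (image_id INTEGER, user_id TEXT,
                                   PRIMARY KEY (image_id, user_id));
        INSERT INTO images VALUES (1, 'images/a/cat.png', 0),
                                  (2, 'images/b/logo.png', 1);
        INSERT INTO image_owners VALUES (1, 'userA'), (2, 'userB');
    """)
    return db


def resolve_key(db, user_id, image_id):
    """Return the S3 key only if user_id owns image_id or the image is public."""
    row = db.execute(
        """SELECT i.s3_key FROM images i
           LEFT JOIN image_owners o ON o.image_id = i.id AND o.user_id = ?
           WHERE i.id = ? AND (i.is_public = 1 OR o.user_id IS NOT NULL)""",
        (user_id, image_id)).fetchone()
    if row is None:
        raise Forbidden(image_id)
    return row[0]


def get_image(db, user_id, image_id, fetch):
    """Authorize first, then download using the application's own credentials.

    fetch(key) -> bytes is the S3 call, e.g. with boto3:
    lambda k: s3.get_object(Bucket="my-bucket", Key=k)["Body"].read()
    """
    return fetch(resolve_key(db, user_id, image_id))


def grant(db, owner_id, image_id, other_id):
    """An existing owner adds another user; being public is not enough to share."""
    owns = db.execute("SELECT 1 FROM image_owners WHERE image_id = ? AND user_id = ?",
                      (image_id, owner_id)).fetchone()
    if owns is None:
        raise Forbidden(image_id)
    db.execute("INSERT OR IGNORE INTO image_owners VALUES (?, ?)", (image_id, other_id))
```

The check only protects images if the bucket itself is not readable directly: the bucket policy in the question allows anonymous `s3:GetObject` on `images/*`, which bypasses the application entirely.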

CodePudding user response:

Object tagging and attribute-based access control could be used for conditional access to different objects. https://docs.aws.amazon.com/AmazonS3/latest/userguide/tagging-and-policies.html
