How to safely share files via amazon S3 bucket

Time: 07-28

I need to share ~10K files with ~10K people (one-to-one matching) and I would like to use Amazon S3 for this (by giving public access to these files).

The caveat is that I do not want anyone to be able to download all these files together. What are the right permissions for this?

Currently, my plan is:

  1. Create non-public buckets (foo)
  2. Name each file with a long string so one cannot guess the link (bar)
  3. Make all files public
  4. Share links of the form https://foo.s3.amazonaws.com/bar

It seems that by having a non-public bucket, I ensure that no one can list files in my bucket and hence won't be able to guess names of the files inside. Is it correct?

CodePudding user response:

I would approach this using pre-signed URLs, as this allows you to grant access on an object level, even when your bucket and objects are kept private. This means that the only way to access an object in the bucket is by using the link you provide to each individual user.

Therefore to follow best practice, you should block all public access and make all objects private. This will prevent anyone from listing bucket objects.

To automate this, you could upload the files naming them after each user, or some other identifying string like an ID number. You can then use some kind of loop to generate a presigned URL for each one, giving the user a limited time to retrieve the file without granting them access to the bucket as a whole.

I use bash, so that's the example I'll give, but there's probably a similar PowerShell solution for this too.

The easiest way to do this would be with the aws-cli:

aws s3 presign s3://<YOUR-BUCKET-NAME>/<userIdNumber>.file \
              --expires-in 604800

Put all of your user IDs (or whatever you've used to identify your users' files) in a text file and loop over them with bash to generate all your presigned URLs like so:

Contents of users.txt:

user1
user2
user3
user4
user5

The loop:

# Read users.txt line by line; `read -r` keeps each ID exactly as written.
while IFS= read -r i; do
  echo "$i"
  aws s3 presign "s3://my-bucket/$i.file" --expires-in 604800
done < users.txt

This should spit out a list of usernames with a URL below each user. Just send the link to each user and they will be able to get their document.
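A slightly more defensive version of the loop above, added here as an example and not part of the original answer: it parameterises the bucket and expiry, validates each user ID before it is spliced into an object key (a slash or `..` in a line of users.txt would otherwise address a different object), and emits a `user<TAB>url` mapping you can keep for your own records. It assumes the answer's `<userId>.file` key pattern, and the `AWS_CMD` variable (my addition) lets you point it at a stub for a dry run.

```shell
# Added example, not the original answer's code. Requires the aws CLI
# (or a stub set via AWS_CMD) and credentials allowed to read the objects.
: "${AWS_CMD:=aws}"

# Only allow IDs made of [A-Za-z0-9_-]; anything else (slashes, dots,
# spaces, empty lines) could turn "<id>.file" into an unintended key.
valid_user_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# presign_user BUCKET USER_ID EXPIRES_SECONDS
# Prints a presigned URL for s3://BUCKET/USER_ID.file, or fails on a bad ID.
presign_user() {
  bucket="$1"; user="$2"; expires="$3"
  valid_user_id "$user" || { echo "skipping invalid user id: '$user'" >&2; return 1; }
  "$AWS_CMD" s3 presign "s3://${bucket}/${user}.file" --expires-in "$expires"
}

# presign_all BUCKET USERS_FILE EXPIRES_SECONDS
# Prints one "user<TAB>url" line per valid ID in USERS_FILE; invalid IDs are
# reported on stderr and skipped rather than aborting the whole run.
presign_all() {
  bucket="$1"; users_file="$2"; expires="$3"
  while IFS= read -r user || [ -n "$user" ]; do
    url=$(presign_user "$bucket" "$user" "$expires") || continue
    printf '%s\t%s\n' "$user" "$url"
  done < "$users_file"
}
```

Run it as `presign_all my-bucket users.txt 604800 > links.tsv` to get the same per-user links as the original loop, plus a file you can audit later.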
