
My Problem

I have a public S3 bucket which serves as a storage solution for large files (GBs) that I send to colleagues and clients. The files are auto-deleted after a few weeks.

The problem with this setting is that I may suffer significant charges if someone launches a DDoS and mass-downloads one of my links. I can end up paying huge egress network fees, and I want to avoid it.

One solution could be triggering a Lambda function whenever someone downloads an object, and incrementing a DynamoDB counter for the object. If the counter passes a reasonable threshold (say, 50 downloads), the Lambda function would make the file private to avoid further fees.

My Question

How can I configure a Lambda function to be triggered when someone requests a file from a specific S3 bucket?

MLu
Adam Matan

2 Answers


Rather than having them public for anyone to download I would make them private and only distribute pre-signed URLs to your colleagues and clients.

You can create a simple portal where your clients login and get a pre-signed link to the S3 object that expires e.g. in an hour. If they need to download it again they can get a fresh link any time. This will give you complete control and auditability of who can download your S3 objects without risking massive egress fees.

Check this out: https://aws.nz/best-practice/s3-presigned-url/

Hope that helps :)

MLu
  • Nice. I don't want to start a server, but am rather looking for a serverless solution. In addition, presigned URLs don't stop DDoS if someone gets the URL. Will look into it. – Adam Matan Apr 19 '20 at 04:59
  • @AdamMatan 1) nothing prevents you from creating a serverless signing service (Lambda, API GW, S3 for frontend), 2) create the signature at the moment when the user clicks the download link and make it valid for a few moments only, 3) what kind of data are you sharing and with who? Are you really expecting them to harm you? If you create individual links for each user you'll know who eventually DDoS'es you and can ban him. – MLu Apr 19 '20 at 05:09

As @MLu mentioned, you can use pre-signed URLs. You can also do something like this:

  1. Use a project like this one to create a quick site (running on S3) that allows users to sign-up and sign-in
  2. Then call a Lambda function with a JWT token from the sign-in. The Lambda function will authZ the user and generate a pre-signed url to the S3 object. A good example can be found here.
  3. The user can use the pre-signed url to download the object.
Vladimir
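Both answers converge on the same design: keep the bucket private, and have a small serverless signing service (Lambda behind API Gateway) that authenticates the caller with the JWT from sign-in, authorizes them for the object, and returns a pre-signed URL that expires within moments. One practical reason to prefer this over the download counter in the question is that S3 event notifications are only emitted for object writes, deletes, restores and similar lifecycle events, not for GetObject, so a Lambda cannot be triggered per download without CloudTrail data events or server access logs. The handler below is an added example written for this page, not code from either answer or from the linked projects; it assumes hypothetical constants (the JWT secret, placeholder AWS keys, bucket and region names, and a tiny ACL table) and spells out the SigV4 query-string signing with the standard library so the whole flow runs offline. In a real Lambda the `presign_get` step would be `boto3.client("s3").generate_presigned_url("get_object", Params={...}, ExpiresIn=LINK_TTL)`.

```python
"""Serverless download-link issuer: verify the caller's JWT, check that the
caller may fetch the requested object, and return an S3 presigned GET URL
that stops working after LINK_TTL seconds. Hypothetical example; the SigV4
signing is written out so it can be read and tested without AWS access."""
import base64
import datetime
import hashlib
import hmac
import json
import time
from urllib.parse import quote

# Constructed configuration: hypothetical values, not real credentials.
JWT_SECRET = b"portal-jwt-signing-secret"      # HS256 key shared with the sign-in step
AWS_ACCESS_KEY = "AKIAEXAMPLEEXAMPLEID"         # placeholder access key id
AWS_SECRET_KEY = "ExampleSecretKeyDoNotUse/0123456789abcdef"
BUCKET, REGION = "example-share-bucket", "us-east-1"
LINK_TTL = 60                                   # seconds a link stays valid
ACL = {"alice": {"report-q1.tar.gz"}, "bob": {"dataset.bin"}}   # who may fetch what


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(sub, ttl, now=None):
    """Mint an HS256 JWT, i.e. what the portal's sign-in step would hand out."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    sig = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None                    # reject "none" / algorithm confusion
        expected = hmac.new(JWT_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None                    # forged or tampered token
        claims = json.loads(_b64url_decode(payload))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, AttributeError):   # malformed token or claims
        return None


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(key, expires, now):
    """SigV4 query-string-authenticated GET URL for s3://BUCKET/key, valid `expires` s."""
    when = datetime.datetime.fromtimestamp(now, tz=datetime.timezone.utc)
    amz_date, date = when.strftime("%Y%m%dT%H%M%SZ"), when.strftime("%Y%m%d")
    host = f"{BUCKET}.s3.{REGION}.amazonaws.com"
    scope = f"{date}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{AWS_ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    path = "/" + quote(key, safe="/")
    # Canonical request: method, URI, query, headers (newline-terminated), blank
    # line, signed-header list, payload hash (unsigned for a presigned GET).
    canonical = "\n".join(["GET", path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    signing_key = _hmac(("AWS4" + AWS_SECRET_KEY).encode(), date)
    for part in (REGION, "s3", "aws4_request"):      # per-day, per-service key derivation
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"


def handler(event, now=None):
    """API Gateway-style entry point: {"token": ..., "key": ...} -> HTTP-style response."""
    now = int(time.time()) if now is None else now
    claims = verify_jwt(event.get("token", ""), now)
    if claims is None:
        return {"statusCode": 401, "body": json.dumps({"error": "invalid or expired token"})}
    sub, key = str(claims.get("sub", "")), str(event.get("key", ""))
    if key not in ACL.get(sub, set()):
        return {"statusCode": 403, "body": json.dumps({"error": "not authorized for this object"})}
    url = presign_get(key, LINK_TTL, now)
    # Audit trail: the link itself is anonymous, so record who got a link to what.
    print(f"audit sub={sub} key={key} link_expires={now + LINK_TTL}")
    return {"statusCode": 200, "body": json.dumps({"url": url, "expires_in": LINK_TTL})}
```

The short `X-Amz-Expires` is what bounds the egress exposure: anyone who obtains the link can still fetch the object, but only for sixty seconds, after which S3 rejects it and a fresh request has to go through the handler again, where the audit line ties it to a subject that can be revoked from the ACL. Keep the JWT `exp` check and the signature check both in place; a token that fails either is a 401, and a valid user asking for an object outside their ACL entry is a 403 rather than a link.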