
I have a website where users need to log in. They can upload and delete their own pictures, BUT these pictures are supposed to be private, so the images are not set to public where anyone can view them.

I know that we can use IAM policies to restrict access to different folders in an S3 bucket to different IAM users. However, the website users are just normal registered users recorded in the database (probably MySQL); they are not IAM Users.

What would be the logic to set this up without needing an IAM user for each website user? Are there any good examples that you can suggest? Or am I overthinking this and there's an easier way to set this kind of restriction?

Thanks in advance for any suggestions.

I-P-X
Dora
  • I think you'll need to control this at the application level. Perhaps a private S3 bucket, create a folder for each user based on their website username, proxy image creation and storage via your servers. I can't think of a way to do this if you want them to upload directly to or download directly from S3 without using IAM users. – Tim Nov 16 '18 at 22:27

2 Answers


You certainly will not need an IAM User for each website user; that's not manageable.

The recommended way is to use AWS Cognito for user authentication against your User Pool (i.e. your list of users in your database). Cognito will handle the login, logout, password reset, etc. on your behalf, and once the user is authenticated it will be issued a set of temporary AWS credentials that give it access to the defined resources, in your case to certain folders in the S3 bucket.

The details are well described in Allow Cognito Users Access to Objects in Their S3 Bucket - that's probably exactly what you need.

As a bonus when using Cognito it's very easy to enable login with social media accounts - Facebook, Google, etc logins. See Adding Social Identity Providers to a User Pool.

Hope that helps :)

MLu

Another option is to get away without IAM roles and credentials altogether and use S3 Pre-signed URLs. With pre-signed URLs you can create secure, time-limited image links that enable unauthenticated access to otherwise private objects in S3. In other words:

  • Your S3 objects are all private; no one other than the webserver has access to them.
  • When the user logs in you generate pre-signed URLs for his images. These URLs will give the user temporary access to his content (e.g. with 1 hour validity).
  • When the link expires (after e.g. 1 hour) it no longer provides access to the user's image.

This way you can get away without any IAM users or IAM roles for the website users.

Here is a simple demo on how to implement it: S3 Pre-signed URL demo

You can also use pre-signed URLs for image uploads, but that's a bit more involved. It may be easier to upload the images to your server using the standard upload methods and the server uploads them to S3.

This is a more limited approach than using Cognito, but it may be easier to implement.

Hope that helps :)

MLu
  • Really, thanks for the suggestion. I have never done it, but I heard about pre-signed URLs when I was watching videos about S3. So the link can be generated for each user when they log in, and if it expires it can be regenerated? I am not thinking of Cognito because the authentication part will not be using Cognito – Dora Nov 23 '18 at 22:54
  • @Dora sure you can regenerate the link as often as you want. You can make the links with e.g. 1 hour validity and also create new ones every 15 minutes or so. There can be an overlap - the old ones will still be valid even if you create a new one. Give it a try with the demo I linked, it will make it clearer :) – MLu Nov 23 '18 at 22:58
  • thanks thanks a lot :D I will mark it the correct answer – Dora Nov 23 '18 at 23:07
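As an added illustration of the pre-signed URL approach from the second answer (not code from the answer or the linked demo): the webserver keeps the only AWS credentials, checks that the logged-in user owns the requested key (one folder per user, as Tim's comment suggests), and signs a GET URL with a short expiry. It implements AWS Signature Version 4 query-string presigning with only the standard library so the signing is visible; the bucket, region and credentials are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Constructed demo values; real keys come from the server's environment/role.
ACCESS_KEY = "AKIAEXAMPLEKEY000000"
SECRET_KEY = "exampleSecretKeyNotReal/abcdefghijklmnopqrs"
BUCKET, REGION = "example-private-images", "us-east-1"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(user_id: str, key: str, expires: int = 3600, now=None) -> str:
    """Return a SigV4 pre-signed GET URL for `key`, valid for `expires` seconds.

    Ownership is enforced here, in the application: a user only gets URLs for
    objects under their own prefix. Dot segments are rejected because browser
    URL normalisation would change the signed path.
    """
    if not key.startswith(f"{user_id}/") or ".." in key:
        raise PermissionError(f"{user_id} may not access {key}")
    if not 1 <= expires <= 604800:  # S3 allows at most 7 days
        raise ValueError("expires out of range")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{REGION}/s3/aws4_request"
    host = f"{BUCKET}.s3.{REGION}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: sorted names, values percent-encoded.
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    path = "/" + quote(key, safe="/")
    canonical = "\n".join(["GET", path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the per-day signing key, then sign the string.
    k = _hmac(("AWS4" + SECRET_KEY).encode(), date)
    for part in (REGION, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"
```

The server can hand out a fresh URL on every page load (or every 15 minutes, as the comments suggest); S3 rejects the link after `X-Amz-Expires` seconds regardless of what the user does with it.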