Amazon Bucket Policy for only mobile app access

Question

I have a bucket in Amazon S3 and I set data inside read only for everyone. However, this is not what I want. I would like that data to be accessible only from my mobile application and restrict it to download by url.

Is that possible? if so how to implement such bucket policy?

score 16 · Accepted Answer · answered Aug 08 '17 at 12:43

Traditionally, access to a mobile app is done this way:

The mobile app user authenticates to your back-end (through your mobile app). This could be done with Amazon Cognito or with your own database of username/password.
Your application examines their identity and determines what data they are permitted to access. It then uses the AWS Security Token Service (STS) to generate time-limited credentials that have limited permissions (eg access to a particular directory within an S3 bucket). The back-end app sends these credentials to the mobile app.
The mobile app can then use the credentials to make API calls to AWS (without having to go through your back-end server).

If you wish any user on your mobile app to access the S3 bucket, then the user doesn't need to authenticate in the first step -- it would just be your mobile app requested some temporary credentials.

None of the above requires a Bucket Policy. The permissions would be granted against the STS credentials, not he bucket.

Regarding the second part: granting any user on your mobile app to access the S3 bucket, could you explain it in more detail about how to request some temporary credentials, or add a link to some instructions? Thanks! — CodeBrew, Feb 16 '20 at 16:35
@CodeBrew The link in the answer to AWS Security Token Service can provide the details. — John Rotenstein, Feb 16 '20 at 23:13

score 4 · Answer 2 · answered Aug 08 '17 at 12:10

There is no direct way to set the client specific policies in S3 buckets but your use case can be achieved in other ways.

Way 1 - Set a http request referer in your mobile apps and create policies on S3 that match with this refrer.

Way 2 - Redirect all your request via a server that matches client type and adds few conditions in request. These conditions can be handled at S3 policies.

Way 3 - Redirect all your app request via a server whose ip is whitelisted on S3 bucket. Though here you have to use some proxy server or loadbalancer.

Here is official S3 doc for policies and conditions for access - http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

Hope this helps!

Amazon Bucket Policy for only mobile app access

2 Answers2

Linked