
I am using Node.js with the npm multer s3 module to upload my video/audio/image files to an Amazon S3 bucket. I am using the policy below to grant permission for viewing my files through my mobile application:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

But the problem is that whenever I copy the link of one of my S3 files into a browser and paste it, the file gets downloaded (or shown). How can I prevent this? I don't want my files to be downloaded or shown when the link is entered in the address bar. My files should only be shown or streamed through my mobile and web application. How can I achieve this?

Jagadeesh

1 Answer


You might want to consider serving your content through CloudFront in this case using either Signed URLs or Signed Cookies and use an Origin Access Identity to restrict access to your Amazon S3 content.

This way, only CloudFront can access your S3 content and only clients with valid signed URL/cookies can access your CloudFront distribution.

After you set up your Origin Access Identity in CloudFront, your bucket policy should be something like:

{
    "Version": "2012-10-17",
    "Id": "Policy1476619044274",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <Your Origin Access Identity ID>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

The format for specifying the Origin Access Identity in a Principal statement is:

"Principal":{
    "CanonicalUser":"<Your Origin Access Identity Canonical User ID>"
}

or

"Principal": {
    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <Your Origin Access Identity ID>"
}

See: Serving Private Content through CloudFront.

Khalid T.
  • Can you suggest an npm module to achieve this (signed URL)? – Jagadeesh Aug 22 '17 at 11:33
  • @Jagadeesh: You can use the [aws-cloudfront-sign](https://www.npmjs.com/package/aws-cloudfront-sign) npm module. – Khalid T. Aug 22 '17 at 11:42
  • So should my S3 bucket permission be private or public? – Jagadeesh Aug 22 '17 at 11:53
  • @Jagadeesh: Please see my updated answer. Your bucket policy should grant `GetObject` access to your Origin Access Identity only. – Khalid T. Aug 22 '17 at 12:03
  • Yes, OK. Can you consider telling me in a little more detail, as I am a beginner? First of all, while uploading my files to S3 using the npm multer s3 module, what changes should I make in my code to get a signed URL? Can you give me an example? – Jagadeesh Aug 22 '17 at 12:07
  • @Jagadeesh: I can't possibly say what changes need to be made in your code because I didn't see it. However, I am sure the two links I provided should be enough to get you started. If you are still struggling with it, you could post your code in a new question. Best of luck :) – Khalid T. Aug 22 '17 at 12:29
  • Please check and tell me whether the principal you have given in the bucket policy is correct; it is showing me "Invalid principal in policy". { "Version": "2012-10-17", "Id": "Policy1476619044274", "Statement": [ { "Sid": "1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity APKAJM2FEVTI7BNPCY4A(sample key)" }, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket-name/*" } ] } – Jagadeesh Aug 22 '17 at 13:43
  • @Jagadeesh `APKAJM2FEVTI7BNPCY4A(sample key)` is not a valid Origin Access Identity ID. The ID is usually a 14-character alphanumeric string such as `E2FGH45TOLP32S`. See my updated answer for another alternative for specifying the Origin Access Identity in the Principal statement. – Khalid T. Aug 23 '17 at 06:02
  • I have corrected it; it was my mistake. Now I have entered it and my policy has been updated, but I am still not able to view the content with the signed URL. https://stackoverflow.com/questions/45821394/how-to-secure-s3-files-with-trusted-signed-users-using-cloudfront-aws-sign Have a look at my question. – Jagadeesh Aug 23 '17 at 06:09