How to enable AWS-S3-security policy for files uploaded in S3

Question

I am working on application in which we upload customers' videos, pdfs and other confidential documents on S3 bucket.

Currently, a customer can play these videos in videogular component(Angular component) and PDF files can be read in PDF component.(Angular Component)

My concern is about its security.

I want that customers can play/read only their video/pdf. No one can download/play/read these things.

1.) How can I achieve that?

2.) Which are the things which I have to enable/disable on my S3 bucket. (S3 Bucket policy)

3.) We do not have IAM roles configured. Do we need it?

I have no clue about this... It would be great if some one can guide/provide some useful links.

Thanks in advance.

score 1 · Answer 1 · answered Nov 08 '17 at 15:08

I assume each user has it's own folder in your S3 bucket.

1. I would process the folder and files on the back end and show each user only files they are supposed to see by using their user IDs.

Suppose your S3 bucket is named inventory, and my username is ABC123, there should be a folder like: s3://inventory/ABC123/ . or s3://inventory/(your customized user ids)/

I would make the url to S3 bucket in my app based on user IDs.

and when you show the files to your users, the url in the browser must be changed so they cannot see the real path to the file.

2.

If you need to have access to the previous version of the files you can activate Versioning.
logs for access requests.
File encryption
Tags if you are concerned about the cost

3. (If you mean IAM roles for your users), If you handle access to your S3 bucket by your app, you don't need it.

I have posted my answer. Thanks again for the help. – Manan Shah Nov 14 '17 at 05:51 — Manan Shah, Nov 14 '17 at 05:51

score 0 · Accepted Answer · answered Nov 14 '17 at 05:50

Finally, I got the answer.

Answer of First Question: What @Cyrus has mentioned in his answer is absolutely correct. Addition to that answer I want to add few more points in it.

as he has rightly mentioned...

when you show the files to your users, the url in the browser must be changed so they cannot see the real path to the file.

which gives me hint about CDN(Content Delivery Network) server.

Finally, we would go for CDN-S3 combination.

It means Client would only exposed to CDN url(s). (Not S3 url(s)) And those would be Pre signed URL (Secure as well as temporary url.)

One can read more about from here: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

Answer of (2) and (3): as @Cyrus mentioned.

How to enable AWS-S3-security policy for files uploaded in S3

2 Answers2