By default, all objects in Amazon S3 are private. You can then add permissions so that people can access your objects. This can be done with:
- Access Control List Permissions for Individual Objects
- Bucket Policy
- IAM Users and Groups
- Pre-signed URL
As long as at least one of these methods provides access, your users will be able to access objects from Amazon S3.
1. Access Control List on individual objects
The Make Public option in the Amazon S3 management console grants Open/Download permissions to all Internet users. This can be used to share specific objects.
2. Bucket Policy
A Bucket Policy can be used to provide access to the entire bucket or part of the bucket. It can also be used to indicate access restrictions. For example, a policy can make a specific directory on the web publicly available to users from a specific range of IP addresses at a specific time of the day and only when accessing the bucket via SSL.
A Bucket Policy is a good way to provide public access to many objects (for example, to a specific directory) without the need to specify permissions for each individual object. It is commonly used for static websites served from an S3 bucket.
3. IAM Users and Groups
This is similar to defining a Bucket Policy, but permissions are assigned to specific users or user groups. Thus, only those users have permission to access objects. Users must authenticate when accessing objects, so this is most often used when accessing objects through the AWS API, for example, using aws s3 commands from the AWS command-line interface (CLI).
Rather than being prompted to authenticate, users supply their credentials when calling the API. An easy way to do this is to save the user credentials in a local configuration file, which the CLI will automatically use when calling the S3 API.
4. Pre-signed URL
A pre-signed URL can be used to provide access to S3 objects as a way to “override” access controls. A normally private object can be accessed through a URL by adding an expiration time and a signature. This is a great way to serve private content without requiring a web server.
Typically, a pre-signed URL is created by the application when it wants to grant access to the object. For example, let's say you have a site for sharing photos, and the user is authenticated on your site. Now you want to display their photos on a web page. The images are normally private, but your application can generate pre-signed URLs that give the user temporary access to them. The pre-signed URL will expire after a specific date/time.