Amazon S3 Permissions

Question

Amazon S3 Permissions

I use temporary sessions in Amazon S3 with GetSessionToken / GetFederationToken, I plan to have more than 10 thousand users, each of which can be loaded on S3, so I decided to use a bucket for each user and set write permissions (upload) per bucket for each user , but since there is a limit on the number of buckets per Amazon account, I abandoned this idea.

How can I set permission, for example, allow public reading and load only if the prefix is on the key of the object that the user wants to download?

For example, if username X is loading a file, the key should be like X_filename.

Or in any other way that allows me to have security, this is for a mobile application, and I would not want to go through our own servers when downloading a file.

Edit:

I tried the GetFederationToken operation with the following policy

"{ "Statement":[{ "Effect":"Allow", "Action":["s3:PutObject","s3:GetObject","s3:GetObjectVersion", "s3:DeleteObject",\"s3:DeleteObjectVersion"], "Resource":"arn:aws:s3:::user.uploads/john/*" } ] }"

I have bucket user.uploads on S3 and the john folder

however, any download with session credentials in bucket user.uploads with the john / filename key fails with access denied "

+4

mobile amazon-s3 amazon-web-services

forcewill Jan 17 '12 at 10:28

source share

1 answer

Geoff appleford · Accepted Answer · 2012-01-17T13:53:09+0000

Amazon Identity and Access Management (IAM) is what you need. There are many examples in the documentation , some of which are relevant to your scenario.

From the docs:

Example 5 : allow a partner to drop files into a specific part of the corporate bucket
In this example, we create a WidgetCo group that represents a partner company, then create a user for a specific person (or application) in a partner company that needs access, and then a user in the group.
Then we attach a policy that gives the PutObject group access to the following directory in the corporate bucket: my_corporate_bucket / add / widgetco.
We also want the WidgetCo group to do nothing with the bucket, so we add an expression that prohibits Amazon S3 Actions other than PutObject on any Amazon S3 resource in AWS. This is only necessary if you use a broad policy elsewhere in your AWS account that provides users with wide access to Amazon S3.
 { "Statement":[{ "Effect":"Allow", "Action":"s3:PutObject", "Resource":"arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*" }, { "Effect":"Deny", "NotAction":"s3:PutObject", "Resource":["arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*"] }, { "Effect":"Deny", "Action":"s3:*", "NotResource": "arn:aws:s3:::my_corporate_bucket/uploads/widgetco/*" }] } 

You must create a new identifier for each user and use it to control access to subfolders (prefixes) as needed.

Amazon S3 Permissions

More articles: