0

I want to use S3 to store user uploaded excel files - obviously I only want that S3 file to be accessible by that user.

Right now my application accomplishes this by checking if the user is correct, then hitting the URL https://s3.amazonaws.com/datasets.mysite.com/1243 via AJAX. I can use CORS to allow this AJAX only from https://www.mysite.com.

However if you just type https://s3.amazonaws.com/datasets.mysite.com/1243 into the browser, you can get any file :P

How do I stop S3 from serving files directly, and only enable it to be served via ajax (where I already control access with CORS)?

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
Don P
  • 60,113
  • 114
  • 300
  • 432
  • A similar question with signed URLS is here - http://stackoverflow.com/questions/10811017/how-to-store-data-in-s3-and-allow-user-access-in-a-secure-way-with-rails-api-i - but it is a bit outdated (2 years old) and I think there is an easier solution just by preventing direct requests. – Don P Mar 20 '14 at 16:15

1 Answers1

1

It is not about AJAX or not, it is about permissions and authorization.

First, your buckets should be private unlike their current state which is world visible.

Then in order for your users to connect, you create a temporary download link which in AWS world called S3 Pre-signed Request.

You generate them in your back-end, here is a java sample

Enjoy, R

Froyke
  • 1,115
  • 7
  • 13
  • Thanks Froyke - do you know how to make an s3 bucket private? – Don P Mar 23 '14 at 00:15
  • you can do it using the API or from the web management console. Just right click on the bucket - and tune its permissions on the right panel. Also note to check your objects (files) inside the bucket - as they could have different permissions. – Froyke Mar 26 '14 at 06:59