
Using Amazon's S3 storage, is it possible to set an image to only be viewable to specific users of an application?

I've looked at the policy generator, but I can't seem to find what I'm looking for.

Some of the information on this documentation page sounds relevant. Could I achieve this with signed URLs or IAM users? Ideally, the users of the app do not have to create an AWS account.

macsj200
  • [This SO question](http://stackoverflow.com/questions/6615168/is-there-an-s3-policy-for-limiting-access-to-only-see-access-one-bucket) is somewhat related, but I'm not sure how to directly apply that information. – macsj200 Jan 29 '17 at 07:08
  • This question needs clarification. You want to make an image viewable to "specific users" of an app. How are those users selected or identified? What platform is your app written in? How secure do you need this to be? What is the importance of browser caching to what you are doing? (Your conclusion about signed URLs impacting caching is correct but does not necessarily rule them out entirely.) – Michael - sqlbot Jan 29 '17 at 15:26

1 Answer


By default, all objects in Amazon S3 are private. You can then add permissions so that people can access your objects. This can be done via:

  • Access Control List (ACL) permissions on individual objects
  • A Bucket Policy
  • IAM Users and Groups
  • Pre-Signed URLs

Given that you wish to grant access to application users, the recommended method is a Pre-Signed URL.

A Pre-Signed URL can be used to grant access to S3 objects as a way of "overriding" access controls. A normally private object can be accessed via a URL by appending an expiry time and signature. This is a great way to serve private content to users without having to define every user within IAM. (It is recommended to only use IAM for staff, not application users.)

A pre-signed URL can be generated from a few lines of code. A quick way to experiment is to use the AWS Command-Line Interface (CLI), which has an aws s3 presign command.

See: AWS CLI aws s3 presign documentation

There are equivalent commands for all AWS SDKs in various programming languages.

John Rotenstein
  • Thanks, signed URLs look like a viable option. Do you know if using a signed (changing) URL clobbers image caching? Also, if I understand correctly, **anyone** could potentially use the signed URL to access the resource before it expires, is there any way to lock it down further? – macsj200 Jan 29 '17 at 08:49
  • You are correct -- anyone with the Pre-Signed URL can access the resource within the given timeframe. No further limitations available that apply only to one file (there are Bucket Policies, but they apply to the whole bucket/path, such as IP address restrictions). Caching should still be supported since only parameters (after the `?`) are changed, but it might depend upon the browser and Cache-Control headers. – John Rotenstein Jan 29 '17 at 22:50