
iOS with AWS EC2 Endpoint or S3

I have an iOS app backed by AWS (EC2 and other services). But I have a question regarding uploading user-generated files such as images and videos to the backend. I'm thinking of either uploading them directly to S3 buckets or uploading to EC2 and letting EC2 pass them on to S3 buckets. I'm leaning towards uploading to EC2 because I don't want anyone to have write access to my file system; however, this will probably require lots of heavy lifting for my EC2 instance. If I upload directly to S3, how can I ensure security without using temporary URLs? (I'm using SDWebImage to download and cache the images; temporary URLs will cause SDWebImage to download the same images again instead of retrieving them from the local cache.) Any suggestions will be highly appreciated.

So you're going to want to decouple this via Lambda.

Don't use EC2. It's rather unnecessary.

Create an S3 bucket called "app-whatever".

Keep your bucket PRIVATE. You don't have to give users access to things. They can be private with generated URLs. Let every user have their own folder (this is the prefix).

To be fancy, put every item in S3 from the user's end. Have each key randomly generated with the iOS 'arc4' function or whatever you want, then append the file type. So blahblah.png.

Put a metadata field WITH the file called thumbnail, with the value of the filename plus -thumb. So blahblah-thumb.png.

Recap: you are uploading a single file to S3 with the metadata field thumbnail. That's it.

Then create a Lambda function that responds to every single PUT from S3. If you like Node.JS, use the imagemagick module (nicely included for you) to generate a 128x128 thumbnail or whatever. The Lambda function receives the S3 data for the file. Get the main file (key name) for the source file, and the thumbnail metadata will be the output. Run your IM function and put the output file in the S3 bucket. Now you have two files in the bucket. Great.

Now when you list these files, DON'T DOWNLOAD EACH ONE. Get the metadata from the file and get a presignedUrl for the key in the metadata.

This will be fast. For an example, check out HD Camera by iSkore on the App Store.
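The Lambda side of the flow this answer describes (react to a PUT, read the thumbnail metadata, write the thumbnail back into the bucket), as an added example that is not code from the original post or from any AWS sample. The S3 and ImageMagick calls are injected as plain functions with hypothetical signatures so it runs offline; in a deployed function they would be the SDK's head/get/put object calls and an imagemagick resize. The event shape follows S3 notifications, and the sample bucket contents are constructed. It also handles the failure mode this design has: the function writes into the bucket that triggers it, so without a guard each thumbnail it writes would fire it again.

```python
"""Lambda-side handling of the S3 PUT -> thumbnail flow.

Added example, not code from the original post. S3 and ImageMagick are
injected as plain callables (hypothetical signatures) so this runs offline.
"""
import os
import urllib.parse

THUMB_SUFFIX = "-thumb"
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg"}


def parse_put_records(event):
    """Yield (bucket, key) for each ObjectCreated record in an S3 event.

    S3 URL-encodes object keys in notifications (a space arrives as '+'),
    so the key must be decoded before it is used in any API call.
    """
    for record in event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        s3 = record["s3"]
        yield s3["bucket"]["name"], urllib.parse.unquote_plus(s3["object"]["key"])


def thumbnail_key_for(key, metadata):
    """Return the key the thumbnail should be written to, or None to skip.

    Skips objects that are themselves thumbnails (otherwise the function
    re-triggers itself on every file it writes), non-image extensions, and
    uploads whose 'thumbnail' metadata field is missing.
    """
    stem, ext = os.path.splitext(key)
    if ext.lower() not in IMAGE_EXTENSIONS or stem.endswith(THUMB_SUFFIX):
        return None
    thumb = metadata.get("thumbnail")
    if not thumb:
        return None
    # Metadata is client-supplied: pin the output to the uploader's own prefix
    # so a path or '..' in the field cannot move the thumbnail elsewhere.
    prefix = key.rsplit("/", 1)[0] + "/" if "/" in key else ""
    return prefix + os.path.basename(thumb)


def handler(event, context, head_object, get_object, resize, put_object):
    """Process one S3 event; returns the list of thumbnail keys written.

    Injected callables (hypothetical, not the SDK's exact signatures):
      head_object(bucket, key) -> user-metadata dict
      get_object(bucket, key)  -> bytes
      resize(data)             -> bytes (e.g. an ImageMagick 128x128 resize)
      put_object(bucket, key, data, metadata) -> None
    """
    written = []
    for bucket, key in parse_put_records(event):
        out_key = thumbnail_key_for(key, head_object(bucket, key))
        if out_key is None:
            continue
        put_object(bucket, out_key, resize(get_object(bucket, key)), {"source": key})
        written.append(out_key)
    return written


def _event_for(bucket, key):
    """Constructed S3 notification with the minimum fields the handler reads."""
    return {"Records": [{"eventName": "ObjectCreated:Put",
                         "s3": {"bucket": {"name": bucket},
                                "object": {"key": key}}}]}


def demo():
    """Run the handler for a user's upload, then for the notification S3
    would fire for the thumbnail it wrote. Returns (run 1 keys, run 2 keys,
    sorted bucket contents)."""
    bucket = "app-whatever"
    store = {"u1/blahblah.png": (b"\x89PNG constructed bytes",
                                 {"thumbnail": "blahblah-thumb.png"})}

    def head_object(b, k):
        return store[k][1]

    def get_object(b, k):
        return store[k][0]

    def resize(data):
        return data[:8]  # stand-in for the real ImageMagick call

    def put_object(b, k, data, metadata):
        store[k] = (data, metadata)

    first = handler(_event_for(bucket, "u1/blahblah.png"), None,
                    head_object, get_object, resize, put_object)
    second = handler(_event_for(bucket, "u1/blahblah-thumb.png"), None,
                     head_object, get_object, resize, put_object)
    return first, second, sorted(store)


if __name__ == "__main__":
    print(demo())
```

The suffix guard is the cheap fix; the cleaner one is to configure the S3 event notification with a prefix or suffix filter (or write thumbnails to a separate bucket) so the function is never invoked for its own output in the first place.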

It really depends on what your reasons for restriction are. If you give the app permission to upload the image to your EC2 server and then it just forwards it to S3, what are you gaining? S3 allows you to use key prefixes to restrict objects based on the user (which is easy if you are using Cognito for authentication). For instance, you can make it so your S3 structure is something like /images/{userId}/myImage.jpg and each user can only upload to their folder. You can make it totally private, or you can let other users read from that folder but not write, etc.

Some thoughts:
- You could blacklist users, potentially
- You could throttle requests, or inspect and reject certain images
- You could have a more complicated security model than S3 provides

You could use API Gateway for the first 2 use cases.

If you do want to use EC2, yes, the pre-signed URL will change. I'm not sure how SDWebImage works so I can't comment on its caching ability.
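The per-user prefix scoping this answer describes, as an added example that is not code from the original post. It produces the kind of IAM policy attached to a Cognito identity pool's authenticated role, using the real policy variable ${cognito-identity.amazonaws.com:sub}, and mirrors the same rule locally so a backend can validate a client-proposed key (or mint one itself) before issuing a presigned URL for it. The bucket name app-whatever and the images/{userId}/ layout come from the thread; the key regex, extension list, function names and sample identity id are constructed.

```python
"""Per-user S3 prefix scoping for a Cognito-authenticated app.

Added example, not code from the original post. Bucket name and folder
layout are from the thread; the validation rules are constructed.
"""
import json
import re
import secrets

BUCKET = "app-whatever"
ALLOWED_EXT = {"png", "jpg", "jpeg", "mp4"}
# One well-formed key: images/<identity>/<name>.<ext>. The character classes
# exclude '/', '.' and '..' so nothing can escape the identity's prefix.
KEY_RE = re.compile(
    r"^images/(?P<user>[A-Za-z0-9:_-]{1,128})/"
    r"(?P<name>[A-Za-z0-9_-]{1,64})\.(?P<ext>[a-z0-9]{1,5})$"
)


def per_user_policy(bucket=BUCKET):
    """IAM policy for the identity pool's authenticated role.

    ${cognito-identity.amazonaws.com:sub} resolves to the caller's identity
    id at evaluation time, so one policy scopes every user to their own
    folder. ListBucket gets a prefix condition so users cannot enumerate
    each other's folders either.
    """
    sub = "${cognito-identity.amazonaws.com:sub}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/images/{sub}/*",
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"images/{sub}/*"]}},
            },
        ],
    }


def policy_json(bucket=BUCKET):
    """The policy as the JSON document you would attach to the role."""
    return json.dumps(per_user_policy(bucket), indent=2)


def is_key_allowed(user_id, key):
    """Local mirror of the policy: True only if key sits directly under
    images/<user_id>/ as a single file with an allowed extension."""
    m = KEY_RE.match(key)
    return bool(m) and m.group("user") == user_id and m.group("ext") in ALLOWED_EXT


def new_object_key(user_id, ext):
    """Backend-chosen key: a random, unguessable name under the caller's
    prefix plus the file type. Raises if the result would not pass the
    same check the policy enforces (bad identity id or extension)."""
    key = f"images/{user_id}/{secrets.token_urlsafe(12)}.{ext.lower()}"
    if not is_key_allowed(user_id, key):
        raise ValueError(f"cannot build a key for {user_id!r} with extension {ext!r}")
    return key


if __name__ == "__main__":
    uid = "us-east-1:11111111-2222-3333-4444-555555555555"  # constructed
    print(policy_json())
    print(new_object_key(uid, "png"))
```

With this in place the bucket stays private: the backend validates the key, issues a presigned URL for it, and the client never holds credentials that reach another user's prefix. The presigned URL's query string changes on every issue, so a client that caches by full URL will miss; the cache key has to be the object key rather than the signed URL.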
