安全的AWS S3文件网址

Question

I have some business related documents in my platform uploaded by each user and once uploaded, this is stored in the AWS S3 bucket. My requirement is like the user should be able to access this content only by the URL's provided from the application. Right now, I have S3 url's but this can be used any number of times.

First of all, is this possible in AWS S3 ?

If possible what is the technique ? How can we do this ?

Answer 1

You'll want to look at securing your bucket so it's only accesible from your application (use an instance role with access to the bucket). Then serve pre-signed URLs. There are many AWS documents describing how to do this depending on the language. You can review some of those here .

Answer 2

It is possible to generate a S3 link with an expires timestamp.

An example in python found here :

#!/usr/bin/env python
# Create a time-bombed URL from an S3 object
# Parameters: s3_url [timeout]
# timeout defaults to 1 minute if not specified
# requires the boto module
import sys,re
try:
  testArg=re.match('s3:\/\/',sys.argv[1])
except:
  print ("usage: " + sys.argv[0] + " s3_object ttl_in_sec")
  sys.exit(1)
if not testArg:
  print "need a valid s3 object as arg"
  sys.exit(1)
try:
  sys.argv[2]
  expTime=int(sys.argv[2])
except:
  expTime=60
(bucket,key)=re.split('/',re.sub('^s3:\/\/','',sys.argv[1]),maxsplit=1)
testKey=re.match('\w',key)
if not testKey:
  print ("something wrong with this url - I have a key of: " + key + " - bailing")
  sys.exit(1)
from boto.s3.connection import S3Connection
s3=S3Connection()
url = s3.generate_url(expTime, 'GET', bucket=bucket, key=key)
print (url)

would create a link like this one:

https://runascloud-tmp.s3.amazonaws.com/medium/testFile.txt?Signature=6eAuqcwJtpy4RLbIB7LsvTDt7g4%3D&Expires=1569188257&AWSAccessKeyId=AKIAIHPTZ74AMD3GGAMQ

which expires after X time has passed.