如何在 Amazon S3 上安全地存储图像

Question

I want to securely store images on Amazon S3, or elsewhere in AWS.

I'm looking for a solution similar to FireBase'sUser Security

In firebase what i want to achieve would work something like this:

// Only a user or admin can read and write their passport
match /users/{userId}/passport.png {
  allow read: if request.auth != null && request.auth.uid == userId || request.auth.admin == true ;
  allow write: if request.auth != null && request.auth.uid == userId || request.auth.admin == true;
}

Thank you!

Answer 1

There are many avenues to explore with S3 and I have broken them down below.

Authorization

Permissions in AWS are primarily controlled via IAM . You would create a policy with the permission set, then attach this to either a user, group or role within AWS. Your application would use the user or role to communicate with the S3 APIs.

S3 also support bucket policies that allow further conditional based requirements such as source (VPC endpoint, IP address etc) to lock down the maximum permissions another principal (such as your IAM user or even another account) can use.

If you need to lock down specific objects, you can make use of S3 ACLs to apply permissions.

Encryption in Transit

S3 supports encryption in transit. Using S3's HTTPs endpoint you can ensure that your data will be encrypted whilst it traverses the internet. If you want to keep this communication private you can enhance this process by using a VPC endpoint to keep all communication within the AWS backbone.

Encryption at Rest

S3 has many methods of encrypting data at rest. The options are as follows:

• SSE-S3
• SSE-KMS
• SSE-C
• Client-side encryption