Authenticate with web server before uploading/downloading file to AWS S3

Question

I want to create an android application and use AWS s3 as a storage service to allow the user to upload and download files. I have studied something about S3 REST service, which can help me achieve the same, after configuration of IAM Role for Bucket etc.

Now thing is, I want only the registered users of my application/ with access control configured at my web server(username/password) should be allowed to upload/download the file and not anyone with only app access should be allowed.

Look the link below as well, to have some idea about AWS S3 upload file using REST

http://www.tothenew.com/blog/file-upload-on-amazon-s3-server-via-rest-api-call/

Putting simply, in addition to that described in the link above, I just need the answer to the following questions:

1) How to allow only registered users?
2) Is it good practice to hard code AWS S3 secretKey etc in the production application.
3) Does hardcoding these values in my app could lead to a scenario where even an unregistered user of my application could be able to upload/download the file to aws s3?

All suggestions are welcome, if-if they solve part of the puzzle, as I am completely unaware of the solution

It would be very helpful..., Thanks in advance,

Answer 1

1. For sure it is not best practice to hard code secret keys inside your codes..

2. Now if you want to separate the authorized and the unauthorized users one AW services that does this job and more is AWS Cognito . You can find a lot in the aws documentation https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-console.html

A few things for Cognito :

1. You have Amazon Cognito User Pools tha provides :

   • Sign-up and sign-in services.

   • A built-in, customizable web UI to sign in users. Social sign-in with Facebook, Google, and Login with Amazon, as well as sign-in with SAML identity providers from your user pool.

   • User directory management and user profiles. Security features such as multi-factor authentication (MFA), checks for compromised credentials, account takeover protection, and phone and email verification.

2. You have Amazon Cognito Identity Pools (Federated Identities) that provides :

   • Users in an Amazon Cognito user pool
   • Users who authenticate with external identity providers such as Facebook, Google, or a SAML-based identity provider
   • Users authenticated via your own existing authentication process

Answer 2

This how it works in my application

1. Ask user register/login using aws cognito
2. deploy an api via api gateway that acts as proxy for S3 services
3. For the api , apply AWS cognito as Authorizer in api gateway

This however has a limitation on size of object

The option I have tried is use signed urls, and this is spit out by back end application upon registered users access requests. My implementation includes below 1. Client requests signed urls using an api with a lambda implementation 2. Lambda generates signed urls and passes on the response. 3. while creating signed urls, key/id are used from a parameter store (see EC2 parameter store) secured against role and with a KEY.

I think from your use case , EC2 parameter store (instead of database) should be sufficient to securely keep secretes.