Amazon Web Service (AWS) Private Storage For Authenticated Users

Question

My Project Flow:

1. You go to my website
2. You login with Username and Password that admin made
3. You got to see your dedicated files, private to your account

I already made the basis with Firebase ( Authentication and Storage ). So in Firebase i made this Storage Rules

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /assets/{userId}/{assetsId} {
            allow read;
    }
  }
}

Ilustration storage:

assets/
|----user01/
|    |----user01.jpg
|----user02/
|    |----user02.jpg

basically only that user01 can see user01.jpg & only that user02 can access see user02.jpg if he/she login

Problem:

Now, I am currently want try to remake this project on Amazon Web Services (AWS). I am currently using AWS Cognito which in my understanding is equal to Firebase Authentication & AWS S3 Storage which in my understanding is equal to Firebase Storage .

I am still confuse how to develop with AWS, but i think i already manage how to get the userId (or sub i think in AWS Cognito) if the user login

I try to recreate the Firabase Storage Rules with https://awspolicygen.s3.amazonaws.com/policygen.html for S3 Bucket Policy but there is no condition like only this userId (or sub i think in AWS Cognito) allow to READ his/her private files.

I am new to this Firebase and very new to this AWS things. Please guide me throughly, much appreciated.

Answer 1

You should not use an Amazon S3 Bucket Policy, nor should you put S3 permissions on the user themselves.

Instead, it should work as follows:

• The Amazon S3 bucket should be kept private (no Bucket Policy)
• When a user accesses a web page in your application that wants to show or link to one of the S3 files, the application should:
  • Verify that the user is entitled to access the file
  • If so, generate an Amazon S3 pre-signed URLs , which grants time-limited access to a private object

This way, it is the application that determines access and this is done on any page that references/links to a private object. Generating a pre-signed URL only take a couple of lines of code and does not require an API call back to Amazon S3.

For example: Imagine a photo-sharing website . Photos should be private by default (no access). If a user logs-in and wants to view a photo online, the application that generates the HTML page would use an <img src=...> tag, but the URL will be a pre-signed URL . This means the web browser will display the image on the page. Similarly, if there is a download link to the image, the URL should be a pre-signed URL. Also, users might choose to share a picture with another user. Such information would be kept in a database. When another user wants to view the shared image, the application would check the database, verify the permission, then provide a pre-signed URL. This moves the "ownership" away from the path (where the image is stored) and into the database .

I'm not a Firebase user, so I don't know what capabilities it has, but the above is the recommended way to manage user access to private files in S3.