The question is pretty vague but here's the entire problem statement. I am using Django REST APIs, and I'm generating invocies for my clients. Using wkhtmltopdf, I'm able to generate a PDF file which gets automatically backed up to S3. Now, we need to retreive the said invoice once our client clicks on a link.
We're using pre-signed URLs right now, which last for 12 hours, right? Once that link expires, the entire backend fails.
I mean, even if we go for permanent pre-signed links, would there not be a security issue?
I could really use some guidance on this.
Now, we need to retreive the said invoice once our client clicks on a link.
We're using pre-signed URLs right now [...]
Only generate the pre-signed URL for a given S3 URI when the authenticated client clicks on the link. You can then give it a very short expiry.
Related
I am developing a LMS in Laravel and uploading all the video files to aws s3 bucket and can play them using video js player. But problem is, users can download the video files, which I want to stop. Can anybody suggest me is it possible or not? If possible, can anyone tell me how can I do that?
Objects in Amazon S3 are private by default.
However, if you wish students to make use of a file (eg a learning course video), you will need to grant access to the file. The best way to do this is by using Amazon S3 pre-signed URLs, which provide time-limited access to a private object.
For example, the flow would be:
A students logs into the LMS
A student requests access to a course
The LMS checks whether they are entitled to view the course (using your own business logic)
If they are permitted to use the course, the LMS generates a pre-signed URL using a few lines of code, and returns the link in a web page (eg via an <a> tag).
The student can access the content
Once the expiry duration has passed, the pre-signed URL no longer works
However, during the period where the student has access to the file, they can download it. This is because access has been granted to the object. This is necessary because the web browser needs access to the object.
The only way to avoid this would be to provide courseware on a 'streaming' basis, where there is a continuous connection between the frontend and backend. This is not likely to be how your LMS is designed.
While ago I've uploaded an image to the Google Cloud Platform bucket and made it public. Direct link, from GCP looks like this:
But this link, when put as Avatar URL to the Hangouts Chat API is not working (showing default avatar on hangouts chat, instead of mine).
I also found a way to create an url, its: https://storage.googleapis.com/[bucket]/[file] and this one is working, no idea why.
And my question is, why "official" link is not working, while the second one is working? What's the difference between them, difference between storage.cloud.google.com vs storage.googleapis.com?
This should help you understand better what's the difference between the two links.
Access to public objects
All requests to the storage.cloud.google.com URI require authentication. This applies even when allUsers have permission to access an object. If you want users to download anonymously accessible objects without authenticating, use the storage.googleapis.com URI documented in Direct API requests. For details and examples, see Accessing Public Data.
Here you have more information on the topic.
Hope this helps :)
I have been trying to find an answer to this question for a couple of hours now, but have not managed to come up with a conclusive answer. I am hoping someone here will be able to shed some light on my question. Consider the following Example AWS S3 URL:
https://some-bucket.s3-eu-west-2.amazonaws.com/uploads/images/some_image.jpg?X-Amz-Expires=600&X-Amz-Date=20170920T124015Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI6CJYFYSSWMXXXXX/20170920/eu-west-2/s3/aws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=0481296b70633de9efb2fce6e20751df2f55fd79b5ff9570c02ff8f587dce825
In my specific example, the above URL is a request to view an image on S3 which I am exposing directly in a HTML img tag, and the user in Amz-Credential has both read and write permissions. The URL is also set to expire in 10 minutes.
Is is safe to link to the image directly via this URL, or is there any possibility that within these 10 minutes, the signature from this URL could be used in a maliciously crafted REST request to delete or modify the image instead of viewing it?
I do suspect a different action will have a different signature to make this impossible, but given my very limited understanding of AWS auth, I thought it better to ask just in case.
I know I could create a read-only user (extra complexity) or hide the S3 URL behind a controller action on my own web app (requires 2 total requests to load each image, making it inefficient), but I would rather learn whether my current approach is safe or not before resorting to either of these.
Thank you kindly for your time. :)
If your pre-signed url has PUT or DELETE permission someone could try to get the Signature + AccessKeyId to overwrite or delete your object.
Just make sure that you are signing the url with a read-only permission and I guess you're good.
Good Day Everybody,
I'm fairly new to AWS, and I have a problem right now. I'm not even sure if this is something that is possible with S3. I tried googling it, but couldn't find any proper response (Probably because the keywords I searched doesn't make much sense ;) ).
So my problem is this, I have an node application which uploads user images to S3. I wan't to know how to properly access this images later in the front-end(Some sort of direct link). But at the same time, I should be able to restrict the users who can access the image. For eg: If user xyz uploads an image only that user should be able to see it. Another user say abc tries to open the direct link, it should say access restricited or something similar.
Or if that is not possible, atleast I should be able to put an encrypted timestamp on the get url, so that the image will be accessible through that particular url for only a limited amount of time.
Thanks in advance.
This is the typical use case for S3 Pre-signed URLs.
In S3, you are able to specify some query strings on the URL of your object that include an Access Key, an expiration timestamp and a signature. S3 validates the signature and checks if the request has been made before the expiration timestamp. If that's the case, it will serve the object. Otherwise, it will return an error.
The AWS SDK for JavaScript (Node.js) includes an example on how to generate pre-signed URLs: http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/node-examples.html#Amazon_S3__Getting_a_pre-signed_URL_for_a_getObject_operation__getSignedUrl_
I have people uploading video content and I'd like to restrict the video content to ONLY be streamed from my site. Since the video URLs in the video tag are easily accessible through the HTML source, I was to stop people from copying the direct s3 url and putting it in another tab.
I was looking over the docs here: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html#Condition
But it wasn't immediately obvious to me.
Thanks for your help!
You need to make this bucket private and use the signed URL to give access only to your users on your website. Signed URLs have short life (and required policy baked into it) when you generate them. This will prevent misuse even if somebody steals the URLs (or sends you the faked referrer headers etc).
You can create these URLs manually (difficult to manage) or programmatically (some coding work required). In the second case, once your website user contacts your server, then generate and serve the auto-expiring URL. Use this URL then on your website.
Overview of Signed URLs - Amazon CloudFront.