I would like to protect my S3 documents behind my Rails app such that if I go to:
www.myapp.com/attachment/5 that should authenticate the user prior to displaying/downlo
I would vote for number 3; it is the only truly secure approach, because once you pass the user to the S3 URL, that URL is valid till its expiration time. A crafty user could use that hole; the only question is, will that affect your application? Perhaps you could set the expire time to be lower, which would minimise the risk?
Take a look at an excerpt from this post: Accessing private objects from a browser
All private objects are accessible via an authenticated GET request to the S3 servers. You can generate an authenticated url for an object like this:
S3Object.url_for('beluga_baby.jpg', 'marcel_molina')
By default authenticated urls expire 5 minutes after they were generated.
Expiration options can be specified either with an absolute time since the epoch with the :expires options, or with a number of seconds relative to now with the :expires_in options:
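Added example, not part of the answer above or of the excerpt it quotes: a local Ruby model of the legacy S3 query-string signing scheme, showing why a signed URL works for anyone who holds it until it expires, and why lowering the expiry narrows that window. The credentials, bucket, key and the `check` function (a stand-in for the server-side verification) are constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# Constructed placeholder credentials, not real values.
ACCESS_KEY = 'AKIAEXAMPLEKEYID'
SECRET_KEY = 'constructed-secret-for-illustration'
HOST = 'https://s3.amazonaws.com'

# HMAC-SHA1 over the method, the absolute expiry (epoch seconds) and the path.
def sign(secret, expires, path)
  string_to_sign = "GET\n\n\n#{expires}\n#{path}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', secret, string_to_sign))
end

# Build a signed GET URL that stays valid for expires_in seconds after `now`.
def presigned_url(bucket, key, expires_in:, now: Time.now)
  expires = now.to_i + expires_in
  path = "/#{bucket}/#{key}"
  sig = URI.encode_www_form_component(sign(SECRET_KEY, expires, path))
  "#{HOST}#{path}?AWSAccessKeyId=#{ACCESS_KEY}&Expires=#{expires}&Signature=#{sig}"
end

# Compare two strings without stopping at the first differing byte.
def same?(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Model of the storage-side check. It sees only the URL: no Rails session,
# no cookie, so whoever holds the URL passes until the expiry is reached.
def check(url, now: Time.now)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  expires = params['Expires'].to_i
  expected = sign(SECRET_KEY, expires, uri.path)
  return :bad_signature unless same?(expected, params['Signature'].to_s)
  now.to_i > expires ? :expired : :ok
end

if __FILE__ == $PROGRAM_NAME
  issued = Time.at(1_700_000_000) # constructed issue time
  url = presigned_url('my-bucket', 'attachments/5.pdf', expires_in: 30, now: issued)
  puts check(url, now: issued + 10)   # within the window
  puts check(url, now: issued + 31)   # past the window
  puts check(url.sub('Expires=1700000030', 'Expires=1700086400'), now: issued + 31)
end
```

Because the expiry is part of the signed string, a holder cannot extend it; the exposure is the window itself, which is why the Rails action should authenticate first and then issue the shortest expiry the download can tolerate.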