Rails implementation for securing S3 documents

旧巷少年郎
旧巷少年郎 2021-02-05 22:47

I would like to protect my s3 documents behind my rails app such that if I go to:

www.myapp.com/attachment/5 that should authenticate the user prior to displaying/downlo

3 answers
  • 2021-02-05 23:30

    You'd want to do two things:

    1. Make the bucket and all objects inside it private. The naming convention doesn't actually matter, the simpler the better.

    2. Generate signed URLs, and redirect to them from your application. This way, your app can check if the user is authenticated and authorized, and then generate a new signed URL and redirect them to it using a 301 HTTP Status code. This means that the file will never go through your servers, so there's no load or bandwidth on you. Here are the docs to presign a GET_OBJECT request:

    https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/S3/Presigner.html

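    The flow this answer describes (authenticate, authorize, presign, redirect) as an added example in plain Ruby; it is not code from the answer or from the AWS SDK. A minimal SigV4 query-string presigner stands in for Aws::S3::Presigner#presigned_url so it runs offline, and the bucket, key, credentials, Attachment model and current_user are constructed placeholders; it answers with a 302 rather than a 301, since a permanent redirect is cached by browsers well past the URL's expiry.

```ruby
require "openssl"
require "digest"
require "cgi"

# Minimal SigV4 query-string presigner for a GET object request (stands in for
# Aws::S3::Presigner#presigned_url so the example runs without the SDK).
def presign_get(bucket:, key:, region:, access_key:, secret_key:, expires_in:, now: Time.now.utc)
  host     = "#{bucket}.s3.#{region}.amazonaws.com"
  datetime = now.strftime("%Y%m%dT%H%M%SZ")
  date     = datetime[0, 8]
  scope    = "#{date}/#{region}/s3/aws4_request"
  query = {
    "X-Amz-Algorithm"     => "AWS4-HMAC-SHA256",
    "X-Amz-Credential"    => "#{access_key}/#{scope}",
    "X-Amz-Date"          => datetime,
    "X-Amz-Expires"       => expires_in.to_s,   # lifetime in seconds, enforced by S3
    "X-Amz-SignedHeaders" => "host",
  }.sort.map { |k, v| "#{k}=#{CGI.escape(v)}" }.join("&")
  canonical = ["GET", "/#{key}", query, "host:#{host}", "", "host", "UNSIGNED-PAYLOAD"].join("\n")
  to_sign   = ["AWS4-HMAC-SHA256", datetime, scope, Digest::SHA256.hexdigest(canonical)].join("\n")
  # signing key = HMAC chain over date / region / service / "aws4_request"
  skey = [date, region, "s3", "aws4_request"].reduce("AWS4#{secret_key}") do |acc, part|
    OpenSSL::HMAC.digest("sha256", acc, part)
  end
  "https://#{host}/#{key}?#{query}&X-Amz-Signature=#{OpenSSL::HMAC.hexdigest("sha256", skey, to_sign)}"
end

# Rails-style action for GET /attachment/:id: authenticate, authorize, then redirect
# to a short-lived URL. Attachment, current_user and the bucket are hypothetical.
class AttachmentsController
  Attachment = Struct.new(:id, :owner_id, :s3_key)
  ATTACHMENTS = { 5 => Attachment.new(5, 42, "docs/5/report.pdf") } # constructed sample

  def initialize(current_user)
    @current_user = current_user
  end

  # Returns [status, location] the way a Rails action would head / redirect_to.
  def show(id)
    return [401, nil] unless @current_user                       # not authenticated
    att = ATTACHMENTS[id] or return [404, nil]
    return [403, nil] unless att.owner_id == @current_user[:id]   # not authorized
    url = presign_get(bucket: "example-private-bucket", key: att.s3_key, region: "us-east-1",
                      access_key: "AKIAEXAMPLE", secret_key: "SECRET-EXAMPLE", expires_in: 60)
    [302, url]  # temporary redirect: a 301 would be cached past the URL's 60 s lifetime
  end
end
```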
  • 2021-02-05 23:35

    I would vote for number 3; it is the only truly secure approach. Because once you pass the user to the S3 URL, that is valid till its expiration time. A crafty user could use that hole; the only question is, will that affect your application? Perhaps you could set the expire time to be lower, which would minimise the risk? Take a look at an excerpt from this post: Accessing private objects from a browser

    All private objects are accessible via an authenticated GET request to the S3 servers. You can generate an authenticated url for an object like this:

    S3Object.url_for('beluga_baby.jpg', 'marcel_molina')

    By default authenticated urls expire 5 minutes after they were generated.

    Expiration options can be specified either with an absolute time since the epoch with the :expires option, or with a number of seconds relative to now with the :expires_in option:

  • 2021-02-05 23:41

    I have been in the process of trying to do something similar for quite some time now. If you don't want to use the bandwidth twice, then the only way that this is possible is to allow S3 to do it. Now I am totally with you about the exposed URL. Were you able to come up with any alternative?

    I found something that might be useful in this regard - http://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempFederationTokenRuby.html

    Once a user logs in, an AWS session with his IP as a part of the AWS policy should be created, and then this can be used to generate the signed URLs. So in case somebody else grabs the URL, the signature will not match since the source of the request will be a different IP. Let me know if this makes sense and is secure enough.
