Amazon-web-services – Amazon S3 see private files

amazon-s3, amazon-web-services

I am using Amazon S3 to upload files into different folders. All folders and files are public and can be seen by anyone. I created a private folder, where I want to put private images so that only I can see them. I already created a bucket policy rule that will deny access to that folder. But how can I see the files? Is there a special link like https://s3.amazonaws.com/bucket/private_folder/file.jpg?secret_key=123 that will let me and someone who knows that secret key see the files?

Is there any way of uploading private files that can be seen by using a secret_key, URL or something like that?

Best Solution

By default, all objects in Amazon S3 are private. Objects can then be made "public" by adding permissions, via one of:

  • Object Access Control List (ACL): Setting the permission directly on the object
  • Bucket Policy: Relates to the bucket; can define rules relating to sub-directories, key names (filenames), time-of-day, IP address, etc.
  • IAM Policy: Relates to specific Users or Groups

As long as one of these methods grants access, the person will be able to access the object. It is also possible to assign Deny permissions that override Allow permissions.

When an object is being accessed via an un-authenticated URL (e.g. s3.amazonaws.com/bucket-name/object-key), the above rules determine access. However, even "private" files can be accessed if you authenticate against the service, such as calling an S3 API with your user credentials or using a pre-signed URL.

To see how this works, click a private file in the Amazon S3 Management Console, then choose Open from the Actions menu. The object will be opened. This is done by providing the browser with a pre-signed URL that includes a cryptographic signature and a period of validity. The URL will work to Get the private file only until a defined time.

So, to answer your question, you can still access private files via:

  • The Open command in the console
  • Pre-Signed URLs in a web browser
  • Authenticated API calls

Just be careful that you don't define DENY rules that override even your ability to access files. It's easier to simply ALLOW the directories you'd like to be public.

See: Query String Request Authentication Alternative
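As an added example (not part of the answer above or of any AWS library), here is what a pre-signed URL contains and why it stops working after the validity period: a stdlib-only Python implementation of Signature Version 4 query-string signing for a GET, paired with the check the service performs on receipt. The access key and secret are the example values from the AWS documentation, the bucket and object names are constructed.

```python
# Added example, not from the post: build an S3 pre-signed GET URL (SigV4) and run S3's receipt check. Stdlib only.
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

def _signing_key(secret: str, date: str, region: str) -> bytes:
    key = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):  # SigV4 key derivation chain
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key

def _query(params: dict) -> str:  # sorted, RFC 3986-encoded; "/" in the credential becomes %2F
    return "&".join(f"{k}={urllib.parse.quote(v, safe='')}" for k, v in sorted(params.items()))

def presign_get(bucket, key, access_key, secret, region, when: datetime, expires: int) -> str:
    """Return a URL that fetches s3://bucket/key for `expires` seconds after `when`."""
    host, amz_date = f"{bucket}.s3.amazonaws.com", when.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256", "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    path = "/" + urllib.parse.quote(key, safe="/")
    # Method, path, query (including the expiry), signed headers and payload marker are all bound
    canonical = "\n".join(["GET", path, _query(params), f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    sig = hmac.new(_signing_key(secret, amz_date[:8], region), to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{_query(params)}&X-Amz-Signature={sig}"

def verify_get(url: str, secret: str, now: datetime) -> bool:
    """Service-side check: recompute the signature with the real secret and enforce the window."""
    parts = urllib.parse.urlsplit(url)
    q = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    try:
        access_key, _date, region, *_ = q["X-Amz-Credential"].split("/")
        signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        expires = int(q["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if not 1 <= expires <= 604800 or not signed_at <= now <= signed_at + timedelta(seconds=expires):
        return False  # malformed, over the seven-day cap, not yet valid, or expired
    bucket, key = parts.hostname.split(".")[0], urllib.parse.unquote(parts.path[1:])
    expected = presign_get(bucket, key, access_key, secret, region, signed_at, expires)
    return hmac.compare_digest(expected.rsplit("=", 1)[1], q.get("X-Amz-Signature", ""))

def demo() -> dict:
    # Constructed scenario using AWS's documented example credentials (not real keys)
    secret, issued = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", datetime(2013, 5, 24, tzinfo=timezone.utc)
    url = presign_get("examplebucket", "private_folder/file.jpg", "AKIAIOSFODNN7EXAMPLE", secret, "us-east-1", issued, 3600)
    return {"url": url, "valid": verify_get(url, secret, issued + timedelta(minutes=30)),
            "expired": verify_get(url, secret, issued + timedelta(hours=2)),
            "wrong_secret": verify_get(url, "not-the-real-secret", issued),
            "other_object": verify_get(url.replace("file.jpg", "other.jpg"), secret, issued)}
```

Anyone holding the URL can fetch the object until X-Amz-Expires elapses, so treat it as a bearer credential and keep the validity period as short as the use case allows.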