DEV Community

Discussion on: Share Your AWS S3 Private Content With Others, Without Making It Public

Idris Rampurawala Author

Hey, it is safe in the sense that you decide the users who will get access to the resource, but do evaluate on the following points:

  • Restrict access by ensuring Limiting presigned URL capabilities
  • Always generate a URL with an expiry
  • The access key and token shared in the presigned URL are generated at runtime and one cannot easily manipulate the URL (check AWS docs)
  • Try not to disclose your S3 path in the URL (use CloudFront)
  • Lastly, avoid sharing your S3 files if they contain sensitive information. Rather, mask it for the end-users.

Hope it solves your queries.

l222p

Thanks,

What I want is to display images on my site; those images are located in S3 and they're encrypted. Right now, what I do is download the image in the backend using the S3 GetObject API, but I don't like it since the front-end should download them. So, I pre-signed them and sent them this way, and then I realized they contain ApiAccess and ApiToken.

I don't think this is ok haha. What should I do? How can I use CloudFront to "hide" the S3 path?

Thanks

Idris Rampurawala Author

Hi,

If your front-end is using resources from S3, then I would suggest you add S3 bucket permissions to restrict the access outside your domain.

You can then directly expose that S3 bucket containing images on the front-end via CloudFront. I do not see any use-case of using a pre-signed URL here, as your images might be restricted to your own domain and optionally authenticated users.

Hope it answers your queries.

P.S. Check this post for using CloudFront in front of S3