Trying to understand S3... How do you limit access to a file you upload to S3? For example, from a web application, each user has files they can upload, but how do you limit access so only that user has access to that file? It seems like the query string authentication requires an expiration date, and that won't work for me. Is there another way to do this?
You will have to build the whole access logic to S3 in your applications.
There are various ways to control access to the S3 objects:
1. Use the query string auth - but as you noted this does require an expiration date. You could make it far in the future, which has been good enough for most things I have done.
2. Use the S3 ACLs - but this requires the user to have an AWS account and authenticate with AWS to access the S3 object. This is probably not what you are looking for.
3. You proxy the access to the S3 object through your application, which implements your access control logic. This will bring all the bandwidth through your box.
4. You can set up an EC2 instance with your proxy logic - this keeps the bandwidth closer to S3 and can reduce latency in certain situations. The difference between this and #3 could be minimal, but depends on your particular situation.
1. Have the user hit your server
2. Have the server set up a query-string authentication with a short expiration (minutes, hours?)
3. Have your server redirect to #2
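The three steps in the answer above, sketched as an added example (not code from any poster in this thread): the server checks ownership, signs a five-minute URL using Signature Version 4 presigned query parameters (the current form of S3 query-string authentication), and redirects to it. The credentials, bucket name, `OWNERS` table and `handle_download` helper are constructed placeholders.

```python
import datetime, hashlib, hmac
from urllib.parse import quote

# Constructed placeholders; real keys belong in the server's environment, never in code.
ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"
SECRET_KEY = "example-secret-key-not-real"
REGION, BUCKET = "us-east-1", "example-user-uploads"
# Hypothetical ownership table standing in for the application's database.
OWNERS = {"alice/report.pdf": "alice", "bob/notes.txt": "bob"}

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get(key, expires=300, now=None):
    """Return a SigV4 presigned GET URL for `key`, valid for `expires` seconds."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, day = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    host = f"{BUCKET}.s3.amazonaws.com"
    scope = f"{day}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # S3 rejects the URL after this many seconds
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    path = "/" + quote(key, safe="/")
    # Canonical request: method, path, query, headers, signed headers, payload hash.
    canonical = "\n".join(["GET", path, query, f"host:{host}", "", "host",
                           "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    k = _hmac(("AWS4" + SECRET_KEY).encode(), day)
    for part in (REGION, "s3", "aws4_request"):
        k = _hmac(k, part)
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"

def handle_download(user, key):
    """Steps 1-3: authorize the logged-in user, then 302 to a short-lived URL."""
    if OWNERS.get(key) != user:  # also rejects keys the application does not know
        return 403, {}
    return 302, {"Location": presign_get(key, expires=300),
                 "Cache-Control": "no-store"}  # keep the signed URL out of caches
```

The signed URL works for anyone who holds it until it expires, so the access decision is only as strong as the ownership check and the expiry window.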
I've been dealing with this, too. Don, who wrote the S3 PHP class I'm using, pointed out you can use dirs inside buckets. So you can put your file in a dir with a random string and then redirect to that: mybucket.amazon.net/wef49kfe4j409jf4f4f9jdfd/myfile.zip. While not at all secure, you can control access to it by changing permissions or creating and deleting it (keep the original securely in a different bucket) as necessary.
DragonDisk is a fast S3 client with an intuitive graphical user interface: http://www.dragondisk.com