This is my first post here - really loving this f...
# helpd
David Rollins
03/10/2022, 12:58 AMThis is my first post here - really loving this framework. I have a Cognito protected endpoint - I also have thumbnails I pop into an S3 bucket and I only want authenticated users to be able to reference those thumbnails - I display them in a list UX - but I do not want any one who grabs the url to these things to be able to down load them unless they are authenticated. The thumbnails are of architecture diagrams so they are not something I want made public. My current set up is the thumbnails are in an s3 read public bucket and I reference the public url of the objects in my code - but those links are really public which I do not want. It works but the image urls are not protected. How should I go about protecting these image urls?
k
Kevin Doveton
03/10/2022, 2:26 AMS3 signed URLs? Use a short expiry so that if someone copies the link then it will have expired by the time they try to send use it. Also make sure that your thumbnail is only as big as it needs to be, probably no more than 100px I imagine... that way there isn't enough detail to be able to make use of the diagram anyway.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/ShareObjectPreSignedURL.html
f
Frank
03/10/2022, 3:52 AM
Thanks @Kevin Doveton.
Frank
03/10/2022, 3:54 AM
Theoretically, you can also make the bucket private, and grant S3 read permissions to the authenticated users. So in ur frontend, you can make AWS SDK call to S3 to download the image, and then display them on the page.
Frank
03/10/2022, 3:55 AM
I haven’t given this enough thoughts. I think what @Kevin Doveton suggested makes sense, and easier to setup as well.
d
David Rollins
03/10/2022, 11:21 AMWell @Kevin Doveton that is a great point if I make the thumbnail only serviceable as thumbnails there is nothing to do. I do like stuff that does not need to be solved LOL. I am familiar with pre-signed urls - I use a pre-signed url to support uploads for this app. What I was really after though was a way to reference these things in image tags - so I was thinking the authentication piece would be in API GW or something and the S3 bucket url is not used per se - like you have to go through the authenticated front door to get at the thing but other than that it’s just another image URI.
David Rollins
03/10/2022, 11:22 AMHopefully that makes sense. I see the proxy pattern in the docs but that would just expose the object uri again so if someone knows that they can still pull the thing down - get around the auth layer. Better I suppose.
David Rollins
03/13/2022, 10:40 PM@Frank - no other ideas on this one - I would ideally have a secure path from apigw or cloud front to the bucket I could use to pull down these images into <img> tags
f
Frank
03/22/2022, 7:20 AM
Yeah, that’d definitely give u the most flexibility on who can/canot view the image.
d
David Rollins
04/02/2022, 2:34 PMOk so I think what I want to do is set up a separate bucket behind cloud front accessed via OAI with say a behavior that says anything /images/*.png would pull stuff from that target bucket. This target images bucket would not be public and only accessible via cloud front behind Cognito login. This I think is what I need to set up.
David Rollins
04/02/2022, 2:34 PMI saw this somewhat related thread out there - https://serverless-stack.slack.com/archives/C01JG3B20RY/p1634139022095600
2 Views