I'm working on a site that is probably destined for AWS hosting. This leads to a question about access rights to stuff that would be stored in S3 buckets:
- I set up an EC2 server for the site, and an S3 bucket to hold some of the site's stuff.
- Alice and Bob create accounts on my site.
- Alice and Bob both upload files that end up in the bucket.
- Alice should be able to see her file but not Bob's, and vice versa.
- Anonymous users of the site should be able to see neither file.
Is this possible with S3? My impression is that this is what AWS IAM is for; is this correct? I'm slowly getting past my AWS newbie-ism, but I'm not quite there yet -- thanks!
Yes, this is possible. Here is the design pattern that you'll want to implement. The short version: You'll create an IAM user account for each Alice and Bob. They get their own AWS access keys that will be used to access the S3 bucket. You'll then apply a S3 policy to the bucket in question.
Where most people get confused is that "IAM policies" and "S3 bucket policies" are two, different things and both need to be set up.
It should be up to the application to dictate access. S3 is designed for being accessed by applications and not for direct file storage with permissions and the like.
Create separate users and separate IAM policies and attach 1 policy to each user.
I've provided this policy in this question already: AWS/S3 - creating a user (through console) to grant r/w bucket perms to for 1 bucket?