我正在开发一个React Native应用程序,供用户将文件上传到Amazon S3并稍后检索它们。 我现在最关心的是如何以只有文件的所有者才能访问它的方式来实现这个机制。
我的第一个想法是实现一个中间服务器来控制对Amazon S3服务器的所有访问,但这需要大量时间/工作来保证服务器的安全。
我的第二个想法是为每个新用户创建一个IAM令牌,并创建具有正确权限的文件夹,只有该文件夹的所有者才有权访问它。 但是研究亚马逊IAM服务的局限性,我发现每个AWS账户的最大IAM账户数量是5000。
这种情况比第一种情况有更好的方法吗? 如果没有,必须采取哪些措施才能保证服务器的安全并保持Amazon S3上的文件安全?
I'm developing a React Native application where users will upload files to Amazon S3 and later retrieve them. My biggest concern right now is how to implement this mechanism in a way that only the OWNER of the file can access it.
My first idea was implement a middle server to control all access to Amazon S3 server, but this would demand a lot of time/work to make the server secure.
My second idea was to create an IAM token for every new user and create folders with the right permissions that only the owner of the folder will have access to it. But researching on the limitations of Amazon IAM service, I found that the maximum number of IAM accounts for each AWS account is 5000.
Is there a better approach for this situation than the first one? If not, what MUST be done to make the server secure and keep the files on Amazon S3 safe?
最满意答案
你可以在这个帖子https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html
有效地,你可以用用户名前缀文件名(s3键),并写入s3策略以允许用户访问(读取或写入)具有其用户标识的文件(在某些地方有这样的s3策略,现在我无法找到它,只是搜索它)
Amazon IAM服务的局限性
您可以使用AWS Cognito对IAM限制之外的用户进行身份验证,并为用户存储制定通用策略
you can have at this post https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html
effectively you can prefix file names (s3 keys) with the user id and write s3 policy to let users access (read or write) only files with their user id (there is such s3 policy somewhere, I am unable to find it now, just search for it)
limitations of Amazon IAM service
you can use AWS Cognito to authenticate users outside IAM limitations and having common policies for the user store
更多推荐
发布评论