AWS S3 Video Upload Permissions: Best Practices for Temporary Access

Allowing Users to Upload Videos to an S3 Bucket: One-Week Access Profile

Prev Question Next Question

Question

An application hosted in AWS allows users to upload videos to an S3 bucket.

A user is required to be given access to upload some videos for a week based on the profile.

How could this be accomplished in the best way possible?

Answers

A. Create an IAM bucket policy to provide access for one week.

B. Create a pre-signed URL for each profile which will last for one week.

C. Create an S3 bucket policy to provide access for one week.

D. Create an IAM role to provide access for one week.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer - B.

Pre-signed URLs are the perfect solution when you want to give temporary access to users for S3 buckets.

So, whenever a new profile is created, you can create a pre-signed URL to ensure that the URL lasts for a week and allows users to upload the required objects.

For more information on pre-signed URLs, please visit the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html

For Choice D, the maximum time you can set for IAM Role Session is 12 hours.

So this doesn't satisfy the 1-week requirement.

Ref: https://docs.aws.amazon.com/singlesignon/latest/userguide/howtosessionduration.html.

The best way to accomplish providing temporary access to upload videos to an S3 bucket in AWS is by creating a pre-signed URL for each user profile that will last for one week.

A pre-signed URL is a unique URL that provides temporary access to an S3 object. The pre-signed URL can be used to upload, download, or delete an object without requiring AWS credentials. When a user requests the pre-signed URL, the URL is generated by AWS and includes a signature that verifies the user's credentials and authorizes the user to access the specified S3 object.

Creating a pre-signed URL for each user profile ensures that each user is given a unique URL that expires after one week. This method provides granular control over access to S3 objects and limits the scope of access to only the necessary resources. Additionally, the use of pre-signed URLs does not require any additional AWS resources, such as IAM roles, policies, or bucket policies.

Creating an IAM bucket policy, S3 bucket policy, or IAM role to provide access for one week is not the best approach. IAM bucket policies and S3 bucket policies are used to grant or deny access to a bucket or object for specific AWS accounts, IAM users, or roles. They are not suitable for providing temporary access to a specific user for a limited time. IAM roles are intended to grant access to AWS services and resources from within an instance or application running on an EC2 instance or other trusted environment.

Therefore, the correct answer is B. Create a pre-signed URL for each profile which will last for one week.

Prev Question Next Question