Restricting Image Uploads to S3 Bucket | Fulfilling Specified Customer Requirements

Allowing Only Certain Customers to Upload Images to S3 Bucket | Architect's Recommendations

Prev Question Next Question

Question

It is expected that only certain specified customers can upload images to the S3 bucket for a certain period of time.

What would you suggest as an architect to fulfill this requirement?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer - B.

The S3 bucket owner can create Pre-Signed URLs to upload the images to S3.

For more information on Pre-Signed URLs, please refer to the URL below.

https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html

Option A is incorrect.

Amazon has provided us with an inbuilt function for this requirement.

This option is expensive and time-consuming.As a Solution Architect, you are supposed to pick the best and cost-effective solution.

Option C is incorrect.

ECS is a highly scalable, fast container management service that makes it easy to run, stop, and manage Docker containers on a cluster.

Option D is incorrect.

SQS is a message queue service used by distributed applications to exchange messages through a polling model and not through a push mechanism.

Note:

This question is based on the scenario where we can use the pre-signed URL.

You need to understand about pre-signed URL - which contains the user login credentials particular resources, such as S3 in this scenario.

And user must have the permission enabled that other applications can use the credential to upload the data (images) in S3 buckets.

AWS Definition:

"A pre-signed URL gives you access to the object identified in the URL, provided that the creator of the pre-signed URL has permissions to access that object.

That is, if you receive a pre-signed URL to upload an object, you can upload the object only if the creator of the pre-signed URL has the necessary permissions to upload that object.

All objects and buckets by default are private.

The pre-signed URLs are useful if you want your user/customer to upload a specific object to your bucket, but you don't require them to have AWS security credentials or permissions.

When you create a pre-signed URL, you must provide your security credentials and then specify a bucket name, an object key, an HTTP method (PUT for uploading objects), and an expiration date and time.

The pre-signed URLs are valid only for the specified duration."

For more information, please visit the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html

To fulfill the requirement of allowing only certain specified customers to upload images to an S3 bucket for a certain period of time, the best solution would be to use pre-signed URLs for uploading the images. Therefore, option B is the correct answer.

Pre-signed URLs are a secure way of granting temporary access to S3 objects. They are generated by the AWS SDK and allow the owner of the bucket to grant time-limited access to a user without sharing their access keys. Pre-signed URLs are signed with an expiration date and time, so they can only be used for a limited period of time.

To implement this solution, you can create an S3 bucket and then create a policy that allows access to specific IAM users or roles. Then, you can generate pre-signed URLs for the specific users and time period that they require access to. These pre-signed URLs can then be sent to the users, who can use them to upload the images to the S3 bucket.

This solution is secure, as the pre-signed URLs can only be used for the time period specified, and only by the specific users that have been granted access. Additionally, there is no need to create a secondary S3 bucket or use ECS containers, which can add unnecessary complexity to the solution.

Therefore, using pre-signed URLs for uploading the images is the best solution to fulfill this requirement.