Services Plugins FAQs

S3 upload Security

#1

Hi,
I was able to setup the plugin as advised in the documentation. The plugin is successfully pushing the file to S3 and returning the Url for the file.

The current setting allows anyone who is not logged into the app to access the file if they have a link.

Can anyone help me to tighten this solution from security perspective?
In my usecase only logged in user of my app who is the owner of his file should be able to get access to the link and view the file.

Any help will be highly appreciated. Big thanks in advance.

#2

Hey, @satish.sreenivasan
Thanks for the question.

Please note that the requested feature is related to the Bucket Policies and Permissions, which should be configured within your AWS console.

In the ‘Bucket Policy’ area you can configure the rules for security and privacy via Bucket Policy. Take a look at the “Action”, “Resource” and “Condition” fields where we grant access to reading the objects from our bucket. In this case, we are granting read file access only to users from our application domain, so if a user gets an image URL and tries to open it in a new tab or a new window, the bucket policy will block this request because we stated in the privacy rules that the link can be opened only from our domain:

Here’s a code example (JSON):


{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",            
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "https://zeroqode-demo-02.bubbleapps.io/*"
                }
            }
        },
        {
            "Sid": "AddPerm2",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*"
        }
    ]
}

You can use the following JSON for CORS policy to allow access from your domain only (change the allowed origin to the URL of your app starting with https://)

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "DELETE",
            "POST"
        ],
        "AllowedOrigins": [
            "https://yourdomain.com",
            "https://yourdomain.bubbleapps.io"
        ],
        "ExposeHeaders": [
            "ETag"
        ],
        "MaxAgeSeconds": 30000
    }
]

You can find more Bucket Policy examples here. Feel free to try out other rules in order to improve your bucket security.

Note that you can set any policies, which would be convenient for your application.

Hope it will be helpful for you.
Best regards,

#3

@Ecaterina Thank you so much for your responses. It is very interesting to see that i have exact same setting applied to my bucket
JSON

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myfiles/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": "mydomain.com/*"
                }
            }
        },
        {
            "Sid": "AddPerm2",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "arn:aws:s3:::myfiles/*"
        }
    ]
}

COR

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "DELETE",
            "POST"
        ],
        "AllowedOrigins": [
            "https://mydomain.com"
        ],
        "ExposeHeaders": [
            "ETag"
        ],
        "MaxAgeSeconds": 30000
    }
]

If I copy the link from my app database and paste it in a different browser, the file still opens
Also as my bucket is Public, I am not sure how secure it is.
I am very new to programming world. Thanks for all the super prompt support.

#4

Hello, @satish.sreenivasan

Please note that all the settings, provided above, are optional. So, on our Demo Page, we just demonstrate the standard Privacy settings (they are identical to those in our Documentation).

Selecting the settings that will allow you to allow and deny actions that you need is a custom setting, thus we can’t provide you with an exact combination of policies.

For example, you can use the following JSON for CORS policy to allow access from your domain only (change the allowed origin to the URL of your app starting with https://)

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "DELETE",
            "POST"
        ],
        "AllowedOrigins": [
            "https://yourdomain.com",
            "https://yourdomain.bubbleapps.io"
        ],
        "ExposeHeaders": [
            "ETag"
        ],
        "MaxAgeSeconds": 30000
    }
]

You can find more Bucket Policy examples here. Feel free to try out other rules in order to improve your bucket security.

If you like our plugin, could you please rate it by going to the Plugins tab in Bubble editor? You can find the plugin by name and give it as many stars as it deserves :slightly_smiling_face:
The more feedback we get, the more motivated we to build great plugins :tada:

Best regards,