S3 authenticated access
Authentication & Authorization
AWS IAM is used to secure your AWS account and controls who (or what applications) can call AWS services to manage your AWS infrastructure. You can think of IAM as providing the keys to your data center. The only people who should have access to your data center are those who need to control or operate the AWS resources in your virtual data center. As your end users are interested in using your application, not controlling your virtual data center, they do not need their own IAM accounts.
As you’ve discovered, it is possible to federate access to IAM so that you can use your own directory. The IAM Federation feature is intended to be used to allow users to access AWS resources, as discussed in the previous paragraph, not to provide authentication and authorization for hosted applications.
In the next section, we’ll discuss how the user can access files in S3 (which are secured by IAM).
Application
Your application's security should control who can access your application (authentication) and what they can do once they have access (authorization). If an application user requires access to an AWS resource, such as a video stored in S3, then they can be given a temporary key to access only the requested file and only for a certain period of time. Your application will determine which files the user can access (and for how long) and then ask IAM for a temporary key to access the file. This will all be done by your application, so the user will have no direct interaction with AWS services.
The mechanism for granting temporary access is called generating a signed URL. Your web server EC2 instance should be launched with an IAM role that has read access to the buckets. The application will then call the API that generates a signed URL, which will grant read access to the desired file. For more information about how to use the API, please see this link.
Access Control Lists for Node
You may find this Node.js library useful as you create the security layer within your application. The library provides methods to manage users, roles, and permissions. It is backed by MongoDB, which is your stated NoSQL database of choice.
Video/Audio Storage & Retrieval
Video/Audio File Storage
Videos (or any other files) should be stored in S3. After your web application uploads these files to S3, it can trigger subsequent processing. An alternative that you may want to consider is allowing S3 to automatically write messages to SQS (our queueing technology). Applications can subscribe to the queue to asynchronously complete processes using the data uploaded to S3. An advantage of using this method is that your users won’t have to wait for the downstream processes to complete, and your application will scale better as it takes advantage of asynchronous processing.
Regardless of how you trigger subsequent processing on the files uploaded to S3, here are a few recommendations that you may wish to consider:
- You may want to consider transcoding your video files to other formats using the Amazon Elastic Transcoder Service
- Sending metadata to Amazon CloudSearch, which is a managed service that will allow you to index and search the metadata that you collect as you upload and annotate video, audio, or any other files that are to be stored for your application
- Using Amazon SES (Simple Email Service) to notify collaborators that files have been uploaded
Search & Retrieval
As your users annotate the files stored in S3, the metadata that they create should be stored in a database such as MongoDB, DynamoDB or RDS and then uploaded to CloudSearch for indexing. Your application can then use CloudSearch (or the data maintained in MongoDB, DynamoDB or RDS) to search the metadata and return the key to the file stored in S3. Once the key is identified, then a signed URL can be created to allow the file to be retrieved from S3.
Simplified Hosting of Node.js
AWS Elastic Beanstalk is a service for deploying and scaling web applications and services developed in several languages, including Node.js. To use this service, you upload your code and Elastic Beanstalk handles the deployment, from capacity planning, load balancing, auto-scaling to application health monitoring. At the same time, you have full control over the AWS resources and can access the underlying resources at any time.
There is no additional cost for using this service. You only pay for the AWS resources required to host and run your application.
Machine Learning Solutions For Video Analysis
I’m in the process of gathering this information, and I don’t want you to wait any longer for the information above, so I’ll have to get back to you soon.