Server-Side Encryption merely encrypts the data stored on disk. It is not a method for protecting access to data.
Rather, it appears that your requirement is:
- Store some data (eg an image) on Amazon S3 and keep it private
- Selectively allow people to download it if they have been authorized
The most suitable solution would be to use an Amazon S3 Pre-Signed URL.
By default, all objects in Amazon S3 are private. You can then add permissions so that people can access your objects. This can be done via:
- Access Control List permissions on individual objects
- A Bucket Policy (that grants wide-ranging access based on path, IP address, referrer, etc)
- IAM Users and Groups (that grant permissions to Users with AWS credentials)
- Pre-Signed URLs
A Pre-Signed URL can be used to grant access to S3 objects as a way of "overriding" access controls. A normally private object can be accessed via a URL by appending an expiry time and signature. This is a great way to serve private content without requiring a web server.
It would be the responsibility of your application to appropriately authenticate users to determine whether they are allowed access to objects in S3. If they are granted access, then your application should generate a pre-signed URL as an authenticated link to the objects. The URL will only be valid for a limited time duration.
This is best done by having a back-end app (probably running on Amazon EC2 or AWS Lambda) perform the authentication and then generate the URL. Your authenticated user can then use the pre-signed URL to download the object during the allocated time period (eg 5 minutes).
This method has several benefits over the use of a password:
- It properly authenticates the user (through your code) rather than merely trusting anyone who knows the password
- It allows you to log access, so you know who is accessing the object
- Your back-end app could generate an HTML page filled with many pre-signed URLs and your users could simply click the links to access the objects, rather than having to provide a password for every object they wish to download
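As an added example (not code from the answer above), here is the back-end flow the answer describes, implemented in Python with only the standard library: the application authorizes the user, records the decision in an access log, and only then produces a SigV4 query-string pre-signed GET URL that expires after 5 minutes. The bucket, region, user table and credentials are constructed placeholders.

```python
"""Issue short-lived S3 pre-signed GET URLs after an app-side authorization check."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample data (hypothetical): which users may read which object keys.
AUTHORIZED = {"alice": {"private/report.pdf"}, "bob": set()}
ACCESS_LOG = []  # (user, key, decision) entries, so you know who was issued which link


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_get(bucket, key, access_key, secret_key, region, expires=300, now=None):
    """Build a SigV4 pre-signed URL for GET s3://bucket/key, valid for `expires` seconds."""
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date, date = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{date}/{region}/s3/aws4_request"
    uri = quote(key if key.startswith("/") else "/" + key, safe="/~")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    # For a pre-signed GET the body is not signed; method, path, query and host are.
    canonical = f"GET\n{uri}\n{query}\nhost:{host}\n\nhost\nUNSIGNED-PAYLOAD"
    to_sign = f"AWS4-HMAC-SHA256\n{amz_date}\n{scope}\n{hashlib.sha256(canonical.encode()).hexdigest()}"
    # Derive the signing key: date -> region -> service -> "aws4_request".
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={signature}"


def issue_download_url(user, key, creds, bucket="example-bucket", region="us-east-1"):
    """Back-end flow from the answer: authorize in app code, log it, then sign a 5-minute link."""
    if key not in AUTHORIZED.get(user, set()):
        ACCESS_LOG.append((user, key, "denied"))
        return None
    ACCESS_LOG.append((user, key, "granted"))
    return presign_get(bucket, key, creds["access_key"], creds["secret_key"], region, expires=300)
```

The secret key never leaves the back end; the client receives only the URL, which S3 rejects once `X-Amz-Expires` seconds have passed since `X-Amz-Date`.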