
Securely Upload Files to S3 for Guests Using AWS Cognito


For security reasons, if your app lets guest users upload files, it's better to use guest access from an AWS Cognito identity pool than to ship a long-lived AWS access key from an IAM user in the app.

Why?

  • An IAM user access key is long-lived and never expires on its own; if it is embedded in a client app and leaks, it stays valid until you rotate or delete it.

  • With AWS Cognito, you can decide how long the temporary guest credentials stay valid; once they expire, a leaked copy is useless.

Requirements:

  • AWS Cognito > Identity pool

  • S3 Bucket

Step by step:

  1. Create Cognito Identity Pool

    1. Go to Amazon Cognito > Identity pools > Create identity pool

    2. Configure identity pool trust:

      • Select: Guest access (this enables unauthenticated identities)

      • Click Next

    3. Configure permissions:

      • Select: Create a new IAM role (the IAM principal you are signed in with needs these permissions to do that)

        • iam:CreateRole (create role)

        • iam:PutRolePolicy (add inline policies)

        • iam:AttachRolePolicy (attach managed policies)

        • iam:DetachRolePolicy (detach managed policies)

        • iam:TagRole / iam:UntagRole (if you use tags)

      • Role name: guest-uploader-role or anything you want

      • Click Next

    4. Configure properties:

      • Identity pool name: guest-uploader-pool or anything you want

      • Click Next

      • Review and create > Click Create identity pool

  2. Create S3 Bucket

    1. Go to S3 > Click the Create bucket button

    2. Fill out your bucket details (e.g. bucket name guest-bucket)

    3. Click Create bucket

  3. Add S3 Permission to the Role

    1. Go to IAM > Roles > search for guest-uploader-role (the role created in step 1)

    2. Click the role > Add permissions > Create inline policy

    3. Switch to the JSON tab and paste:

       {
         "Version": "2012-10-17",
         "Statement": [{
           "Effect": "Allow",
           "Action": "s3:PutObject",
           "Resource": "arn:aws:s3:::guest-bucket/uploads/*"
         }]
       }

      • Note: Because I want to store all guest uploads in the /uploads folder, I put that prefix in the Resource field, so the role can only write objects under uploads/ and nothing else in the bucket.

    4. Click Next > Name it S3UploadPolicy > Create policy

  4. Update CORS for the S3 bucket to allow your frontend to PUT files:

    1. Go to S3 > Click on bucket guest-bucket (or whatever you named it in the previous step)

    2. Go to the Permissions tab > Scroll down to Cross-origin resource sharing (CORS) (bottom of the page)

    3. Click Edit and paste (replace [YOUR_FRONTEND_URL] with your frontend's origin, e.g. https://app.example.com; do not use "*"):

       [
           {
               "AllowedHeaders": [
                   "*"
               ],
               "AllowedMethods": [
                   "PUT"
               ],
               "AllowedOrigins": [
                   "[YOUR_FRONTEND_URL]"
               ],
               "ExposeHeaders": []
           }
       ]

    4. Click Save changes
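The following is an added example, not code from the original post: it generates the guest role's inline policy (step 3) and the bucket CORS rule (step 4) from a few parameters, renders them as valid JSON to paste into the console, and audits the pair for the scoping the post relies on. The bucket name guest-bucket, the uploads prefix and the origin https://app.example.com are constructed sample values; the function names are my own.

```javascript
// Added example, not code from the original post: generate the guest role's
// inline policy and the bucket CORS rule from a few parameters, then audit the
// result for the scoping the post relies on. "guest-bucket", "uploads" and the
// origin are constructed sample values.

// Inline policy for the guest role: a single s3:PutObject on one key prefix.
function guestUploadPolicy(bucket, prefix) {
  const cleanPrefix = String(prefix).replace(/^\/+|\/+$/g, "");
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Effect: "Allow",
        Action: "s3:PutObject",
        Resource: `arn:aws:s3:::${bucket}/${cleanPrefix}/*`,
      },
    ],
  };
}

// CORS rule that lets only the listed browser origins PUT objects.
function bucketCors(origins) {
  return [
    {
      AllowedHeaders: ["*"],
      AllowedMethods: ["PUT"],
      AllowedOrigins: [...origins],
      ExposeHeaders: [],
    },
  ];
}

// JSON to paste into the console. Serialising with JSON.stringify avoids the
// trailing-comma mistakes that creep into hand-edited policy documents.
function renderForConsole(doc) {
  return JSON.stringify(doc, null, 2);
}

// Audit a policy + CORS pair. Returns a list of findings; an empty list means
// the config is scoped the way the post describes. The checks are strict on
// purpose: anyone who knows the identity pool id can obtain guest credentials,
// so the role policy and the CORS rule are the only boundaries on what guests
// can do with the bucket.
function auditGuestUploadConfig(policy, cors, bucket) {
  const findings = [];
  const asList = (v) => (Array.isArray(v) ? v : [v]);
  const escaped = String(bucket).replace(/[.]/g, "\\.");
  // arn:aws:s3:::<bucket>/<non-empty prefix>/*  (a whole-bucket "/*" does not match)
  const prefixScoped = new RegExp(`^arn:aws:s3:::${escaped}/[^*]+/\\*$`);

  for (const stmt of policy.Statement || []) {
    if (stmt.Effect !== "Allow") continue;
    for (const action of asList(stmt.Action)) {
      if (action !== "s3:PutObject") {
        findings.push(`action ${action} is broader than s3:PutObject`);
      }
    }
    for (const resource of asList(stmt.Resource)) {
      if (!prefixScoped.test(resource)) {
        findings.push(`resource ${resource} is not limited to a key prefix in ${bucket}`);
      }
    }
  }
  for (const rule of cors) {
    if (asList(rule.AllowedOrigins).includes("*")) {
      findings.push("CORS allows any origin");
    }
    for (const method of asList(rule.AllowedMethods)) {
      if (method !== "PUT") findings.push(`CORS allows method ${method}`);
    }
  }
  return findings;
}

// Usage with the post's values (the origin is a constructed placeholder):
const policy = guestUploadPolicy("guest-bucket", "uploads");
const cors = bucketCors(["https://app.example.com"]);
console.log(renderForConsole(policy));
console.log(renderForConsole(cors));
console.log("findings:", auditGuestUploadConfig(policy, cors, "guest-bucket"));
```

Run it with Node, paste the two printed documents into the console, and treat any non-empty findings list as a stop sign: a broader action, a whole-bucket resource or a "*" origin would let any guest who can reach the identity pool do far more than drop a file under uploads/.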

Best Practices:

  1. For security reasons, it is advisable to block all public access to the S3 bucket. This does not affect the guest role's uploads: its PutObject requests are signed and authorized by IAM, not by a public bucket policy or ACL.

  2. To optimize costs, consider setting a lifecycle policy for the bucket, such as deleting files after 6 months if they are not important.
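To show the frontend side of the setup above, here is an added example (not code from the original post) of a browser upload that obtains temporary guest credentials from the identity pool and PUTs a file under the uploads/ prefix the role policy allows. It assumes AWS SDK for JavaScript v3 (the @aws-sdk/client-s3 and @aws-sdk/credential-providers packages); the region, identity pool id and bucket name are placeholders to replace with your own, and buildUploadKey and uploadAsGuest are my own helper names.

```javascript
// Added example, not code from the original post: browser-side guest upload
// using temporary credentials from the Cognito identity pool. Assumes AWS SDK
// for JavaScript v3. REGION, IDENTITY_POOL_ID and BUCKET are placeholders.

const REGION = "us-east-1"; // placeholder
const IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"; // placeholder, not a real pool
const BUCKET = "guest-bucket"; // placeholder, matches the post's sample bucket
const UPLOAD_PREFIX = "uploads/"; // must match the role policy's Resource prefix

// Build the object key on the client. The role policy only allows PutObject
// under uploads/, so any other key fails with AccessDenied; sanitising the
// name here also keeps path-like names ("../x") and odd characters out of the
// bucket. The id defaults to a random UUID; pass one explicitly for tests.
function buildUploadKey(filename, { prefix = UPLOAD_PREFIX, id = randomId() } = {}) {
  const base = String(filename).split(/[\\/]/).pop() || "";
  const safe = base.replace(/[^A-Za-z0-9._-]/g, "_").replace(/^\.+/, "").slice(0, 100);
  return `${prefix}${id}-${safe || "file"}`;
}

function randomId() {
  const c = globalThis.crypto;
  return c && typeof c.randomUUID === "function" ? c.randomUUID() : Date.now().toString(36);
}

// Obtain guest credentials from the identity pool and PUT the file. The SDK's
// credential provider calls GetId and GetCredentialsForIdentity, the S3 client
// SigV4-signs the request, and the credentials are temporary: the provider
// refreshes them when they expire. Anyone who knows the pool id can get these
// credentials, so the role's inline policy is the real access control.
async function uploadAsGuest(file) {
  const { S3Client, PutObjectCommand } = await import("@aws-sdk/client-s3");
  const { fromCognitoIdentityPool } = await import("@aws-sdk/credential-providers");

  const s3 = new S3Client({
    region: REGION,
    credentials: fromCognitoIdentityPool({
      clientConfig: { region: REGION },
      identityPoolId: IDENTITY_POOL_ID,
    }),
  });

  const key = buildUploadKey(file.name);
  await s3.send(
    new PutObjectCommand({
      Bucket: BUCKET,
      Key: key,
      Body: file,
      ContentType: file.type || "application/octet-stream",
    })
  );
  return key; // record this server-side if you need to find the object later
}

// Browser usage, e.g. wired to <input type="file" id="picker">:
// document.getElementById("picker").addEventListener("change", async (e) => {
//   const key = await uploadAsGuest(e.target.files[0]);
//   console.log("uploaded as", key);
// });
```

The CORS rule from step 4 is what lets this PUT through the browser's preflight; if the request fails with a CORS error, check the origin in AllowedOrigins, and if it fails with AccessDenied, check that the key really starts with the prefix in the role policy.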