java - Password protected image file

Question

I want to create or update a image file with password protection. Scenario is, our infra team will upload an image file to AWS S3. Later we want to protect this image file with password from java. Password will be auto generated and will not be disclosed with anyone. If any one trying to download the image directly from AWS S3, it should not open. I have tried Server-Side encryption in AWS S3

CopyObjectRequest request = new CopyObjectRequest(bucket, key, bucket, key);
ObjectMetadata objectMetadata = new ObjectMetadata();
objectMetadata.setServerSideEncryption(ObjectMetadata.AES_256_SERVER_SIDE_ENCRYPTION);
request.setNewObjectMetadata(objectMetadata);
s3client.copyObject(request)

But still i'm able to open it. Is there any other way to do it.

Answer 1

Server-Side Encryption merely encrypts the data stored on disk. It is not a method for protecting access to data.

Rather, it appears that your requirement is:

• Store some data (eg an image) on Amazon S3 and keep it private
• Selectively allow people to download it if they have been authorized

The most suitable solution would be to use an Amazon S3 Pre-Signed URL.

By default, all objects in Amazon S3 are private. You can then add permissions so that people can access your objects. This can be done via:

• Access Control List permissions on individual objects
• A Bucket Policy (that grants wide-ranging access based on path, IP address, referrer, etc)
• IAM Users and Groups (that grant permissions to Users with AWS credentials)
• Pre-Signed URLs

A Pre-Signed URL can be used to grant access to S3 objects as a way of "overriding" access controls. A normally private object can be accessed via a URL by appending an expiry time and signature. This is a great way to serve private content without requiring a web server.

It would be the responsibility of your application to appropriately authenticate users to determine whether they are allowed access to objects in S3. If they are granted access, then your application should generate a pre-signed URL as an authenticated link to the objects. The URL will only be valid for a limited time duration.

This is best done by having a back-end app (probably running on Amazon EC2 or AWS Lambda) perform the authentication and then generate the URL. Your authenticated user can then use the pre-signed URL to download the object during the allocated time period (eg 5 minutes).

This method has several benefits over the use of a password:

• It properly authenticates the user (through your code) rather than merely trusting anyone who knows the password
• It allows you to log access, so you know who is accessing the object
• Your back-end app could generate an HTML page willed with many pre-signed URLs and your users could simply click the links to access the objects, rather than having to provide a password for every object they wish to download