What is the MOST secure way to give the application the ability to write files to the S3 bucket?
Update the S3 bucket policy to allow public write access. Allow any user to upload videos by removing the need to handle user authentication within the client- side application.
Create a new IAM policy and a corresponding IAM user with permissions to write to the S3 bucket. Store the key and the secret for the user in the application code. Use the key to authenticate the video uploads.
Configure the API layer of the application to have a new endpoint that creates signed URLs that allow an object to be put into the S3 bucket. Generate a presigned URL through this API call in the client application. Upload the video by using the signed URL.
Generate a new IAM key and a corresponding secret by using the AWS account root user credentials. Store the key and the secret for the user in the application code. Use the key to authenticate the video uploads.
Explanations:
Allowing public write access to an S3 bucket exposes it to abuse and potential data loss. This option compromises security by removing authentication and authorization controls, making it open to any user to upload malicious or unwanted content.
While creating an IAM user with permissions to write to the S3 bucket may seem secure, storing the IAM user’s access key and secret in the application code poses a significant risk. If the application code is exposed, the credentials can be compromised, leading to unauthorized access to the S3 bucket.
Configuring an API to generate signed URLs provides a secure way for users to upload videos. The signed URL is time-limited and allows access only to the specific S3 bucket and object, which minimizes risk. This method leverages temporary credentials, avoiding the need to expose permanent credentials in the application.
Generating an IAM key and secret using the AWS root user credentials is highly insecure. The root user has unrestricted access to all resources, and storing these credentials in the application code poses a significant risk. If the application is compromised, an attacker would have full control over the AWS account.
I value that the answer is:
Configure the API layer of the application to have a new endpoint that creates signed URLs that allow an object to be put into the S3 bucket. Generate a presigned URL through this API call in the client application. Upload the video by using the signed URL.