Proper s3 permissions for users uploading image files with carrierwave

5
votes

At the end of Chapter 11 of The Rails Tutorial by Michael Hartl I successfully managed to enable user uploads to Amazons S3 service by creating a bucket, using IAM to set a user and granting the user an AmazonS3FullAccess policy. It feels dirty and very insecure to allow an unknown user on my website to have full access to a bucket for image upload on my website and I'm not sure if I should feel this way. I created a custom policy at

Which is the following:

   {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1445501067518",
          "Action": [
            "s3:GetObject",
            "s3:PutObject"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::bucketname"
        }
      ]
   }

I am not confident in my solution and could not find any answers googling for the best way to go about this. I am using carrierwave (with intentions of using carrierwave_direct for my own project), fog, and mini_magick gems.

1
ruby-on-railsamazon-web-servicesamazon-s3railstutorial.orgamazon-iam

1 Answers

4
votes

The best and probably the most secure way of allowing users to upload files to your site (ie. S3) is to use Browser-Based Post Uploads.

This lets users upload directly to S3 without having to go through your servers. On your servers you simply create a request signature using your access keys.

You can read more about it here: Browser Based Uploads Using Post

I'm not familiar with carrierwave myself but you may find this useful: Uploading directly to S3 in rails