Serving content from S3 securely

I'm writing a web application in go and I'm using amazon s3 to store all the user files, this include the profile pics and text and audio files.

However I'm struggling to understand what will be the correct way to do this securely. What I was thinking is after making sure the request comes from an authenticated user with access to the requested file, just use the aws go library to fetch the file and write it to the http request.

Something like this:

import (
	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
    "github.com/aws/aws-sdk-go/service/s3"
    "io"
)

func serveFile(file string, w http.ResponseWriter) {
    svc := s3.New(session.New(), aws.NewConfig().WithRegion(config.AWS.Region))
    
    params := &s3.GetObjectInput{
	Bucket: aws.String("Bucket name"),
	Key:    aws.String(file),
    }

    resp, err := svc.GetObject(params)
    n, err := io.Copy(w, resp.Body)

}

I don't have much experience working with AWS so I'm not sure this is even a good approach, but it works. Is this a good way to do it, for a production server? Is there a better, more reliable way?

This method can work. But it relies on requests being proxied through your client.

The recommend way is to use signed urls. This creates a url that is valid for a time period that you specify that allows the end user to download a file directly from S3.

Your key is not exposed as the url contains just a signature.

This is a good solution for following reasons:

• The fact that you are using S3 is transparent to the client. In other words, the client doesn't need to or should know that you are using S3 in backend, unless there is a good reason for this.

• Tomorrow if you want to move your data from S3 to some other data store, you only need to change your server code. The client doesn't need to update.

• AWS credentials aren't exposed to client, hence more security.