Amazon Bucket Policy for only mobile app access


I have a bucket in Amazon S3 and I set data inside read only for everyone. However, this is not what I want. I would like that data to be accessible only from my mobile application and restrict it to download by url.

Is that possible? if so how to implement such bucket policy?


Traditionally, access to a mobile app is done this way:

  • The mobile app user authenticates to your back-end (through your mobile app). This could be done with Amazon Cognito or with your own database of username/password.
  • Your application examines their identity and determines what data they are permitted to access. It then uses the AWS Security Token Service (STS) to generate time-limited credentials that have limited permissions (eg access to a particular directory within an S3 bucket). The back-end app sends these credentials to the mobile app.
  • The mobile app can then use the credentials to make API calls to AWS (without having to go through your back-end server).

If you wish any user on your mobile app to access the S3 bucket, then the user doesn’t need to authenticate in the first step — it would just be your mobile app requested some temporary credentials.

None of the above requires a Bucket Policy. The permissions would be granted against the STS credentials, not he bucket.

Leave a Reply