I would like your help to figure out the following:
I have an app with many users, and these users are able to upload (sensitive) files (stored in S3). Per file, the user sets sharing permissions for who can read the file (similar to Dropbox). I am figuring out the best security practice. Only the users who are allowed to view a file should be able to download these files; if a user shares a download link, it should obviously not work.
My initial thought was to use S3's authentication framework, but it would require creating an Amazon user for every user on my app and storing their keys. That doesn't seem right. So, I intend to have one Amazon user (and one bucket?) who authenticates all file uploads from the app. Then in the database, I will keep track of which users are allowed to access the files. By using temporary signed links, I will create download links when a user wants to download a file. This basically shifts the whole security to my app; I'm not sure if that is proper.
What are your thoughts on this?
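The design sketched in the question (one application IAM identity, an access-control table in the app's own database, and short-lived presigned links minted only after that table is checked) can be shown end to end in a small program. The following is an added example written for this page, not code from the question's author: it keeps the ACL in an in-memory dict, builds an S3 SigV4 presigned GET URL with only the standard library so it runs offline, and caps the expiry so no caller can request a long-lived link. The access key, secret, bucket name, region, file ids and object keys are constructed placeholders. Note one caveat the example makes visible: a presigned URL is bound to the bucket, key and expiry, not to the requesting user, so the authorization decision happens when the link is issued, and the expiry window is the only thing limiting what a forwarded link can do.

```python
import datetime as dt
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials for the single application IAM user
# (assumption: not real keys; in practice load them from a secret store).
AWS_ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"
AWS_SECRET_KEY = "placeholder-secret-key-not-real"
REGION = "us-east-1"
BUCKET = "example-app-uploads"  # constructed bucket name

# Hard cap on link lifetime: a caller may ask for less, never more.
MAX_EXPIRES_SECONDS = 300

# Constructed stand-in for the app's permission table: file_id -> user ids allowed to read.
FILE_ACL = {
    "file-1001": {"alice", "bob"},
    "file-1002": {"carol"},
}
# Constructed stand-in for the file_id -> S3 object key mapping.
FILE_KEYS = {
    "file-1001": "uploads/alice/report 2024.pdf",
    "file-1002": "uploads/carol/notes.txt",
}

# Fixed timestamp so the output is reproducible (assumption: used only for demonstration).
FIXED_NOW = dt.datetime(2024, 1, 15, 12, 0, 0, tzinfo=dt.timezone.utc)


def can_read(user_id: str, file_id: str) -> bool:
    """Authorization decision taken from the app's own ACL table."""
    return user_id in FILE_ACL.get(file_id, set())


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, datestamp: str, region: str, service: str) -> bytes:
    # SigV4 key derivation: AWS4<secret> -> date -> region -> service -> aws4_request
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), datestamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def presign_get(bucket: str, key: str, expires: int, now: dt.datetime) -> str:
    """Build a SigV4 query-string presigned GET URL for one object (virtual-hosted style)."""
    host = f"{bucket}.s3.{REGION}.amazonaws.com"
    # Each path segment is URI-encoded; '/' separators are kept.
    canonical_uri = "/" + "/".join(quote(seg, safe="-_.~") for seg in key.split("/"))
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    scope = f"{datestamp}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{AWS_ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_qs = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_qs, f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    signature = hmac.new(
        _signing_key(AWS_SECRET_KEY, datestamp, REGION, "s3"),
        string_to_sign.encode("utf-8"), hashlib.sha256,
    ).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"


def issue_download_url(user_id: str, file_id: str, expires: int = 60, now=None) -> str:
    """Check the ACL first; only then mint a short-lived link for the stored object."""
    if not can_read(user_id, file_id):
        # Deny without revealing whether the file exists.
        raise PermissionError(f"user {user_id!r} may not read {file_id!r}")
    expires = max(1, min(int(expires), MAX_EXPIRES_SECONDS))
    now = now or dt.datetime.now(dt.timezone.utc)
    return presign_get(BUCKET, FILE_KEYS[file_id], expires, now)


if __name__ == "__main__":
    print(issue_download_url("alice", "file-1001", expires=60, now=FIXED_NOW))
```

The app's request handler would call `issue_download_url` with the authenticated session's user id, never with a user id taken from the request body, and would log each issuance so that a leaked link can be traced back to the account that minted it. Because two authorized users receive byte-identical URLs for the same object and timestamp, the link itself carries no user identity; keep `MAX_EXPIRES_SECONDS` small and issue a fresh link per download rather than caching one per file.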