Securely manage and upload files with dynamic CORS configuration, powered by AWS services and adhering to the least privilege principle.
Ensure the AWS account you're using has the necessary permissions to access and manage the required services. This includes permissions for:
- S3
- Lambda
- API Gateway
- CloudFormation
- IAM
- Systems Manager (SSM)
- Elastic Container Registry (ECR)
- Simple Notification Service (SNS)
- Simple Queue Service (SQS)
- CloudFront
To configure the AWS account with the necessary permissions, use the AWS Management Console or AWS CLI to attach the appropriate policies to your user or role.
It is recommended to create a custom policy with the least privilege principle.
You can use AWS-managed policies such as AdministratorAccess for full permissions to start, and debug permssion related issues.
With the correct setup, you'll have your full stack serverless app up and running in minutes!
There are two ways to deploy this application:
-
Deploy Using GitHub Actions: This method requires no prerequisite installations other than a GitHub account. It handles deployment automatically through GitHub Actions.
-
Run Locally: Requires certain prerequisites to be installed locally.
-
Fork the Repository: Fork this repository to your GitHub account.
-
Add Secrets: Add the required parameters to the secrets in your GitHub repository settings. Navigate to
Settings > Secrets > Actionsand add the following secrets:AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_REGION
-
Push Changes: Push any changes to your forked repository. This will trigger the GitHub Actions workflow to deploy your application.
- Node.js (v20 or later)
- AWS CLI
- AWS CDK (v2)
- GitHub account
-
Clone the Repository:
git clone https://github.com/your-username/AWS-S3-Secure-File-Manager-Starter.git cd AWS-S3-Secure-File-Manager-Starter -
Run deploy.sh in bash
./deploy.sh
- Automatically configures CORS settings and access policies at runtime, ensuring secure and seamless operation.
- Uses presigned URLs for both uploads and downloads, ensuring that access to the private S3 bucket is tightly controlled. The bucket is not publicly accessible, and file operations are only permitted through these secure presigned URLs, adhering to the principle of least privilege.
- Directly manages file operations through S3, bypassing Lambda to enhance performance and scalability while reducing costs.
- Seamlessly integrate into other applications by updating the frontend URL, with automated network configurations handled by the app.
-
Generating Presigned URLs:
- Your backend generates presigned URLs using AWS SDKs. These URLs are temporary and scoped to specific S3 operations, akin to giving out temporary access passes.
-
Client-Side Upload:
- The React frontend receives the presigned URL and uses it to upload files directly to S3 via HTTP PUT or POST requests.
-
Security and Validation:
- AWS validates the presigned URL parameters, ensuring that only authorized uploads are accepted, like checking IDs before entry.
Seamlessly incorporate into major platforms like:
- Content Management Systems (CMS): Perfect for handling media assets (e.g., WordPress).
- E-Commerce Platforms: Ideal for managing product images and customer reviews (e.g., Shopify).
- Social Media Platforms: Great for user-uploaded content such as photos and videos (e.g., Instagram).
This project is licensed under the MIT License - see the LICENSE file for details.