To all those SaaS engineers/developers out there ...
I am building a SaaS product which will store customer data on S3. I wonder what is the best approach regarding security?
Also, to provide access to the material via the SaaS app. I plan to have each object 'readable name' replaced with a guid so that it cannot be easily guessed and use pre-signed urls with a time limit to see and download them. Is that a best practice? What time limit is considered safe and user-friendly?
Thanks
You should never generate AWS IAM Users for "end-users" of your application (option 2). IAM grants permission to call AWS APIs and the end-users of your application should never need to call an API.
Information stored in Amazon S3 should be available to your SaaS application via standard methods:
If you wish to serve content from Amazon S3 directly to users of the application, generate Amazon S3 pre-signed URLs, that provide time-limited access to objects stored in S3 buckets. A 15-minute expiry duration could be a good trade-off between security and users who pause to take a phone call, but that timing is up to you.
Your S3 bucket should not have a bucket policy because all access will be via permissions granted to the IAM Role, or via pre-signed URLs.
The use of randomized GUIDs as filenames is irrelevant because you will have proper security rather than obfuscation.