
Proof of concept to demonstrate secure file uploads to S3 compatible storage


SierraSystems/secure-file-storage


secure-file-storage


Proof of concept application to perform secure file uploads and storage to an S3-compatible store while enforcing BC Services Card authentication.

User Interface

[Image: unauthed]

[Image: authed]

Sequence/Flow Diagram

[Image: securefileupload-sequencediagram]

Running the App

docker-compose up

Containers:

name                      description             url
localstack/s3             localstack S3 service   http://localhost:4566
secure-file-storage-api   s3 api gateway          http://localhost:8056/store

Initial Setup

Install the AWS CLI.

Run:

aws configure

AWS Access Key ID [None]: 123
AWS Secret Access Key [None]: xyz
Default region name [None]:
Default output format [None]:

Create a bucket using the gateway:

aws --endpoint-url=http://localhost:8056/store s3 mb s3://demo-bucket

Attach an ACL to the bucket so it is readable (the public-read canned ACL grants read access to everyone, including anonymous requests):

aws --endpoint-url=http://localhost:8056/store s3api put-bucket-acl --bucket demo-bucket --acl public-read

Go to http://localhost:8055 to check that the bucket has been created.

[Image: dashboard-1]

Testing the App (Postman)

  1. Upload a new file using the Postman collection.

  2. Select the "Upload a file" request, go to Body and click Select File.

  3. Once you have uploaded your file, you should get a 200 OK response.

  4. Select the "Get image" request and execute it.

  5. You should see your image in Postman.

AWS S3 Encryption

An important part of this project is to ensure that we can not only upload files to S3, but do so in a secure fashion. For this, we require our uploaded files to be encrypted. AWS S3 provides default encryption on buckets to satisfy this requirement.

Amazon S3 default encryption provides a way to set the default encryption behavior for an S3 bucket. You can set default encryption on a bucket so that all new objects are encrypted when they are stored in the bucket. When you use server-side encryption, Amazon S3 encrypts an object before saving it to disk and decrypts it when you download the object.
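
One way to turn on default encryption for the demo bucket and confirm it took effect, added here as an example and not part of the project's own code. The endpoint and bucket name come from the setup steps above; that the gateway forwards the encryption calls, and the object key sse-check, are assumptions.

```shell
#!/bin/sh
# Added example: enable and verify S3 default encryption (SSE-S3 / AES256).
# ENDPOINT and BUCKET are taken from this page's setup steps; that the
# gateway passes these s3api calls through is an assumption.
ENDPOINT="${ENDPOINT:-http://localhost:8056/store}"
BUCKET="${BUCKET:-demo-bucket}"

s3api() { aws --endpoint-url="$ENDPOINT" s3api "$@"; }

# Turn on default encryption so every new object is encrypted at rest.
enable_default_sse() {
  s3api put-bucket-encryption --bucket "$1" \
    --server-side-encryption-configuration \
    '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"AES256"}}]}'
}

# Print the bucket's default algorithm, or "none" when no rule is set
# (the call can fail when the bucket has no encryption configuration).
bucket_default_sse() {
  alg=$(s3api get-bucket-encryption --bucket "$1" --output text --query \
    'ServerSideEncryptionConfiguration.Rules[0].ApplyServerSideEncryptionByDefault.SSEAlgorithm' \
    2>/dev/null) || alg=""
  case "$alg" in ""|None) echo none ;; *) echo "$alg" ;; esac
}

# Succeed only if the stored object itself reports server-side encryption.
object_is_encrypted() {
  alg=$(s3api head-object --bucket "$1" --key "$2" \
    --output text --query ServerSideEncryption 2>/dev/null) || return 1
  case "$alg" in AES256|aws:kms*) return 0 ;; *) return 1 ;; esac
}

# Run the whole check only when asked: sh sse-check.sh --apply <file>
if [ "${1:-}" = "--apply" ]; then
  enable_default_sse "$BUCKET"
  echo "default encryption: $(bucket_default_sse "$BUCKET")"
  # "sse-check" is a hypothetical object key used only for this test upload.
  s3api put-object --bucket "$BUCKET" --key sse-check --body "$2" >/dev/null
  if object_is_encrypted "$BUCKET" sse-check; then
    echo "object encrypted"
  else
    echo "object NOT encrypted" >&2
    exit 1
  fi
fi
```

Checking the uploaded object as well as the bucket setting matters because the bucket rule only applies to objects written after it was set.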

Resources
