5. User story 1
As a guest or blocked user, I can't do anything with files.
As a user, I can download files from S3.
As a user, I can upload files to S3.
6. User story 2
As a Group user, I can download files in my group.
As a Group user, I can upload files to my group.
7. User story 3
As a Group Admin, I can assign download permission to a user who is in my group.
As a Group Admin, I can take back the download permission from a user who is in my group.
8. User story 4
As a Group Admin, I can assign download permission to a user who is in my group.
As a Group Admin, I can take back the download permission from a user who is in my group.
9. User story 5
As a Group Admin, I can assign upload permission to a user who is in my group.
As a Group Admin, I can take back the upload permission from a user who is in my group.
10. User story 6
As a user in a Chat-room, I can upload files to others in the same Chat-room.
As a user in a Chat-room, I can download files from others in the same Chat-room.
11. Limitation
Groups per AWS account: 100
Users per AWS account: 5000
Number of groups per user: 10
Roles per AWS account: 250
12. Solution
Classify the user and the group.
When downloading or uploading…
Use IAM (Identity and Access Management)
Use Query String Authentication
13. Classifier
● Guest / Blocked User
● Normal User
● Group assigned Download user
● Group assigned Upload user
● Group Administrator
● Chat-room User
14. Query String Authentication
1. Create a query.
2. Specify an expiration time for the query.
3. Sign it with your signature.
4. Distribute the request to a user or embed the request in a web page.
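The four steps above worked through as an added example that is not part of the original deck: a Python implementation of the legacy S3 query-string scheme (Signature Version 2) using constructed sample credentials, together with the service-side check that a distributed link is unexpired and untampered. AWS has deprecated this scheme in favour of Signature Version 4, so treat it as an illustration of the mechanism rather than a drop-in client.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed sample credentials for the example; not real AWS keys.
ACCESS_KEY = "AKIAEXAMPLEKEY000000"
SECRET_KEY = "exampleSecretKey/NotARealAwsSecret0000000"


def string_to_sign(method, bucket, key, expires):
    """SigV2 canonical string: method, Content-MD5, Content-Type, Expires, resource."""
    return f"{method}\n\n\n{expires}\n/{bucket}/{key}"


def sign(secret, method, bucket, key, expires):
    """Step 3: base64(HMAC-SHA1(secret, string_to_sign))."""
    mac = hmac.new(secret.encode(), string_to_sign(method, bucket, key, expires).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def presign_url(bucket, key, method="GET", ttl=300, now=None):
    """Steps 1, 2 and 4: build the query, attach an expiry, sign it, return a shareable URL."""
    now = int(time.time()) if now is None else now
    expires = now + ttl  # a short ttl bounds how long a forwarded or leaked link stays usable
    params = {"AWSAccessKeyId": ACCESS_KEY, "Expires": expires,
              "Signature": sign(SECRET_KEY, method, bucket, key, expires)}
    return f"https://{bucket}.s3.amazonaws.com/{quote(key)}?{urlencode(params)}"


def verify_url(url, method="GET", now=None):
    """Service-side check: known access key, not expired, signature matches this exact resource."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    bucket = parsed.hostname.split(".")[0]
    key = unquote(parsed.path.lstrip("/"))
    try:
        access_key, presented = q["AWSAccessKeyId"][0], q["Signature"][0]
        expires = int(q["Expires"][0])
    except (KeyError, ValueError):
        return False, "malformed query string"
    if access_key != ACCESS_KEY:
        return False, "unknown access key"
    if now > expires:
        return False, "expired"
    expected = sign(SECRET_KEY, method, bucket, key, expires)
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return False, "bad signature"
    return True, "ok"
```

Because the method, bucket and key are part of the signed string, a link issued for a GET of one object cannot be reused for a PUT or for a different object, which is what makes per-user download and upload grants enforceable.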
15. IAM (Identity and Access Management)
● Identity
  AWS User
  AWS Group
● Access Management
  Get, Put, Delete, List
  Version, Policy, Payment