Child accounts in Amazon S3 (like Nirvanix) (sub-accounts, customer accounts)
We're moving from Nirvanix to Amazon S3.
What I need is to simulate Nirvanix style child accounts for S3 storage.
(In a nutshell, these provide isolated storage with a predefined limit, and a separate authentication for each sub-user, still managed by the same master account).
We'll have more than 100 users so the bucket-per user won't work (that's still limited at 100 right?).
The storage is used directly from a desktop application (and not, for example, via our servers, though there is a central server if that helps).
We want a single S3 billing account that pays for everything, but we want our customers' objects safely segmented from each other.
Nirvanix provides this out of the box (http://developer.nirvanix.com/sitefiles/1000/API.html#_TocCreatingChildAccounts) - this is essentially what I'm trying to replicate with S3.
I understand how to segment objects for each sub-user, e.g. using the "prefix" notation of objects (e.g. "USER1/object1", "USER2/something_else").
What I can't work out:
1) How can I set permissions so that each customer can only access his files?
If I give "the app" access to the S3 storage, then that obviously means that every user of the app could access anyone's files.
It seems like you can set rich ACLs, but what I can't understand is "who" you can set permissions against. Is it only AWS users? Does that mean the only way to do this is to have my customers each have an AWS account?
If so, can I create accounts on their behalf? E.g. through an API call?
What we certainly cannot allow is having every user create an account through the AWS website (yuck!).
2) Any ideas about the best way to manage quotas for each customer?
This concerns me because from what I can tell, we'd have to limit this from the desktop application. This is obviously ripe for abuse because S3 will just keep allowing more data.
I guess we could probably live with having a script we run daily which sanity checks the storage limits for "abuse", but just wondered if there was a better way.
Thanks all!
John
Amazon has a new beta service called AWS Identity and Access Management (IAM) that will allow you to segment your buckets.
In the using with S3 section of the documentation, there are examples describing your use case:
Example 1: Allow each User to have a home directory in Amazon S3
In this example, we create a policy that we'll attach to the User named Bob. The policy gives Bob access to the following home directory in Amazon S3: my_corporate_bucket/home/bob. Bob is allowed to access only the specific Amazon S3 actions shown in the policy, and only with the objects in his home directory.

    {
      "Statement":[{
        "Effect":"Allow",
        "Action":["s3:PutObject","s3:GetObject","s3:GetObjectVersion",
                  "s3:DeleteObject","s3:DeleteObjectVersion"],
        "Resource":"arn:aws:s3:::my_corporate_bucket/home/bob/*"
      }]
    }
Unfortunately I don't think you can currently enforce quotas using IAM.
Also, depending on your platform, you probably want to use one of the SDKs available to simplify your interactions with these services.
You absolutely don't want to distribute your standard secret key in a desktop application without taking some serious precautions. Any user with your secret key could have full access to all your AWS services.
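An added example (not part of the original answer or of the AWS documentation): generating the home-directory policy above for each customer and checking that it isolates customers whose names share a prefix. The function names, the `SAFE_NAME` rule and the matcher are assumptions made for illustration; `arn_matches` is a simplified model of IAM wildcard matching, not AWS's policy evaluator.

```python
import json
import re

BUCKET = "my_corporate_bucket"  # bucket name from the documentation example
ACTIONS = ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
           "s3:DeleteObject", "s3:DeleteObjectVersion"]
# Assumed naming rule: no "/", "*", "?" or "$", which would change what the ARN matches.
SAFE_NAME = re.compile(r"[a-z0-9][a-z0-9_-]{0,31}")


def home_policy(user, bucket=BUCKET):
    """Build the home-directory policy for one customer."""
    if not SAFE_NAME.fullmatch(user):
        raise ValueError(f"unsafe user name for a key prefix: {user!r}")
    return {"Statement": [{
        "Effect": "Allow",
        "Action": ACTIONS,
        # The "/" before "*" is what keeps "bob" out of "home/bobby/".
        "Resource": f"arn:aws:s3:::{bucket}/home/{user}/*",
    }]}


def arn_matches(pattern, arn):
    """Simplified wildcard match: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, arn, re.DOTALL) is not None


def allows(policy, action, bucket, key):
    """True if an Allow statement covers this action on this object key."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    for st in policy["Statement"]:
        res = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if (st["Effect"] == "Allow" and action in st["Action"]
                and any(arn_matches(r, arn) for r in res)):
            return True
    return False


if __name__ == "__main__":
    bob = home_policy("bob")
    print(json.dumps(bob, indent=2))
    # Constructed keys: Bob's own object, then one owned by a customer named "bobby".
    print(allows(bob, "s3:GetObject", BUCKET, "home/bob/report.txt"))
    print(allows(bob, "s3:GetObject", BUCKET, "home/bobby/report.txt"))
```

Writing the resource as `home/bob*` instead of `home/bob/*` would also match `home/bobby/`, which is why the generator fixes the trailing slash and rejects names containing wildcard or separator characters.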