Amazon S3 is a great way to store and distribute files. In particular large media files that could suck your web hosting bandwidth quickly if you uploaded to your own web site. And S3 is very, very affordable.
A question that comes up regularly is when people start storing files exclusively for members on Amazon S3.
You see, in order for others to download a file you uploaded to Amazon S3, you have to make the file accessible to everyone. And everyone means – everyone on the Internet.
In a membership site setting, that may not be what you want. The good part is, Amazon S3 already has a way to allow authenticated downloads. I won’t get too technical here but it basically involves making sure the URL people are clicking through from includes a special ‘key’. This takes a little bit of coding but if you are using WordPress, there’s a wonderful little (and free) plugin that does the job beautifully.
It is the Amazon S3 Expiring URL Generator.
Using the, you can set a certain time the URL’s will be ‘active’ and it will expire after that. Keep in mind this has nothing to do with membership expiry and it doesn’t matter anyway once you understand how it works.
After the plugin is installed, you simply need to use a shortcode to create a link to the download. This link or URL includes the required key string like this:
How your files remain private:
- If you someone tries to remove the crazy key strings following the file they will receive a nasty error from Amazon.
- If they try to copy and share that URL, it won’t work for long. Depending how long you set it to last. We don’t normally put it past a few minutes.
- If a member wants to download again, all they need to do is refresh the page and a new URL will be generated. So… how can that be secure? Because the way people get to the page is if they had a login to your membership site 🙂 now if they share the login – that I can’t help you. This however will work well for the average user and site.
Just don’t forget to remove permission for everyone to download the file. If not, it completely defeats the purpose of expiring URLs.
