Can I use the image link in my AWS S3 bucket on my webpage?

I have an image in my AWS S3 bucket. Can I include this image on my site by placing the AWS URL in the <img> tag? The URL includes parameters like Amz-Signature, Amz-Credential, and amz-security-token. Can they be maliciously used to access other files in my S3 bucket?

Here is an example URL:

 https://s3.amazonaws.com/MyBucketName/FileName.jpg?X-Amz-Date=20160126T141139Z&X-Amz-Expires=300&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=Lots_of_letters_and_Numbers2&X-Amz-Credential=MYAMAZON_CREDENTIALS/20160126/us-east-1/s3/aws4_request&X-Amz-SignedHeaders=Host&x-amz-security-token=REALLY_LONG_SECURITYTOKEN 

Alternatively, I can create an expiring URL from my C# code using the AWS SDK. Something like:

 using Amazon.S3.Model;

 // Pre-signed GET request for a single object that stops working after 3 hours
 var expiryUrlRequest = new GetPreSignedUrlRequest
 {
     BucketName = WebConfigurationManager.AppSettings["AWSBucketName"],
     Key = fileName,
     Expires = DateTime.Now.AddHours(3)
 };

This gives a URL with the AWSAccessKeyId parameter.

Are these URLs safe to use on my webpage? What risks may be associated with their use on my website?

Thanks so much for your time. Please let me know if you need more information or if I have misunderstood something.

EDIT. To give some idea of my application: users upload a file to the S3 bucket. I use SignalR to confirm that the image is in the bucket, and then show the S3 image on my web page for the user to view.

+5
2 answers

Do not make the bucket public. If you do, user1 could potentially see the files uploaded by user2.

You can allow users to retrieve individual files for a specific period of time using pre-signed URLs.

  • Mark S3 bucket as private.
  • Use GetPreSignedUrlRequest to create a pre-signed URL for the file you want to download.
  • Use this URL in the <img> tag.

Using this method is safe:

  • The user can only download the file during the period of time you allow before the expiration date (which you set as part of the GetPreSignedUrlRequest call).
  • The credentials you see in the URL may be the same as those used to create the URL, but they are safe to show to the user.
  • The user cannot download other files from the bucket.

The URL uses a hashing method to ensure that the URL cannot be changed and cannot be used to retrieve other files.

If displaying the access key ID is a problem, you can (a) create an IAM user specifically for downloading files from S3 or (b) use the IAM role on your EC2 instance to generate the pre-signed URL.

References:

+5
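To make concrete why a pre-signed URL cannot be edited to reach another object, here is an added Python model of SigV4 query-string signing and of the check S3 performs on each request (example code, not from the answer or the AWS SDK; the access key ID, secret, bucket and timestamps are constructed values).

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlparse

HOST, REGION = "s3.amazonaws.com", "us-east-1"
_hmac = lambda key, msg: hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signature(secret, amz_date, bucket, key, params):
    # SigV4: the canonical request binds method, encoded object path, sorted query
    # (signature excluded), the signed Host header and UNSIGNED-PAYLOAD (no body hash).
    date = amz_date[:8]
    canonical = "\n".join(["GET", quote(f"/{bucket}/{key}", safe="/"),
                           urlencode(sorted(params.items()), safe="", quote_via=quote),
                           f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, f"{date}/{REGION}/s3/aws4_request",
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret).encode(), date)      # derived per-day signing key;
    for part in (REGION, "s3", "aws4_request"):      # the raw secret never leaves here
        k = _hmac(k, part)
    return hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()

def presign(access_key_id, secret, bucket, key, expires_s, now=None):
    # Only the access key ID (inside X-Amz-Credential) ends up in the URL, never the secret.
    amz_date = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256", "X-Amz-Date": amz_date,
              "X-Amz-Credential": f"{access_key_id}/{amz_date[:8]}/{REGION}/s3/aws4_request",
              "X-Amz-Expires": str(expires_s), "X-Amz-SignedHeaders": "host"}
    sig = _signature(secret, amz_date, bucket, key, params)
    query = urlencode({**params, "X-Amz-Signature": sig}, safe="", quote_via=quote)
    return f"https://{HOST}/{bucket}/{quote(key)}?{query}"

def verify_presigned_url(url, secret, now=None):
    """Model of S3's check: recompute the signature over the URL's own parts and enforce expiry."""
    u = urlparse(url)
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    bucket, key = unquote(u.path).lstrip("/").split("/", 1)
    presented = params.pop("X-Amz-Signature", "")
    issued = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if (now or datetime.now(timezone.utc)) > issued + timedelta(seconds=int(params["X-Amz-Expires"])):
        return False, "expired"
    expected = _signature(secret, params["X-Amz-Date"], bucket, key, params)
    return (True, "ok") if hmac.compare_digest(presented, expected) else (False, "signature mismatch")

def demo():
    # Constructed scenario with made-up credentials; t0 is the X-Amz-Date from the question's URL.
    t0 = datetime(2016, 1, 26, 14, 11, 39, tzinfo=timezone.utc)
    url = presign("AKIAEXAMPLEKEYID", "EXAMPLE-SECRET", "MyBucketName", "FileName.jpg", 300, now=t0)
    return (verify_presigned_url(url, "EXAMPLE-SECRET", now=t0)[1],                              # valid
            verify_presigned_url(url.replace("FileName.jpg", "Other.jpg"), "EXAMPLE-SECRET", now=t0)[1],
            verify_presigned_url(url, "EXAMPLE-SECRET", now=t0 + timedelta(seconds=301))[1])      # expired
```

Swapping the object name in the path, or presenting the link after X-Amz-Expires has elapsed, makes the recomputed signature fail or the request expire, which is exactly the property the answer relies on.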

First of all, there are two ways to restrict access to the contents of the bucket:

If you want other users to access the image (for example, by specifying the URL of your site), you must mark it as public.

DO NOT send the URL with your AWS credentials anywhere!!!

0

Source: https://habr.com/ru/post/1241505/