How secure are signed URLs in AWS S3?

I plan to redirect users to the signed URLs of sensitive resources stored in S3. They are generated after checking user rights and have aggressive timeouts (30 seconds). My concern, however, is whether it is possible for any malware that is present on my client machine to capture the URL and download the file while the URL is still valid. Or am I just too paranoid?

If an answer was given earlier, point me in that direction. Appreciate your help.

+6
2 answers

I found this - http://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempFederationTokenRuby.html and tried it. It seems to work. Paraphrasing the code from the documentation:

    # Start a session with restricted permissions.
    sts = AWS::STS.new()
    policy = AWS::STS::Policy.new
    policy.allow(
      :actions => ["s3:ListBucket"],
      :resources => "arn:aws:s3:::#{bucket_name}"
    ).condition.add(:like, :referer, "domain.com")

    session = sts.new_federated_session(
      'User1',
      :policy => policy,
      :duration => 2*60*60)

Thus, the policy we create can include the IP address from which the client downloads and/or the aws:Referer field set to my application domain. I think this puts at least one level of obstacle in front of your resource. I get that the IP address or referer can be easily faked, but this is better than no defense at all.

+2

Anyone who receives the URL before the expiration date can use it to access the data. S3 supports bucket policies that restrict the IP addresses that are allowed to access data:

http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html

However, in this case, you are concerned about malware on the client machine, so that would not help. Have you considered encrypting the data so that only the client process can decrypt it?

You are still vulnerable to an insecure / careless client that is somehow leaking data.

+4
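
The point made in the answer above, that the URL alone grants access until it expires, shown as an added Ruby example (not code from the original posts and not the AWS SDK). It uses the legacy S3 query-string signature format as a simplified model; `authorize`, the bucket name, the keys and the IP addresses are constructed for illustration, and `allowed_cidr` stands in for a bucket policy source-IP condition.

```ruby
require 'openssl'
require 'uri'
require 'ipaddr'

# Constructed sample credentials for illustration only.
ACCESS_KEY = 'AKIAEXAMPLEKEYID'
SECRET_KEY = 'constructed-secret-not-a-real-key'

# Legacy query-string signature: HMAC-SHA1 over verb, expiry and resource.
# Nothing about the requesting client is part of the signed string.
def signature(verb, bucket, key, expires)
  string_to_sign = "#{verb}\n\n\n#{expires}\n/#{bucket}/#{key}"
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), SECRET_KEY, string_to_sign)
  [mac].pack('m0') # strict Base64, no line breaks
end

def presign(bucket, key, now, ttl)
  expires = now + ttl
  query = URI.encode_www_form('AWSAccessKeyId' => ACCESS_KEY, 'Expires' => expires,
                              'Signature' => signature('GET', bucket, key, expires))
  "https://#{bucket}.s3.amazonaws.com/#{key}?#{query}"
end

# Constant-time string comparison for the signature check.
def secure_eq(a, b)
  a.bytesize == b.bytesize &&
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Local model of the storage-side decision (hypothetical helper).
# allowed_cidr stands in for a bucket policy source-IP condition (nil = none).
def authorize(url, now, source_ip, allowed_cidr = nil)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query).to_h
  bucket = uri.host.split('.').first
  key = uri.path.sub(%r{\A/}, '')
  expected = signature('GET', bucket, key, params['Expires'])
  return :bad_signature unless secure_eq(expected, params['Signature'].to_s)
  return :expired if now > params['Expires'].to_i
  if allowed_cidr && !IPAddr.new(allowed_cidr).include?(IPAddr.new(source_ip))
    return :ip_denied
  end
  :ok
end
```

Without a source-IP condition, `authorize` returns the same result for any caller that presents the URL inside the 30-second window; the expiry cannot be extended without invalidating the signature.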

Source: https://habr.com/ru/post/947626/

