Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

AWS S3 The security of a signed URL as a hyperlink

Tags:

security

hyperlink

download

amazon-s3

Is this safe? Maintaining security using a pre-signed url with AWS S3 Bucket object?

<a href="https://mywebsite.s3.amazonaws.com/40.pdf?AWSAccessKeyId=[my access key]&Expires=1433297453&Signature=[this random set of numbers]">my link</a>

Another words - part 1...

say I'm storing a bunch of separate individual's files in a bucket. I want to provide a link to a file for a user. Obviously, each file is uniquely but consecutively named, I don't want people to be able to change the link from 40.pdf to 30.pdf and get a different file. This URL seems to do that.

part 2, and more importantly....

Is this safe or is a it dangerous method of displaying a URL in terms of the security of my bucket? Clearly, i will be giving away my "access key" here, but of course, not my "secret".

Already answered 3 years ago... sorry. How secure are Amazon AWS Access keys?

like image 734
Skinner Avatar asked Jun 03 '15 02:06

Skinner

People also ask

Are S3 signed URLs secure?

The algorithm is secure. The benefit of the change is that version 4 provides better compartmentalization inside AWS by calculating a signing key from the Secret Access Key for each day, region, and service.

How do S3 signed URLs work?

S3 pre-signed URLs are a form of an S3 URL that temporarily grants restricted access to a single S3 object to perform a single operation — either PUT or GET — for a predefined time limit. To break it down: It is secure — the URL is signed using an AWS access key.

What is a signed URL in AWS?

The signed URL allows the user to download or stream the content. This step is automatic; the user usually doesn't have to do anything additional to access the content. For example, if a user is accessing your content in a web browser, your application returns the signed URL to the browser.

How do I use AWS signed URL?

To generate a presigned URL using the AWS Management ConsoleIn the Buckets list, choose the name of the bucket that contains the object that you want a presigned URL for. In the Objects list, select the object that you want to create a presigned URL for. On the Actions menu, choose Share with a presigned URL.

Video Answer

1 Answers

AWS Security Credentials are used when making API calls to AWS. They consist of two components:

  • Access Key (eg AKIAISEMTXNOG4ABPC6Q): This is similar to a username. It is okay for people to see it.
  • Secret Key: This is a long string of random characters that is a shared secret between you and AWS. When making API calls, the SDK uses the shared secret to 'sign' your API calls. This is a one-way hash, so people cannot reverse-engineer your secret key. The secret key should be kept private.

A Signed URL is a method of granting time-limited access to an S3 object. The URL contains the Access Key and a Signature, which is a one-way hash calculated from the object, expiry time and the Secret Key.

A Signed URL is safe because:

  • It is valid for only a limited time period that you specify
  • It is valid only for the Amazon S3 object that you specify
  • It cannot be used to retrieve a different object nor can the time period be modified (because it would invalidate the signature)

However, anyone can use the URL during the valid time period. So, if somebody Tweets the URL, many people could potentially access the object until the expiry time. This potential security threat should be weighed against the benefit of serving traffic directly from Amazon S3 rather than having to run your own web servers.

like image 134
John Rotenstein Avatar answered Nov 02 '22 01:11

John Rotenstein
Sign in to Comment

Related questions

Delphi applications considered 'dangerous' by Google Chrome
Web API OAuth Bearer Token security
Secure session cookies in ASP.NET over HTTPS
Validate that a file is a picture in PHP
When linking to an external .js file, isn't this a security risk?
Jetty webserver security
How to get a process file name from pid, if OpenProcess() fails with ACCESS_DENIED?
Git: Is it possible to fake the signing date of a tag?
Is it 'safe' to permanently trust the Fiddler root certificate?
Can HTTPS connections be hijacked with a man-in-the-middle attack?
Are there any free implementations of strcpy_s and/or TR24731-1?
Should I release an app to the App Store with print statements in it?
PHP GET variable array injection
SQL Injection attack - What does this do?
what is an alternative to password_hash() for (PHP 5 < 5.5.0)?
How to get ssl on a kubernetes application?
Can anybody explain OAuth?
SecureString for storing in memory and presenting passwords? Or something else?
Does HTTPS protect against CSRF attacks?
Secure Flag for ASPXAUTH Cookie

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!