 

How secure are Amazon AWS Access keys?

I want to offer presigned URLs to my S3 buckets with an expiry date. The .NET SDK nicely generates these URLs, but looking at them makes me worry a little:

https://s3.amazonaws.com/upload_youtipit/myfile?AWSAccessKeyId=**MYACCESSKEY**&Expires=1317924047&response-content-disposition=attachment;filename=feedback.jpg&response-content-type=image/jpeg&Signature=podKJSrNeFel6%2B0aOneb342H5GA%3D 

Why does it need to put my (public) AWSAccessKey in the URL? Shouldn't this be kept a bit more confidential? I know it's not the secret, but I still don't feel comfortable exposing it in public.

How likely is it that somebody who has my public key can guess/brute-force my private key?

AyKarsi asked Oct 06 '11 18:10



2 Answers

The Access Key ID is not a secret and does not need protecting.

In fact, you can give expiring URLs to random strangers if you want them to access an S3 object. They can see the access key in that URL, but can't do anything with it that you have not authorized.

reference: http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#AccessKeys

Eric Hammond answered Oct 11 '22 13:10
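To make the point in this answer concrete, here is an added example (not code from the page, the question's .NET SDK, or AWS) that models the legacy Signature Version 2 scheme the question's URL uses: the `Signature` is Base64(HMAC-SHA1(secret, string-to-sign)) over the verb, the `Expires` value and the bucket/key plus the `response-*` sub-resources, and only the public `AWSAccessKeyId` is placed in the URL. The credentials are constructed sample values, the canonicalization is simplified, and real URLs should be generated by the SDK (which today uses Signature Version 4), but the mechanism is the same: a holder of the URL can read the key ID, yet changing the expiry, the object or any signed parameter without the secret breaks the signature.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Constructed sample credentials in the shape of real ones; they are not real AWS keys.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Query parameters that SigV2 folds into the signed resource (simplified list).
SUBRESOURCES = ("response-content-disposition", "response-content-type")


def string_to_sign(bucket, key, expires, params):
    """Simplified SigV2 string-to-sign for a presigned GET:
    HTTP-Verb, Content-MD5, Content-Type, Expires, CanonicalizedResource, newline-separated."""
    resource = f"/{bucket}/{key}"
    sub = sorted((k, v) for k, v in params.items() if k in SUBRESOURCES)
    if sub:
        resource += "?" + "&".join(f"{k}={v}" for k, v in sub)
    return f"GET\n\n\n{expires}\n{resource}"


def sign(secret, sts):
    """Signature = Base64(HMAC-SHA1(SecretAccessKey, StringToSign))."""
    digest = hmac.new(secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def presign(bucket, key, ttl_seconds, params=None, now=None):
    """Build a URL of the shape shown in the question. Only the key ID travels in it."""
    params = dict(params or {})
    expires = int(time.time() if now is None else now) + ttl_seconds
    signature = sign(SECRET_ACCESS_KEY, string_to_sign(bucket, key, expires, params))
    query = {"AWSAccessKeyId": ACCESS_KEY_ID, "Expires": str(expires), **params, "Signature": signature}
    return f"https://s3.amazonaws.com/{bucket}/{quote(key)}?{urlencode(query)}"


def verify(url, now=None):
    """What the service does on receipt: find the secret for the key ID, recompute the
    signature over the request it actually got, and reject expiry or any mismatch."""
    u = urlparse(url)
    _, bucket, key = u.path.split("/", 2)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if q.get("AWSAccessKeyId") != ACCESS_KEY_ID:
        return False, "unknown access key id"
    expires = int(q.get("Expires", "0"))
    if (time.time() if now is None else now) > expires:
        return False, "expired"
    expected = sign(SECRET_ACCESS_KEY, string_to_sign(bucket, unquote(key), expires, q))
    # Constant-time comparison of the two Base64 signatures.
    if not hmac.compare_digest(expected.encode(), q.get("Signature", "").encode()):
        return False, "bad signature"
    return True, "ok"


def rewrite_query(url, changes):
    """Attacker move: holding the URL (and so the public key ID), edit query parameters."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    q.update(changes)
    return u._replace(query=urlencode(q)).geturl()


if __name__ == "__main__":
    url = presign("upload_youtipit", "myfile", 3600,
                  {"response-content-disposition": "attachment;filename=feedback.jpg",
                   "response-content-type": "image/jpeg"})
    print(url)
    print(verify(url))
    print(verify(rewrite_query(url, {"Expires": "9999999999"})))
```

The only thing the URL reveals beyond the key ID is an HMAC output, and HMAC-SHA1 outputs do not let a holder recover the 40-character secret; every signed field is bound by that value, so the recipient can do exactly the one request the signer authorized, until `Expires` passes.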


I kind of agree with the accepted answer, but there is an easy way to do what you want.

You need to use Amazon IAM to create a user that can only read files (it does not really matter, but they at least need read-only access to the bucket that you are dealing with). Then use THAT user's AWS ID and secret to generate a download link.

This does not open up your whole bucket, as to see the whole bucket the person needs the AWSID of this IAM 'reader' user, plus their secret key. You still need to construct time limited URLs.

You can use the IAM console to create a user like that in a few mins. You only get one chance to get the secret key - at the time you make the user (or if you rotate his keys).

That should do it. This AWSID has no access to anything, and is not linked to you.

In general Amazon now recommends that your primary AWSID is not used 'for anything'. You create users with permissions in IAM, then use those codes. This allows for a lot of security flexibility. You can turn off your read only user with a simple action in the IAM console.

Tom Andersen answered Oct 11 '22 13:10
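As an added illustration of the read-only IAM user this answer describes (not a policy from the answer or from AWS documentation), the following is an identity policy to attach to that user; the bucket name is taken from the question's URL and the statement ID is an assumption. It grants object reads on that one bucket and nothing else, so a URL signed with this user's keys can never do more than fetch an object, whoever ends up holding it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadObjectsInOneBucketOnly",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::upload_youtipit/*"
    }
  ]
}
```

`s3:ListBucket` is deliberately left out: a presigned GET for a known key does not need it, and without it the signing user cannot enumerate the bucket even if its keys leak. Deleting this user's access keys in the IAM console immediately invalidates every URL they signed, expired or not.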