I know how to enforce SSL on S3 via bucket policies.
But even with this bucket policy, a presigned S3 object URL can be accessed both using HTTP and HTTPS.
Is there a way to enforce SSL on presigned URL? Either using a bucket policy or using a specific option during presign.
By using X-Amz-SignedHeaders . By specifying the Content-MD5 header while generating the presigned URL, your service can enforce the presigned URL to be valid only if the specified value for this header is the same from the one specified, and the one received by the user while uploading a file.
Pre-signed URLs are used to provide short-term access to a private object in your S3 bucket. They work by appending an AWS Access Key, expiration time, and Sigv4 signature as query parameters to the S3 object. There are two common use cases when you may want to use them: Simple, occasional sharing of private files.
Modify the policy that grants access to the principal that's signing the URL, adding this condition key test.
"Condition": {
"Bool": {
"aws:SecureTransport": "true"
}
}
If requests are made with those signed URLs using HTTP, they'll be denied. This change will be retroactive, impacting even signed URLs you already generated, because it's evaluated when the URL is actually used.
Alternately, create a bucket policy to deny all access to the bucket when the condition is false.
https://aws.amazon.com/blogs/security/how-to-use-bucket-policies-and-apply-defense-in-depth-to-help-secure-your-amazon-s3-data/
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With