
How secure are presigned URLs in AWS S3?

I am planning to redirect users to presigned URLs of sensitive resources stored in S3. These get generated after checking the user's rights and have aggressive timeouts (30 secs). My worry however is whether it would be possible for some malware that is present on my client's machine to capture the URL and still download the file within the expiry time of the URL. Or am I just being too paranoid?

If this has been answered before, please point me in that direction. Appreciate your help.

Anyone who obtains the URL before expiry can use it to access the data. S3 supports bucket policies that limit the IP addresses that are allowed access to data:

http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html

However in this case you are worried about malware on the client machine. So that wouldn't help. Have you considered encrypting the data such that only the client process can decrypt it?

You're still vulnerable to an insecure/careless client leaking the data somehow.

I found this - http://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempFederationTokenRuby.html and gave it a try. It seems to work. Paraphrasing the code from the doc -

# AWS SDK for Ruby v1, the SDK the linked doc uses.
require 'aws-sdk'

bucket_name = 'my-bucket'   # placeholder: the bucket the temporary credentials may list

# Start a session with restricted permissions.
sts = AWS::STS.new()
policy = AWS::STS::Policy.new
policy.allow(
  :actions => ["s3:ListBucket"],
  :resources => "arn:aws:s3:::#{bucket_name}"
).condition.add(:like, :referer, "domain.com")   # statement only applies when aws:Referer matches

# Temporary credentials carrying the restricted policy, valid for two hours.
session = sts.new_federated_session(
  'User1',
  :policy => policy,
  :duration => 2*60*60)

So the policy that we create can have the originating IP address from which the client downloads and/or maybe the aws:Referer field set to my app's domain. I think this provides at least one level of obstruction to your resource. I get that the IP address or the referer can easily be spoofed. But it's better than not having any protection at all.

In browser, the Web Cryptography API could be used to encrypt/decrypt the content, shared via a pre-signed S3 url, to ensure it remains private.

As of today, the API is in an experimental stage, but it is supported by every modern browser.

By using this API a private/public keypair can be generated in the browser. The private key should be stored in local storage and the public key should be sent to a lambda function. When we request the S3 content, we have to go to the lambda function first. The lambda function encrypts the content we want to share with the public key, stores it in S3 bucket and shares the encrypted object with a pre-signed URL.

By this method the content in the object remains private, even if somebody unprivileged has the pre-signed URL.
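The envelope scheme the answers above describe (a keypair on the client, the server encrypting the object for that public key before handing out a pre-signed URL), as an added example that is not from the original thread. It uses Ruby's OpenSSL bindings in place of the browser's Web Cryptography API, and the function names, the AES-256-GCM data key and the sample object contents are all assumptions of this example:

```ruby
require 'openssl'

# Client side: generate the keypair. Only the public half is sent to the
# server-side step (the Lambda in the answer above); the private half never
# leaves the client.
def generate_client_keypair
  OpenSSL::PKey::RSA.new(2048)
end

# Server side: encrypt one object for one client before writing it to S3.
# A fresh AES-256-GCM data key encrypts the body; the data key is wrapped
# with the client's RSA public key (OAEP). The returned hash is what would
# be stored as the S3 object and fetched through the pre-signed URL.
def encrypt_for_client(plaintext, client_public_pem)
  pub = OpenSSL::PKey::RSA.new(client_public_pem)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  data_key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ''
  body = cipher.update(plaintext) + cipher.final
  {
    'wrapped_key' => [pub.public_encrypt(data_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)].pack('m0'),
    'iv' => [iv].pack('m0'),
    'tag' => [cipher.auth_tag].pack('m0'),
    'ciphertext' => [body].pack('m0')
  }
end

# Client side: open the envelope downloaded from the pre-signed URL. Anyone
# who captured the URL gets only this envelope; without the private key the
# data key cannot be unwrapped, and a modified body fails the GCM tag check.
def decrypt_with_client_key(envelope, client_private_key)
  data_key = client_private_key.private_decrypt(
    envelope['wrapped_key'].unpack1('m0'), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = data_key
  cipher.iv = envelope['iv'].unpack1('m0')
  cipher.auth_tag = envelope['tag'].unpack1('m0')
  cipher.auth_data = ''
  cipher.update(envelope['ciphertext'].unpack1('m0')) + cipher.final
end

# Constructed demo: round-trip one object through the envelope.
if __FILE__ == $PROGRAM_NAME
  client = generate_client_keypair
  envelope = encrypt_for_client('contents of report.pdf', client.public_key.to_pem)
  puts decrypt_with_client_key(envelope, client)
end
```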


Not tried, but the Amazon S3 service supports encryption with your own key.
