0

Currently we have a site setup in an s3 bucket. This site makes use of a web.config file.

However we can navigate to the file via the url: for example, www.mysite.com/web.config will serve the file.

Is there a simple way to avoid the web.config to be served via this method? On IIS this is automatically secure as well as in apache (for .htaccess files)

Malky.Kid
  • 105
  • 5
  • 2
    Why are you putting the `web.config` file in the bucket in the first place? It won't do anything on S3. – ceejayoz Aug 19 '19 at 21:45
  • In any case, would there be a way to hide/secure this file? Assume it's not a web.config file and a different file instead – Malky.Kid Aug 19 '19 at 21:48
  • 1
    Sure, you can edit the file's permissions individually, or set overall IAM rules. You'll see various options to do this in the S3 console. https://docs.aws.amazon.com/AmazonS3/latest/user-guide/set-object-permissions.html – ceejayoz Aug 19 '19 at 21:49

2 Answers2

2

If your site actually needs a web.config file, then your site isn't suitable for hosting on S3.

You can host a static website on Amazon Simple Storage Service (Amazon S3). On a static website, individual webpages include static content. They might also contain client-side scripts. By contrast, a dynamic website relies on server-side processing, including server-side scripts such as PHP, JSP, or ASP.NET. Amazon S3 does not support server-side scripting.

https://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html

If, on the other hand, your site doesn't actually need the web.config file, then the file should not be uploaded to a public S3 bucket.

It is possible to deny access to files by name patterns using the bucket policy, or by not setting public-read for the object itself (assuming the bucket policy doesn't make this setting redundant)... but this solves the wrong problem.

Michael - sqlbot
  • 22,658
  • 2
  • 63
  • 86
0

@Malky.Kid, could you share what approach you took for removing the file and from where did you configure the variables present in that file. I am also facing a similar scenario.

Sugandha Mishra
  • 1
  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/537495) – Dave M Dec 17 '22 at 16:03