
We are storing files uploaded by users of our app to Amazon S3.

In order to keep these files private & secure, we are:

  1. having the client generate a UUID for the filename (so that the URL of the file is difficult to guess). See: What is the probability of guessing (matching) a Guid?

  2. going to protect the data by using client-side encryption.

Do these two measures provide sufficient security, or should we also use Amazon Cognito to ensure that the user getting the object is one of the users who has access to it?

ma11hew28
  • How are they accessing the files? For instance, are they making direct API calls to S3 to download the files? – Preston Martin Apr 17 '17 at 19:43
  • The users access the files through the client's user interface, and the client makes the API calls to S3. – ma11hew28 Apr 17 '17 at 19:46
  • How do you grant permissions? Can any client access any folder in the bucket? Is the bucket open to "Everyone"? – Preston Martin Apr 17 '17 at 19:51
  • Yes, the bucket is open to everyone, but the only allowed actions are `s3:GetObject` & `s3:PutObject`. – ma11hew28 Apr 17 '17 at 19:55
  • If the bucket has `PutObject` permission, is it possible to corrupt other users' files? – Iłya Bursov Apr 17 '17 at 20:07
  • Yes, it's possible to overwrite any file, if you specify its URL. – ma11hew28 Apr 17 '17 at 20:13
  • @mattdipasquale So, we can loop over all possible UUIDs and upload an empty file (via a botnet, of course)? – Iłya Bursov Apr 17 '17 at 20:26
  • @Lashane I think so, although I don't know if Amazon S3 protects against something like that, since it sounds similar to a DoS attack, and I imagine they protect against that. – ma11hew28 Apr 17 '17 at 20:31
  • @Lashane Do you think that would be viable? With the birthday paradox, in order to generate a 50% chance of one collision, 2.71 quintillion UUIDs would need to be generated. – Preston Martin Apr 17 '17 at 20:32
  • @mattdipasquale So, are users aware that their files can be corrupted by a 3rd party? – Iłya Bursov Apr 17 '17 at 20:33
  • @PrestonM Will you use this app with such a security hole? – Iłya Bursov Apr 17 '17 at 20:35
  • @Lashane Well, we haven't released this yet, but I guess we could add something to the privacy policy if we only took measures 1 & 2. – ma11hew28 Apr 17 '17 at 20:35
  • @mattdipasquale OK, 2nd question: what credentials are used to connect to S3? Are they stored in the application itself? What if you need to change them immediately? – Iłya Bursov Apr 17 '17 at 20:37
  • @Lashane Well, we could use [Amazon S3 Versioning to prevent users from overwriting the original file that was uploaded](https://forums.aws.amazon.com/message.jspa?messageID=332871). – ma11hew28 Apr 17 '17 at 20:40
  • @mattdipasquale You cannot use versioning to _prevent_ overwriting. – Iłya Bursov Apr 17 '17 at 20:42
  • @Lashane No credentials are needed. Everyone can make `getObject` & `putObject` API calls to the S3 bucket. – ma11hew28 Apr 17 '17 at 20:42
  • @mattdipasquale Awesome! I need to save my video archive somewhere; will you continue to pay for this bucket? – Iłya Bursov Apr 17 '17 at 20:42
  • @Lashane I think we could set a max size per file. Also, we could run a cron job every so often that checks for dangling files (those not referenced by the database) and deletes them. – ma11hew28 Apr 17 '17 at 20:48
  • @mattdipasquale You're missing my point: the model you've described is very fragile. You should re-architect your app; don't try to fix a thing which is broken from the very beginning. – Iłya Bursov Apr 17 '17 at 20:49
  • Amazon S3 versioning will keep the original version of the file, and the client could always show that one and ignore any newer versions. – ma11hew28 Apr 17 '17 at 20:50

1 Answer

Using obscure filenames is not a good security method.

If you wish to allow users to upload/download data to/from Amazon S3 in a secure manner, you should use Pre-Signed URLs.

The process is:

  • Users authenticate to your web/mobile application
  • Users interact with your application and indicate they wish to upload/download a file
  • Your application generates a pre-signed URL that includes an authorization to access Amazon S3, with restrictions such as bucket, path and file size
  • Users upload/download the file using the pre-signed URL

This way, your application controls the security and there is no potential for accidental workaround, overwriting, access, etc.

See: Uploading Objects Using Pre-Signed URLs

John Rotenstein