6

I want to generate pre-signed S3 URLs using temporary security credentials (my program is running on an EC2 host that has an IAM role attached with the policies I want).

I saw on the docs for how to create a signed request that I am supposed to provide the session token as part of the pre-signed URL. Is this safe to expose to the public?

The docs on how to use temporary credentials say that "AWS uses the session token to validate the temporary security credentials," but can someone use the access key and session token from the temporary security credentials (both of which are visible in the pre-signed URL) to do anything malicious?

In short, my question is: how secret is the session token from AWS temporary security credentials? Is it dangerous to reveal by itself? What about if I reveal it with the associated access key?

Thanks in advance! I've been scratching my head about this since the STS docs aren't super clear on how secret this session token is, and I definitely want to be doing The Right Thing security-wise.

CDOct
  • 63
  • 1
  • 3
  • You should use the AWS SDKs to generate pre-signed URLs if you can. If it emits plaintext access key and session token in the URL then it's presumably safe to do so. – jarmod Mar 15 '18 at 20:20

1 Answers1

3

The session token and the access-key-id are useless without the accompanying secret. It is computationally infeasible to reverse-engineer the secret from key + token + signature.

Pre-signed URLs are intended for use in cases where you want to give a user access to a specific resource without actually giving them the credentials, and necessarily include the x-amz-security-token if signed with temporary credentials. If the token is omitted, the service will respond with InvalidAccessKeyId, "The AWS access key Id you provided does not exist in our records" when the signed URL is used.

It isn't specifically documented what information is contained in the token, but there is no documented indication that it is not suited for use in exactly this application. It seems a safe assumption that whatever information it contains is encrypted and extractable only by the AWS services in possession of the necessary decryption keys.

Michael - sqlbot
  • 169,571
  • 25
  • 353
  • 427