S3 Presigned URLs

Amazon S3 has been in the news lately:

Top Defense Contractor Left Sensitive Pentagon Files on Amazon Server With No Password

The RNC Files: Inside the Largest US Voter Data Leak

Cloud Leak: How A Verizon Partner Exposed Millions of Customer Accounts

S3’s default configuration does not allow public access to the contents of a bucket, but these stories all feature bucket or object permissions that were open to the world. It’s evident that it’s a common mistake, but how can we avoid it?

S3 presigned URLs are one answer. A single API call will provide a time-limited URL which will allow access to an object, even if it’s otherwise private. Here’s an example:

$ curl https://s3.us-east-2.amazonaws.com/uiuc-presigned-url-example/secret.txt

<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>24FF5CD84B7510CE</RequestId>
<HostId>Q29LqDuXtn8x+L+3ol1YbIhse+2XJbUs1HxV3Eq2Fa3krwTPNhS6yu1Ffx8DHgBsrsehvCFeN6Q=</HostId>
</Error>

That file is private, so clicking on that link gives an AccessDenied error. However, with the right access in the hosting account, I can use the AWS CLI to request a presigned link:

$ aws s3 presign s3://uiuc-presigned-url-example/secret.txt --expires-in 604800

https://s3.us-east-2.amazonaws.com/uiuc-presigned-url-example/secret.
txt?X-Amz-Date=20170720T182534Z&X-Amz-SignedHeaders=host&X-Amz-Creden
tial=ASIAIYLQNVRRFNZOCFBA%2F20170720%2Fus-east-2%2Fs3%2Faws4_request&
X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Security-
Token=FQoDYXdzEJP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDOLWx95j90zPxGh7WSL
dAVnoYoKC4gjrrR1xbokFWRRwutmuAmOxaIVcQqOy%2Fqxy%2FXQt3Iz%2FohuEEmI7%2
FHPzShy%2BfgQtvfUeDaojrAx5q8fG9P1KuIfcedfkiU%2BCxpM2foyCGlXzoZuNlcF8o
hm%2BaM3wh4%2BxQ%2FpShLl18cKiKEiw0QF1UQGj%2FsiEqzoM81vOSUVWL9SpTTkVq8
EQHY1chYKBkBWt7eIQcxjTI2dQeYOohlrbnZ5Y1%2F1cxPgrbk6PkNFO3whAoliSjyRC8
e4TSjIY2j3V6d9fUy4%2Fp6nLZIf9wuERL7xW9PjE6eZbKOHnw8sF&X-Amz-Signature
=a14b3065ab822105e8d7892eb5dcc455ddd603c61e47520774a7289178af9ecc

That returns a long URL which will work for one week from the time it was created.

$ curl "https://s3.us-east-2.amazonaws.com/uiuc-presigned-url-example/secret.txt?X-Amz-Date=20170720T182534Z&X-Amz-SignedHeaders=host&X-Amz-Credential=ASIAIYLQNVRRFNZOCFBA%2F20170720%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Security-Token=FQoDYXdzEJP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDOLWx95j90zPxGh7WSLdAVnoYoKC4gjrrR1xbokFWRRwutmuAmOxaIVcQqOy%2Fqxy%2FXQt3Iz%2FohuEEmI7%2FHPzShy%2BfgQtvfUeDaojrAx5q8fG9P1KuIfcedfkiU%2BCxpM2foyCGlXzoZuNlcF8ohm%2BaM3wh4%2BxQ%2FpShLl18cKiKEiw0QF1UQGj%2FsiEqzoM81vOSUVWL9SpTTkVq8EQHY1chYKBkBWt7eIQcxjTI2dQeYOohlrbnZ5Y1%2F1cxPgrbk6PkNFO3whAoliSjyRC8e4TSjIY2j3V6d9fUy4%2Fp6nLZIf9wuERL7xW9PjE6eZbKOHnw8sF&X-Amz-Signature=a14b3065ab822105e8d7892eb5dcc455ddd603c61e47520774a7289178af9ecc"

This is a secret file. Keep it safe.

Presigned URLs can be used to safely share files with collaborators or exclusively display content to logged-in, trusted users on a website. They can’t stop a trusted user from saving content and reposting it elsewhere, so consider the human factor when you’re using them.
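Before a presigned link is handed out, it helps to check what it actually grants. The following is an added example, not part of the original post: a small Python inspector that reads the query parameters shown in the URL above and reports the object, the expiry time and any review findings. The sample URL's key ID, token and signature are constructed placeholders, and the `max_lifetime` policy limit is a hypothetical local setting.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample: same shape as the URL above, with placeholder key ID, token and signature.
SAMPLE_URL = (
    "https://s3.us-east-2.amazonaws.com/uiuc-presigned-url-example/secret.txt"
    "?X-Amz-Date=20170720T182534Z&X-Amz-SignedHeaders=host"
    "&X-Amz-Credential=ASIAEXAMPLEKEYID0000%2F20170720%2Fus-east-2%2Fs3%2Faws4_request"
    "&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800"
    "&X-Amz-Security-Token=PLACEHOLDER-TOKEN&X-Amz-Signature=" + "0" * 64
)
REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
            "X-Amz-Expires", "X-Amz-Signature")

def inspect_presigned_url(url, now=None, max_lifetime=3600):
    """Describe a path-style SigV4 presigned S3 URL and list review findings.

    max_lifetime is a hypothetical local policy limit, in seconds.
    """
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    missing = [name for name in REQUIRED if name not in query]
    if missing:
        raise ValueError("not a SigV4 presigned URL, missing: " + ", ".join(missing))
    # Path-style addressing, as in the post: /<bucket>/<key>
    bucket, _, key = parts.path.lstrip("/").partition("/")
    # Credential scope: <key id>/<date>/<region>/<service>/aws4_request
    key_id, _, region, _, _ = query["X-Amz-Credential"].split("/")
    signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    lifetime = int(query["X-Amz-Expires"])
    expires_at = signed_at + timedelta(seconds=lifetime)
    temporary = "X-Amz-Security-Token" in query
    now = now or datetime.now(timezone.utc)
    findings = []
    if lifetime > max_lifetime:
        findings.append("lifetime %ds exceeds policy limit %ds" % (lifetime, max_lifetime))
    if temporary:
        findings.append("signed with temporary credentials; the URL stops working "
                        "when they expire, which can be before expires_at")
    if now >= expires_at:
        findings.append("expired")
    return {"bucket": bucket, "key": unquote(key), "region": region,
            "access_key_id": key_id, "signed_at": signed_at, "expires_at": expires_at,
            "temporary_credentials": temporary, "findings": findings}

if __name__ == "__main__":
    for name, value in inspect_presigned_url(SAMPLE_URL).items():
        print(name, "=", value)
```

Anyone who holds the full URL can fetch the object until it expires, so treat the query string as a credential and keep it out of logs and tickets.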

Amazon is currently sending out alerts to account holders that have publicly-readable S3 buckets. If we receive a notice, we’ll forward it on to that account’s admin contacts for consideration.

 
