Amazon S3 has been in the news lately:
S3’s default configuration does not allow public access to the contents of a bucket, but these stories all feature bucket or object permissions that were open to the world. It’s evident that it’s a common mistake, but how can we avoid it?
S3 presigned URLs are one answer. A single API call will provide a time-limited URL which will allow access to an object, even if it’s otherwise private. Here’s an example:
$ curl https://s3.us-east-2.amazonaws.com/uiuc-presigned-url-example/secret.txt
<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>AccessDenied</Code>
  <Message>Access Denied</Message>
  <RequestId>24FF5CD84B7510CE</RequestId>
  <HostId>Q29LqDuXtn8x+L+3ol1YbIhse+2XJbUs1HxV3Eq2Fa3krwTPNhS6yu1Ffx8DHgBsrsehvCFeN6Q=</HostId>
</Error>
That file is private, so clicking on that link gives an AccessDenied error. However, with the right access in the hosting account, I can use the AWS CLI to request a pre-signed link:
$ aws s3 presign s3://uiuc-presigned-url-example/secret.txt --expires-in 604800
https://s3.us-east-2.amazonaws.com/uiuc-presigned-url-example/secret.txt?X-Amz-Date=20170720T182534Z&X-Amz-SignedHeaders=host&X-Amz-Credential=ASIAIYLQNVRRFNZOCFBA%2F20170720%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Security-Token=FQoDYXdzEJP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDOLWx95j90zPxGh7WSLdAVnoYoKC4gjrrR1xbokFWRRwutmuAmOxaIVcQqOy%2Fqxy%2FXQt3Iz%2FohuEEmI7%2FHPzShy%2BfgQtvfUeDaojrAx5q8fG9P1KuIfcedfkiU%2BCxpM2foyCGlXzoZuNlcF8ohm%2BaM3wh4%2BxQ%2FpShLl18cKiKEiw0QF1UQGj%2FsiEqzoM81vOSUVWL9SpTTkVq8EQHY1chYKBkBWt7eIQcxjTI2dQeYOohlrbnZ5Y1%2F1cxPgrbk6PkNFO3whAoliSjyRC8e4TSjIY2j3V6d9fUy4%2Fp6nLZIf9wuERL7xW9PjE6eZbKOHnw8sF&X-Amz-Signature=a14b3065ab822105e8d7892eb5dcc455ddd603c61e47520774a7289178af9ecc
That returns a long URL which will work for one week from the time it was created.
$ curl "https://s3.us-east-2.amazonaws.com/uiuc-presigned-url-example/secret.txt?X-Amz-Date=20170720T182534Z&X-Amz-SignedHeaders=host&X-Amz-Credential=ASIAIYLQNVRRFNZOCFBA%2F20170720%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=604800&X-Amz-Security-Token=FQoDYXdzEJP%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDOLWx95j90zPxGh7WSLdAVnoYoKC4gjrrR1xbokFWRRwutmuAmOxaIVcQqOy%2Fqxy%2FXQt3Iz%2FohuEEmI7%2FHPzShy%2BfgQtvfUeDaojrAx5q8fG9P1KuIfcedfkiU%2BCxpM2foyCGlXzoZuNlcF8ohm%2BaM3wh4%2BxQ%2FpShLl18cKiKEiw0QF1UQGj%2FsiEqzoM81vOSUVWL9SpTTkVq8EQHY1chYKBkBWt7eIQcxjTI2dQeYOohlrbnZ5Y1%2F1cxPgrbk6PkNFO3whAoliSjyRC8e4TSjIY2j3V6d9fUy4%2Fp6nLZIf9wuERL7xW9PjE6eZbKOHnw8sF&X-Amz-Signature=a14b3065ab822105e8d7892eb5dcc455ddd603c61e47520774a7289178af9ecc"
This is a secret file. Keep it safe.
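The query parameters in that URL are not opaque: they are AWS Signature Version 4 in its query-string form, and the X-Amz-Signature at the end is an HMAC over the method, path, every X-Amz-* parameter (including X-Amz-Expires) and the host. The X-Amz-Security-Token is there because the CLI was running on temporary credentials (the ASIA... access key). As an added example, not code from the original post or from AWS, here is a pure-Python signer that produces the same kind of URL, next to a model of the checks the service performs before it answers with the AccessDenied above. It is checked against the presigned-URL test vector in the AWS SigV4 documentation (the well-known AKIAIOSFODNN7EXAMPLE example credentials, bucket examplebucket, object test.txt); the other hostnames and keys below are constructed placeholders, and the verifier is a simplified model that does not cover the permission and clock-skew checks the real service also makes.

```python
"""SigV4 query-string signing and verification for an S3 GET, in the style of
`aws s3 presign`.  Added example; not the post's or AWS's code.  The only
credentials used are the published AWS documentation test values."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 604800          # S3 rejects SigV4 presigned URLs valid for more than 7 days
TIME_FMT = "%Y%m%dT%H%M%SZ"   # X-Amz-Date format, always UTC

# Published AWS SigV4 example credentials (documentation test vector, not a live key).
DOC_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DOC_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _uri_encode(s):
    # SigV4 canonical encoding: only A-Z a-z 0-9 - _ . ~ stay literal; "/" is encoded too.
    return quote(s, safe="-_.~")


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _canonical_uri(object_key):
    # Each path segment is encoded separately; the separating "/" stays literal.
    return "/" + "/".join(_uri_encode(seg) for seg in object_key.split("/"))


def _signature(host, canonical_uri, params, secret, region, amz_date):
    """Signature over the canonical request, computed identically by signer and service."""
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    query = "&".join(f"{_uri_encode(k)}={_uri_encode(v)}" for k, v in sorted(params.items()))
    canonical_request = "\n".join(
        ["GET", canonical_uri, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        [ALGORITHM, amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Key derivation chain: secret -> date -> region -> service -> "aws4_request"
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest(), query


def presign_get(host, object_key, access_key, secret, region, amz_date, expires, session_token=None):
    """Build a presigned GET URL (what `aws s3 presign` does, minus credential lookup)."""
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary (ASIA...) credentials carry their session token in the URL
        params["X-Amz-Security-Token"] = session_token
    uri = _canonical_uri(object_key)
    sig, query = _signature(host, uri, params, secret, region, amz_date)
    return f"https://{host}{uri}?{query}&X-Amz-Signature={sig}"


def verify_get(url, secret, now):
    """Model of the service-side check: credential scope, time window, then signature.
    `now` is a UTC timestamp in X-Amz-Date format.  Returns (accepted, reason)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", None)
    if presented is None:
        return False, "missing signature"
    try:
        _, date, region, service, term = params["X-Amz-Credential"].split("/")
        amz_date = params["X-Amz-Date"]
        expires = int(params["X-Amz-Expires"])
        signed_at = dt.datetime.strptime(amz_date, TIME_FMT)
        now_dt = dt.datetime.strptime(now, TIME_FMT)
    except (KeyError, ValueError):
        return False, "malformed query"
    if service != "s3" or term != "aws4_request" or not amz_date.startswith(date):
        return False, "bad credential scope"
    if not 1 <= expires <= MAX_EXPIRES:
        return False, "expires out of range"
    if now_dt > signed_at + dt.timedelta(seconds=expires):
        return False, "expired"
    # Re-derive the canonical URI from the (possibly percent-encoded) request path.
    uri = "/" + "/".join(_uri_encode(unquote(seg)) for seg in parts.path.lstrip("/").split("/"))
    expected, _ = _signature(parts.netloc, uri, params, secret, region, amz_date)
    if not hmac.compare_digest(expected, presented):   # constant-time comparison
        return False, "signature mismatch"
    return True, "ok"


def demo():
    """Sign the documented test vector, then show what each kind of tampering yields."""
    url = presign_get("examplebucket.s3.amazonaws.com", "test.txt", DOC_ACCESS_KEY, DOC_SECRET,
                      "us-east-1", "20130524T000000Z", 86400)
    fresh, late = "20130524T120000Z", "20130525T000001Z"
    return {
        "url": url,
        "fresh": verify_get(url, DOC_SECRET, fresh),
        "after_expiry": verify_get(url, DOC_SECRET, late),
        # Pointing the same signature at another object: the path is signed.
        "other_object": verify_get(url.replace("/test.txt?", "/other.txt?"), DOC_SECRET, fresh),
        # Stretching the lifetime to the 7-day maximum: X-Amz-Expires is signed as well.
        "longer_life": verify_get(url.replace("X-Amz-Expires=86400", "X-Amz-Expires=604800"),
                                  DOC_SECRET, fresh),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for anyone handing these out: the URL is a bearer credential for one object, but its lifetime and target are cryptographically fixed at signing time, so the holder cannot extend it or redirect it, and once X-Amz-Date plus X-Amz-Expires has passed the service answers AccessDenied just as it does for the unsigned request above. If the signing credentials are rotated or their session expires, URLs signed with them stop working as well.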
Presigned URLs can be used to safely share files with collaborators or exclusively display content to logged-in, trusted users on a website. They can’t stop a trusted user from saving content and reposting it elsewhere, so consider the human factor when you’re using them.
Amazon is currently sending out alerts to account holders that have publicly-readable S3 buckets. If we receive a notice, we’ll forward it on to that account’s admin contacts for consideration.