Exposing AWS S3 Signed URLs in Web App? - amazon-web-services

I have been trying to find an answer to this question for a couple of hours now, but have not managed to come up with a conclusive answer. I am hoping someone here will be able to shed some light on my question. Consider the following Example AWS S3 URL:
https://some-bucket.s3-eu-west-2.amazonaws.com/uploads/images/some_image.jpg?X-Amz-Expires=600&X-Amz-Date=20170920T124015Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAI6CJYFYSSWMXXXXX/20170920/eu-west-2/s3/aws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=0481296b70633de9efb2fce6e20751df2f55fd79b5ff9570c02ff8f587dce825
In my specific example, the above URL is a request to view an image on S3 which I am exposing directly in a HTML img tag, and the user in Amz-Credential has both read and write permissions. The URL is also set to expire in 10 minutes.
Is is safe to link to the image directly via this URL, or is there any possibility that within these 10 minutes, the signature from this URL could be used in a maliciously crafted REST request to delete or modify the image instead of viewing it?
I do suspect a different action will have a different signature to make this impossible, but given my very limited understanding of AWS auth, I thought it better to ask just in case.
I know I could create a read-only user (extra complexity) or hide the S3 URL behind a controller action on my own web app (requires 2 total requests to load each image, making it inefficient), but I would rather learn whether my current approach is safe or not before resorting to either of these.
Thank you kindly for your time. :)

If your pre-signed url has PUT or DELETE permission someone could try to get the Signature + AccessKeyId to overwrite or delete your object.
Just make sure that you are signing the url with a read-only permission and I guess you're good.

Related

Any way we can share a specific item publicly from a private S3 bucket?

The question is pretty vague but here's the entire problem statement. I am using Django REST APIs, and I'm generating invocies for my clients. Using wkhtmltopdf, I'm able to generate a PDF file which gets automatically backed up to S3. Now, we need to retreive the said invoice once our client clicks on a link.
We're using pre-signed URLs right now, which last for 12 hours, right? Once that link expires, the entire backend fails.
I mean, even if we go for permanent pre-signed links, would there not be a security issue?
I could really use some guidance on this.
Now, we need to retreive the said invoice once our client clicks on a link.
We're using pre-signed URLs right now [...]
Only generate the pre-signed URL for a given S3 URI when the authenticated client clicks on the link. You can then give it a very short expiry.

Two different links to an image in a bucket? What's the difference?

While ago I've uploaded an image to the Google Cloud Platform bucket and made it public. Direct link, from GCP looks like this:
But this link, when put as Avatar URL to the Hangouts Chat API is not working (showing default avatar on hangouts chat, instead of mine).
I also found a way to create an url, its: https://storage.googleapis.com/[bucket]/[file] and this one is working, no idea why.
And my question is, why "official" link is not working, while the second one is working? What's the difference between them, difference between storage.cloud.google.com vs storage.googleapis.com?
This should help you understand better what's the difference between the two links.
Access to public objects
All requests to the storage.cloud.google.com URI require authentication. This applies even when allUsers have permission to access an object. If you want users to download anonymously accessible objects without authenticating, use the storage.googleapis.com URI documented in Direct API requests. For details and examples, see Accessing Public Data.
Here you have more information on the topic.
Hope this helps :)

How can I grant access only if resource is accessed through my domain?

I have a bunch of videos and all of them are uploaded on Wistia. On Wistia, I have set up access for my domain, so they will play only when the videos are fetched from my domain.
If someone uses View Source and copies the video URL and pastes it in a separate browser window, they get an "access denied' message.
I'm thinking about moving my videos to Google Cloud Storage. So, my questions are:
Does Google cloud provide a similar domain restriction feature?
How can I set this up? For now, I've created a temporary bucket and uploaded a video and granted it public access. Then I copied the public link of the MP4 file and added to my website, and it obviously plays, but then any paid member can use View Source, copy the MP4 link and upload it to other streaming services for everyone to see.
EDIT
Is there a way to do this programmatically - like my website is in PHP - so something along the lines like - keep the bucket as restricted access and then through PHP - pass some key and retrieve the video file. Not sure if something like this is possible.
Thanks
I do not believe that there is an access control mechanism in Google Cloud Storage equivalent to the one you are using in Wistia.
There are several methods to restrict object access (see https://cloud.google.com/storage/docs/access-control) in GCS, but none of them are based upon where the request came from. The only one that kind of addresses your issue is to use Signed URLs. Basically, a user would go to your site, but instead of giving them the "real" URL of the object they are going to be using, your application retrieves a special URL that is time-limited. You can set the length of time it is valid for.
But if what you are worried about is people copying your video, presumably they could still see the URL someplace and copy the data from there if they did it immediately, so I don't think that really solves your problem.
Sorry I can't be more helpful.

Authenticate users to view files from AWS S3

Good Day Everybody,
I'm fairly new to AWS, and I have a problem right now. I'm not even sure if this is something that is possible with S3. I tried googling it, but couldn't find any proper response (Probably because the keywords I searched doesn't make much sense ;) ).
So my problem is this, I have an node application which uploads user images to S3. I wan't to know how to properly access this images later in the front-end(Some sort of direct link). But at the same time, I should be able to restrict the users who can access the image. For eg: If user xyz uploads an image only that user should be able to see it. Another user say abc tries to open the direct link, it should say access restricited or something similar.
Or if that is not possible, atleast I should be able to put an encrypted timestamp on the get url, so that the image will be accessible through that particular url for only a limited amount of time.
Thanks in advance.
This is the typical use case for S3 Pre-signed URLs.
In S3, you are able to specify some query strings on the URL of your object that include an Access Key, an expiration timestamp and a signature. S3 validates the signature and checks if the request has been made before the expiration timestamp. If that's the case, it will serve the object. Otherwise, it will return an error.
The AWS SDK for JavaScript (Node.js) includes an example on how to generate pre-signed URLs: http://docs.aws.amazon.com/AWSJavaScriptSDK/guide/node-examples.html#Amazon_S3__Getting_a_pre-signed_URL_for_a_getObject_operation__getSignedUrl_

Restrict S3 permissions to just website

I have people uploading video content and I'd like to restrict the video content to ONLY be streamed from my site. Since the video URLs in the video tag are easily accessible through the HTML source, I was to stop people from copying the direct s3 url and putting it in another tab.
I was looking over the docs here: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html#Condition
But it wasn't immediately obvious to me.
Thanks for your help!
You need to make this bucket private and use the signed URL to give access only to your users on your website. Signed URLs have short life (and required policy baked into it) when you generate them. This will prevent misuse even if somebody steals the URLs (or sends you the faked referrer headers etc).
You can create these URLs manually (difficult to manage) or programmatically (some coding work required). In the second case, once your website user contacts your server, then generate and serve the auto-expiring URL. Use this URL then on your website.
Overview of Signed URLs - Amazon CloudFront.