
I want that everyone who I give the link to the file can access it. But no one can find out my links.

Is there a secure way to do this?

arm
  • I am afraid that what you describe is called 'security by obscurity' and I would discourage trusting in 'no one can find my links'. What is the specific business use case you have to solve? – Lech Migdal Jan 04 '18 at 11:36
  • There is nothing obscure about that method. If you have the correct link you can access the file. Google Drive and Dropbox use the same technique. They grant access to files if you have the correct link. – arm Jan 04 '18 at 12:53
  • Agree that you can do it with Google Drive, but this means that you expose your content to the public Internet without any control over who will access it. I agree that those links are hard to guess, but I wouldn't personally call this a 'secure' method of exposing content, and for sure people can find out those links (sniffing on the network, browser history, etc.). – Lech Migdal Jan 04 '18 at 13:04
  • From the S3 side - afaik there is no mechanism to give you this out of the box, but you can easily do the same thing by randomizing filenames when you're uploading them to S3 (see https://stackoverflow.com/questions/3146380/what-are-the-restrictions-on-object-ids-in-amazon-s3 for constraints) – Lech Migdal Jan 04 '18 at 13:04
  • The file name cannot be sniffed assuming you trust TLS. (https://security.stackexchange.com/a/4418) – arm Jan 04 '18 at 13:20
  • So AWS keeps the paths and filename secret in a public directory? You have to know the exact path to access? – arm Jan 04 '18 at 13:20
  • You can control if 'List objects' is enabled or disabled on the S3 level. Thank you for the TLS link, mea culpa, I was incorrect then when it comes to sniffing :) So you can give access to 'Get objects' = give access to a file if the URL is valid, but not to listing all the files in a folder (folks will get Access Denied when they try doing that). – Lech Migdal Jan 04 '18 at 13:25
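The two pieces the comment thread settles on are (a) object keys with enough entropy that they cannot be enumerated and (b) a bucket that allows GetObject by exact key but never ListBucket. The following is an added example, not code from any poster; the bucket name is a constructed placeholder, and the policy check is a deliberately simple one that does not implement full IAM wildcard matching.

```python
import json
import secrets

BUCKET = "example-bucket"  # constructed placeholder, not a real bucket


def unguessable_key(filename: str, entropy_bytes: int = 32) -> str:
    """Prefix the object key with a random, URL-safe token.

    32 bytes = 256 bits from the OS CSPRNG, so the key cannot be guessed or
    enumerated; the original filename survives only as a human-readable suffix.
    """
    return f"{secrets.token_urlsafe(entropy_bytes)}/{filename}"


def get_only_policy(bucket: str) -> dict:
    """Bucket policy granting anonymous s3:GetObject on objects only.

    The Resource is the object ARN (bucket/*), so s3:ListBucket on the bucket
    ARN itself is never granted: a request for the bucket root returns
    AccessDenied, which is the behaviour described in the comment thread.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "GetByExactKeyOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def policy_allows_listing(policy: dict) -> bool:
    """Return True if any Allow statement grants a listing action.

    Simplified check: matches the common spellings only, not arbitrary IAM
    wildcards such as "s3:Li*"; treat a True result as a finding to review.
    """
    listing = {"s3:listbucket", "s3:list*", "s3:*", "*"}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if any(a.lower() in listing for a in actions):
            return True
    return False


if __name__ == "__main__":
    print(unguessable_key("report.pdf"))
    print(json.dumps(get_only_policy(BUCKET), indent=2))
```

With listing denied, the only way to reach an object is to already hold its full URL, which is exactly the property the question asks for; the random prefix is what makes that URL infeasible to guess.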

1 Answer

Suppose you have a bucket in AWS and you want to hide the links from the people who are accessing it; then you can use the CNAME method.

Example CNAME Method

This example uses www.johnsmith.net as the bucket name and homepage.html as the key name. To use this method, you must configure your DNS name as a CNAME alias for bucketname.s3.amazonaws.com.

The URL is as follows:

http://www.johnsmith.net/homepage.html

The example is as follows:

GET /homepage.html HTTP/1.1
Host: www.johnsmith.net

However, there are some restrictions with this method. The bucket name must be DNS-compliant.

The CNAME DNS record should alias your domain name to the appropriate virtual hosted–style host name. For example, if your bucket name and domain name are images.johnsmith.net, the CNAME record should alias to images.johnsmith.net.s3.amazonaws.com.

images.johnsmith.net CNAME images.johnsmith.net.s3.amazonaws.com.

SSL CASE

When using virtual hosted–style buckets with SSL, the SSL wildcard certificate only matches buckets that do not contain periods. To work around this, use HTTP or write your own certificate verification logic.

More can be read here

https://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html

Let me know if it solves your concern.

Himanshu Chauhan