29

I want to offer presigned urls to my s3 buckets with an expiry date. The .net sdk nicely generates these urls, but looking at them makes me worry a little:

https://s3.amazonaws.com/upload_youtipit/myfile?AWSAccessKeyId=**MYACCESSKEY**&Expires=1317924047&response-content-disposition=attachment;filename=feedback.jpg&response-content-type=image/jpeg&Signature=podKJSrNeFel6%2B0aOneb342H5GA%3D

Why does it need to put my (public) AWSAccessKey in the URL? Shouldn't this be kept a bit more confidential? I know it's not the secret, but I still don't feel comfortable exposing it in public.

How likely is it that somebody who has my public key can guess/brute-force my private key?

AyKarsi

4 Answers

37

The Access Key ID is not a secret and does not need protecting.

In fact, you can give expiring URLs to random strangers if you want them to access an S3 object. They can see the access key in that URL, but can't do anything with it that you have not authorized.

reference: http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#AccessKeys

Eric Hammond
  • thanks. Nonetheless I don't feel comfortable sharing it. If somebody has the public part the likelihood he can figure out the private part rises a lot. With the keys he then can access my complete aws environment. Just because I wanted to share some files.. – AyKarsi Oct 07 '11 at 09:08
  • 7
    No, the public Access Key ID gives the attacker no significant advantage in determining the Secret Access Key, unless, I suppose, the attacker already has a list of valid Secret Access Keys and is just wondering which Access Key IDs they go with. – Eric Hammond Oct 07 '11 at 23:12
  • 3
    Spend your effort protecting your secret access key. Hiding your non-secret Access Key ID just reduces the AWS functionality you can use. – Eric Hammond Oct 07 '11 at 23:13
  • 12
    There are enough real security issues to worry about without making up new ones. – Eric Hammond Oct 07 '11 at 23:14
  • Wait but doesn't the access key allow them to, well, *access* other things in S3 that we don't necessarily want to expose? @EricHammond – melanie johnson Aug 01 '18 at 16:36
  • @melaniejohnson No, the access key id does not give access to anything. It is an id that is shown in public places. The secret access key, however, should be kept a secret, as it does grant access. – Eric Hammond Nov 08 '18 at 04:54
  • I'm getting an xml tree for a null S3 resource, error: nosuchkey, (lowly) concerned about HostId output too. Any thoughts? – Mr-Programs Jan 28 '19 at 15:44
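
An added example, not part of the original posts: a sketch of the legacy query-string signing scheme that the URL in the question uses (`AWSAccessKeyId`, `Expires`, `Signature`), showing that the access key ID only identifies which secret the verifier looks up, while the signature binds the object path and expiry to the secret. The credentials, the `now` value and the function names are constructed for illustration; response-header overrides such as `response-content-type` are left out of the signed string to keep the case small.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials, not real keys.
ACCESS_KEY_ID = "AKIAEXAMPLEACCESSKEY"
SECRET_KEY = "constructed-secret-not-a-real-key"


def sign_v2(secret_key, resource, expires, verb="GET"):
    """Base64(HMAC-SHA1(secret, StringToSign)) for query-string auth."""
    # Fields: verb, Content-MD5 (empty), Content-Type (empty), Expires, resource.
    string_to_sign = f"{verb}\n\n\n{expires}\n{resource}"
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def presign(access_key_id, secret_key, bucket, key, expires):
    """Build a path-style presigned URL; only the key ID appears in it."""
    resource = f"/{bucket}/{quote(key)}"
    sig = sign_v2(secret_key, resource, expires)
    return (f"https://s3.amazonaws.com{resource}"
            f"?AWSAccessKeyId={access_key_id}&Expires={expires}"
            f"&Signature={quote(sig, safe='')}")


def server_accepts(secret_on_file, resource, expires, signature, now):
    """Verifier side: recompute with the stored secret, compare, check expiry."""
    expected = sign_v2(secret_on_file, resource, expires)
    return hmac.compare_digest(expected, signature) and now <= expires


if __name__ == "__main__":
    res, exp, now = "/upload_youtipit/myfile", 1317924047, 1317920000
    sig = sign_v2(SECRET_KEY, res, exp)
    print(presign(ACCESS_KEY_ID, SECRET_KEY, "upload_youtipit", "myfile", exp))
    print("original URL:       ", server_accepts(SECRET_KEY, res, exp, sig, now))
    # Changing Expires or the object without the secret breaks the signature.
    print("extended expiry:    ", server_accepts(SECRET_KEY, res, exp + 3600, sig, now))
    print("different object:   ", server_accepts(SECRET_KEY, "/upload_youtipit/other", exp, sig, now))
    # Signing with the public key ID in place of the secret does not verify.
    forged = sign_v2(ACCESS_KEY_ID, res, exp)
    print("signed with key ID: ", server_accepts(SECRET_KEY, res, exp, forged, now))
```
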
12

I kind of agree with the accepted answer, but there is an easy way to do what you want.

You need to use Amazon IAM to create a user that can only read files (it does not really matter, but they at least need read only to the bucket that you are dealing with). Then use THAT user's AWS ID and secret to generate a download link.

This does not open up your whole bucket, as to see the whole bucket the person needs the AWSID of this IAM 'reader' user, plus their secret key. You still need to construct time limited URLs.

You can use the IAM console to create a user like that in a few mins. You only get one chance to get the secret key - at the time you make the user (or if you rotate his keys).

That should do it. This AWSID has no access to anything, and is not linked to you.

In general Amazon now recommends that your primary AWSID is not used 'for anything'. You create users with permissions in IAM, then use those codes. This allows for a lot of security flexibility. You can turn off your read only user with a simple action in the IAM console.

Freedom_Ben
Tom Andersen
2

your private key is a one-way computation of some unknown parameters, it may not even use the public key itself as part of the algorithm. knowing your AWSAccessKeyId should have no effect on the complexity of brute-forcing your private key whatsoever.

https ensures the only thing someone can tell about your connection (if they are sniffing network traffic) is that it's between your IP and the IP of s3.amazonaws.com on port 443. even the fact that you're connecting to amazon would have to be deduced from known ip-address ranges assigned to them (which is probably well-known anyhow)

the only way to get at your AWSAccessKeyId in the address bar is to physically see it on your screen, installing some key-logger or trojan on your computer or MIM (man in the middle-ing) amazon's SSL certificate, which is extremely hard even if someone has access to the needed upstream network nodes.

leon

leeoniya
  • isn't the full url, including parameters, visible when sniffing? When I use Fiddler, which is my understanding of a sniffing tool, I see the full url.. – AyKarsi Oct 06 '11 at 18:55
  • i'm not sure if you're using fiddler's HTTPS decrypting functions (http://www.fiddler2.com/fiddler/help/httpsdecryption.asp) which do the MIM i described locally (and require you to ignore cert warnings). this will not be possible outside of your own machine. i just tested fiddler with FF and searching https://encrypted.google.com, nothing comes up. only Protocol HTTP is shown when it is used. – leeoniya Oct 06 '11 at 19:56
0

You can use AWS Security Token Service (AWS STS) if you are concerned about more security.

Temporary security credentials work almost identically to the long-term access key credentials that your IAM users can use, with the following differences:

  1. Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them.

  2. Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.

Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html

Yasiru G