S3 Storage Does Not Require Authentication
Applications that host sensitive or partially sensitive data in S3 buckets should require “pre-signed” access tokens on user objects. Failing to do so may expose uploaded objects to unauthorized parties. Because S3 cannot enforce custom application authentication, applications must require “pre-signed” URLs to access objects.
Applications that use unpredictable identifiers such as GUIDs for partially sensitive data (such as profile avatars) should never assume such paths will remain unknown indefinitely.
Below is an example of a pre-signed URL (the Signature Version 2 query-string form documented at the link that follows):
GET /photos/puppy.jpg?AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D HTTP/1.1
https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
Two primary attack scenarios exist when signed URLs are not in use:
1. Users may discover or harvest information of other users by forceful enumeration or by accidental sharing.
2. Users may upload malicious content and exploit the domain trust in an attempt to phish or attack other users with malware.
Recommendation
At minimum, it is recommended that all user content is protected with pre-signed URLs. Pre-signed URLs are pre-generated authentication tokens that allow a GET request to a specific object within an S3 bucket.
Although a stolen token can be reused to access the object, the token is valid by default for only a short period of time: 3600 seconds (1 hour). Virtue Security recommends that this time is reduced to 1800 seconds (30 minutes) or a time that is compliant with organization standards.
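As an added example (not from the original page or from Virtue Security), the following generates a pre-signed GET URL using the newer Signature Version 4 query-string scheme with only the Python standard library, and refuses any expiry above the 1800 seconds recommended above. The bucket, object key, region, secret key and fixed timestamp are constructed placeholders; the access key ID is the one shown in the page's example.

```python
"""Generate an S3 pre-signed GET URL (SigV4 query-string auth) with a capped expiry."""
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timezone

MAX_EXPIRES = 1800  # 30 minutes: the recommended ceiling, enforced here rather than left to callers

def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get(bucket, key, access_key, secret_key, region, expires=MAX_EXPIRES, now=None):
    """Return a pre-signed GET URL valid for `expires` seconds (1..MAX_EXPIRES)."""
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError(f"expiry must be 1..{MAX_EXPIRES} seconds, got {expires}")
    now = now or datetime.now(timezone.utc)
    amz_date, datestamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{datestamp}/{region}/s3/aws4_request"
    # Canonical query: parameters sorted by name, names and values RFC 3986 encoded.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
        for k, v in sorted(params.items()))
    canonical_uri = "/" + urllib.parse.quote(key.lstrip("/"), safe="/")
    # Only the Host header is signed; pre-signed GETs use an unsigned payload.
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: secret -> date -> region -> service -> "aws4_request".
    k = _sign(("AWS4" + secret_key).encode(), datestamp)
    for part in (region, "s3", "aws4_request"):
        k = _sign(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"

# Constructed demo inputs (not real credentials); the fixed time makes the output reproducible.
DEMO_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)

def demo_url(expires=MAX_EXPIRES):
    return presign_get("example-bucket", "photos/puppy.jpg", "AKIAIOSFODNN7EXAMPLE",
                       "EXAMPLE-SECRET-KEY-NOT-REAL", "us-east-1", expires, DEMO_TIME)

if __name__ == "__main__":
    print(demo_url())
```

The resulting URL carries X-Amz-Expires=1800, so S3 rejects the link after 30 minutes even if it leaks, and requesting a longer lifetime fails at generation time.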
References
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html