
The AWS docs page has the following instructions to upload files to an AWS bucket from the browser: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html

This solution sends to the browser a policy and a signature made with the secret key, which is validated on POST. It also exposes the AWS Key ID (but not the AWS Secret Key). Isn't it a bad practice? Although the secret key is not exposed, exposing the AWS Key ID sounds bad to me, because an attacker can use brute force to guess the key (having the policy and the signature).

Vivi
  • Have you looked at the S3 pre-signed URL functionality? It removes the need to expose your AWS key. – jwh20 Oct 21 '19 at 22:14
  • Yes, I've seen it. But pre-signed URLs also expose the AWS Key ID in the URL query parameters. – Vivi Oct 22 '19 at 13:00

0 Answers
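The flow the question describes, as an added example that is not part of the question or of the AWS documentation: the server builds a POST policy, signs it with a SigV4-style derived key, and hands the browser only the form fields (which include the access key ID inside `x-amz-credential`); the secret key never leaves the server, and S3's check on POST is a recomputation of the same HMAC. The credentials, bucket, region and function names below are constructed for illustration. `verify_policy_signature` and `policy_allows` model what the service does on receipt, to show what the policy and the signature actually protect.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed values for illustration only; these are not real AWS credentials.
ACCESS_KEY_ID = "AKIAEXAMPLEKEYID0000"
SECRET_ACCESS_KEY = "exampleSecretKeyNotReal/0123456789abcdefghij"
REGION = "us-east-1"
BUCKET = "example-upload-bucket"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation: the raw secret is wrapped, then narrowed to date/region/service."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_policy(policy_b64: str, secret: str, date_stamp: str, region: str) -> str:
    """The string to sign is the Base64-encoded policy document itself."""
    key = signing_key(secret, date_stamp, region)
    return hmac.new(key, policy_b64.encode("ascii"), hashlib.sha256).hexdigest()


def build_post_policy(key_prefix: str, content_type: str, max_bytes: int, now: datetime) -> dict:
    """Server side: produce the form fields the browser will POST. Only the key ID is exposed."""
    date_stamp = now.strftime("%Y%m%d")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    credential = f"{ACCESS_KEY_ID}/{date_stamp}/{REGION}/s3/aws4_request"
    expiration = (now + timedelta(minutes=15)).strftime("%Y-%m-%dT%H:%M:%SZ")
    policy = {
        "expiration": expiration,
        "conditions": [
            {"bucket": BUCKET},
            ["starts-with", "$key", key_prefix],
            {"Content-Type": content_type},
            ["content-length-range", 0, max_bytes],
            {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
            {"x-amz-credential": credential},
            {"x-amz-date": amz_date},
        ],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode("utf-8")).decode("ascii")
    return {
        "Content-Type": content_type,
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": credential,
        "x-amz-date": amz_date,
        "policy": policy_b64,
        "x-amz-signature": sign_policy(policy_b64, SECRET_ACCESS_KEY, date_stamp, REGION),
    }


def verify_policy_signature(fields: dict, secret: str) -> bool:
    """Service side: look up the secret for the key ID in x-amz-credential and recompute."""
    _key_id, date_stamp, region, _service, _term = fields["x-amz-credential"].split("/")
    expected = sign_policy(fields["policy"], secret, date_stamp, region)
    return hmac.compare_digest(expected, fields["x-amz-signature"])


def policy_allows(fields: dict, upload_fields: dict, size: int) -> bool:
    """Service side: every condition in the signed policy must hold for the submitted form."""
    policy = json.loads(base64.b64decode(fields["policy"]))
    for cond in policy["conditions"]:
        if isinstance(cond, dict):
            (name, value), = cond.items()
            if name == "bucket":
                continue  # the bucket is the POST target, matched against the request URL
            if upload_fields.get(name) != value:
                return False
        elif cond[0] == "starts-with":
            field = cond[1].lstrip("$")
            if not upload_fields.get(field, "").startswith(cond[2]):
                return False
        elif cond[0] == "content-length-range":
            if not cond[1] <= size <= cond[2]:
                return False
    return True


if __name__ == "__main__":
    now = datetime(2019, 10, 21, 22, 0, 0, tzinfo=timezone.utc)
    fields = build_post_policy("uploads/user-1/", "image/png", 5_000_000, now)
    print(json.dumps(fields, indent=2))
```

The form the browser receives carries the key ID because the service needs it to select which secret to verify against; it is an identifier by design, and the only value that could produce a valid signature for a different policy is the secret, which stays on the server. What the signed policy does bound is the damage from a leaked form: the key prefix, the content type, the size range and the expiration are all fixed by the signature, so the browser can upload only what the server permitted.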