0

I own an ecommerce platform that sells large (500 megabyte+) ebooks. To reduce server costs I am looking at hosting the ebooks on S3 and using Sendowl/ FetchApp to create the links to the downloads.

My understanding is that "customer buys ebook" -> "customer receives signed url (i.e. example.com/ksljfasdkfj)" -> signed URL goes to actual s3 file (i.e. amazon.bucket/file1.pdf)"

Assuming that the middleman I use to sign the domain works correctly, and my bucket file has the correct security settings, is this secure? What is keeping someone from just brute-forcing the file system to find other files or use the link after it expires? My nightmare would be a security hole wherein someone could access all the documents.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Ryan
  • 1
  • 1
    Ultimately, your question isn't about Amazon at all or signing, but about your obscure URL scheme. – schroeder Dec 02 '19 at 23:09
  • Potential duplicates: https://security.stackexchange.com/questions/91837/use-of-obscure-url-for-security – schroeder Dec 02 '19 at 23:10
  • Your concern is about all the *other* stuff besides a brute-forceable URL. And you do not provide any details on how you keep the buckets secure or how you invalidate links once used, so we can't comment on that. – schroeder Dec 02 '19 at 23:12

0 Answers0