4

AWS provides signed URLs for objects in a bucket.

On the backend we can connect to AWS, create such signed URLs and send them to the front-end.

Just discussing this one use case, where we use that signed URL to make a PUT request through JavaScript, thereby directly uploading a file to the bucket from the webpage:

https://medium.com/@khelif96/uploading-files-from-a-react-app-to-aws-s3-the-right-way-541dd6be689

But the signed URL contains the bucket name, although the bucket is private, i.e. only an authorised person can access it.

But are we still compromising security by letting the general public know the private bucket name through the signed URL?

Is there a possibility that a hacker can devise some means to hack into that private bucket, now that they are aware of the bucket name?

Just putting one more thought: if someone is aware that if such a webpage goes through an audit, they will flag this as a possible threat to security.

1 Answer

7

tl/dr: As long as the bucket is not publicly accessible (i.e. you need access keys to read/write), then don't worry about the name. It isn't private because your employees probably know it and hackers/penetration testers routinely perform brute-force searches for bucket names. Also, asking "What if someone figures out how to hack buckets?" is like asking, "What if the CIA planted malicious firmware in all my computers?" While theoretically possible, it probably isn't your biggest concern.

It depends on what you mean by "private".

Actually Private

If you mean that the bucket has no read/write/access permissions from unauthenticated users, then revealing the bucket name in a signed URL doesn't matter because the bucket name is not sensitive data - the keys are. Trying to hide the bucket name would just be security through obscurity, and in this particular case would add very little security. Feel free to use signed URLs.

Merely Hidden

If you mean that the bucket allows public users to read/write/access it, and the only thing stopping people from doing so is that they don't know the bucket name, then yes, revealing the bucket name is a bad idea. Of course for a bucket that contains private/sensitive data, this is a terrible way to manage your bucket anyway. Hackers and penetration testers regularly find hidden buckets by using brute-force searching. There are tools to make it easier. As a result the only way to keep data in a bucket private is by denying all public access.

Threat Modeling

You also asked if you should hide the bucket name just in case some hacker finds a way to hack buckets knowing only the bucket name. What you need is a threat model. It's important to recognize that like all features in an application, every security measure has an associated cost (development time, possible loss of functionality, future maintenance costs). Every security measure should also have a benefit. As a result there is never really a point where something is "secure" or "not secure". It's merely a matter of deciding when something is "secure enough", and each individual business is ultimately responsible for finding that point for themselves. To get you started, I'll mention the risk you are concerned about and add some more to the list:

  1. What if someone figures out how to hack an Amazon bucket knowing just the bucket name?
  2. Do you store your AWS keys in your code repositories? What if one of your employees uses it to steal the data in your bucket? After all, they already know everything anyway.
  3. What if one of your employees wants to be able to make data available without a signed URL and so decides to just make the whole bucket public, forgetting that it also stores private data?

Personally, item #1 there would be the lowest on my list of concerns. After all, something like 50% of all data breaches start with internal employees (either intentionally or not). If someone did find some way to hack an AWS bucket knowing just the bucket name, it would be a huge deal. It would generate world-wide headlines and Amazon would have people working around the clock until it was fixed.

Besides, you should stop thinking that you can keep a bucket name private. You really can't. Your employees probably all know it and they are as likely to cause leaks as "hackers" anyway. Moreover, performing brute-force searches for buckets is a very common practice in both the hacking and penetration testing world.

Your bucket name isn't private. It never will be. Don't kid yourself into thinking otherwise. Either way, there are an infinite number of possible things to be concerned about, and you don't have time to fix them all. You need a threat modeling process to help you decide what is most important to your business, prioritize the potential risks for those assets, and then address them according to your available resources.

Conor Mancone
  • Extremely thankful for your response. It is the first case, yet I had an argument coming to me that since the bucket name is unique throughout AWS, if we reveal it, hackers might somehow devise some means to hack into it – Akshay Vijay Jain Mar 12 '20 at 08:32
  • 2
    @AkshayVijayJain I added a few more details for you. – Conor Mancone Mar 12 '20 at 13:49