What security considerations should be taken into account when naming an S3 bucket?
Asked
Active
Viewed 219 times
3 Answers
2
If you embed a bucket name into an application (of any sort), and subsequently you delete that bucket, then someone else might create a bucket with the same name and now effectively have a way to influence your application. Because of this, it's better to deliver bucket names to applications as configuration rather than embedding the name in code.
efitz
- 21
- 2
1
There aren't many security considerations that need to go into naming your S3 bucket -- just make sure it's a useful name.
S3 Bucket names have to be what AWS refers to as "unique within a partition". For anyone that isn't AWS China or AWS GovCloud, that means it has to be globally unique (you can't have the same bucket name as any other S3 bucket in the world). Additional information can be found in the AWS Documentation Bucket Restrictions and Limitations. [1]
I've won't delve into too many details as it's not what you asked, but your security concerns begin right after finding an applicable name. You can read more about this in AWS Documentation Policies and Permissions in Amazon S3 [2], but should include considerations such as Bucket Policies, replication to other regions for DR purposes, and more.
[1] https://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html
[2] https://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-language-overview.html
coderichardson
- 180
- 6
0
For S3 buckets, anyone can query a bucket name (without specifying an account owner) and see if the bucket is misconfigured to allow public access.
Therefore, I would argue that it makes sense to have a more complicated bucket name that includes random numbers or letters in order to add a level of security through obscurity, such as:
converting-user-metrics-3k5jb3.
S3 settings can be complicated and privacy settings can get overriden by some script somewhere that turns the bucket public.
Going to the extreme and using just a mix of letters and numbers as a bucket name, such as:
njkfv983v4yn894tvy4v439xnjf
can quickly become impractical when one has many buckets for different uses and will necessitate looking into a bucket to see what it contains.
However, AWS doesn't seem to think this additional level of obfuscation is necessary. From their documentation:
The following example bucket names are valid and follow the recommended naming guidelines:
awsexamplebucket1
log-delivery-march-2020
my-hosted-content
Remember that depending on the use case of your bucket, an attacker could gleam the name of your bucket anyway, which is why it's so important to ensure that the correct settings are configured for your bucket.
octothorpe_not_hashtag
- 323
- 2
- 7