Our web application features a lot of media upload. We are making use of AWS S3 buckets for media storage. As per the current implementation, whenever a new file upload API is called, we send the AWS credentials to the front end and the front end will use these credentials to initiate the file upload.

But a recent security audit reported that it is a bad approach since the AWS credentials can be captured by anyone from the front end and the buckets are readable/writable.

I understand that I can store the AWS credentials at the backend only. Then the server can first receive the file when the user uploads it, and the server can then upload it to S3 using these credentials. But as I mentioned earlier, we use a lot of media upload and this process makes it an additional overhead.

What could be other possible ways to resolve the security threat? Can access restricting S3 buckets to only our domain solve the issue?

Anonymous Platypus

1 Answer


There are at least two ways to achieve this:

In either case you need to make sure to only grant the access you want. Some possible pitfalls:

  • allowing a user to read a file they do not own
  • allowing a user to (over)write a file they do not own
  • allowing a user to perform other actions they shouldn't do (listing directories, acls, etc)
  • allowing malicious files to be uploaded (eg HTML for XSS)

There is a lot of room for error, so make sure to have the security team look at the final implementation.

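One way to implement the approach the answer sketches, as an added example that is not part of the original question or answer: the backend keeps the AWS secret, authorises one PUT of one object under a key prefix that belongs to the authenticated caller, pins the Content-Type into the signature so HTML cannot be uploaded under an image name, and hands the browser a short-lived SigV4 presigned URL instead of credentials. The bucket, region, access key and secret below are made-up placeholders, and the code uses only the Python standard library so it runs offline; a real deployment would also scope the signing IAM principal to `s3:PutObject` on that prefix, so the URL cannot be turned into a list or ACL call.

```python
"""Added example (not from the original post): issue a presigned S3 PUT URL
from the backend so the browser never sees AWS credentials."""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import quote

# Hypothetical configuration - constructed placeholders, replace with real values.
BUCKET = "example-media-bucket"
REGION = "eu-west-1"
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE"
SECRET_ACCESS_KEY = "exampleSecretKeyDoNotUse"
URL_TTL_SECONDS = 300

# Content types the client may declare. HTML, SVG and JS are deliberately
# absent: a browser would render or execute them if the object were served.
ALLOWED_CONTENT_TYPES = {"image/jpeg", "image/png", "image/webp", "video/mp4"}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def authorise_object_key(user_id: str, requested_key: str) -> str:
    """Accept the key only if it lies inside the caller's own prefix.

    The prefix comes from the authenticated session, not from the request,
    so a user cannot read or overwrite another user's objects by editing
    the key the browser sends.
    """
    prefix = f"uploads/{user_id}/"
    if not requested_key.startswith(prefix):
        raise PermissionError("key outside caller's prefix")
    name = requested_key[len(prefix):]
    if not name or "/" in name or name in (".", "..") or "\x00" in name:
        raise ValueError("invalid object name")
    return requested_key


def presign_put(key: str, content_type: str, now: datetime) -> str:
    """Build a SigV4 query-string-authenticated PUT URL for a single object.

    Content-Type is one of the signed headers, so the browser must send
    exactly the type the backend approved; changing it breaks the signature.
    """
    if content_type not in ALLOWED_CONTENT_TYPES:
        raise ValueError(f"content type not allowed: {content_type}")
    host = f"{BUCKET}.s3.{REGION}.amazonaws.com"
    date = now.strftime("%Y%m%d")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{date}/{REGION}/s3/aws4_request"
    canonical_uri = "/" + quote(key, safe="/")

    # SigV4 requires query parameters sorted by name and URL-encoded.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY_ID}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(URL_TTL_SECONDS),
        "X-Amz-SignedHeaders": "content-type;host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items())
    )
    canonical_request = "\n".join([
        "PUT",
        canonical_uri,
        canonical_query,
        f"content-type:{content_type}\nhost:{host}\n",
        "content-type;host",
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    k_date = _hmac(("AWS4" + SECRET_ACCESS_KEY).encode(), date)
    k_signing = _hmac(_hmac(_hmac(k_date, REGION), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def issue_upload_url(user_id: str, requested_key: str, content_type: str,
                     now: Optional[datetime] = None) -> str:
    """What the upload API returns to the browser instead of AWS credentials."""
    key = authorise_object_key(user_id, requested_key)
    return presign_put(key, content_type, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    print(issue_upload_url("u42", "uploads/u42/photo.jpg", "image/jpeg"))
```

The browser then does a plain `PUT` to the returned URL with the same `Content-Type` header; the URL is only valid for that one key, that one method and that one content type, and expires after five minutes. Restricting the bucket to "our domain" via CORS or referer checks does not achieve any of this, because both are set by the client.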