1

I want to know whether an Amazon S3 pre-signed URL is protected from brute-force attacks.

For example, if I am the only person who knows the pre-signed URL, is it extremely unlikely that somebody could use a brute-force attack to gain access to the bucket?

fgrieu

1 Answer

1

Yes. You should use AWS S3 SigV4 (various libraries support it; for example, this version is required to use an S3 bucket in the Frankfurt region, while buckets in US Virginia might be accessible with older code using older versions of the protocol).

The signature is produced using HMAC-SHA256. Guessing a correct signature without knowing your secret access key is very hard (2 raised to the power of 128 hard). Bitcoin miners are doing a related task, and the entire bitcoin network achieves about 2^67 per second, or 2^82 per year. So 2^128 would be quite hard to achieve for your hypothetical attacker. They would get access by phishing someone who has access, not by brute force.

Z.T.
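
Added example, not part of the answer above and not AWS's own code: the SigV4 query-string signature for a GET pre-signed URL computed with HMAC-SHA256, plus the constant-time recomputation a verifier performs, so a presented signature is accepted only if all 256 bits match. The credentials, bucket host, object path and the `verify` helper are constructed for illustration, and the code assumes only the `host` header is signed and no session token is used.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_presign_signature(secret, access_key, region, host, path, amz_date, expires):
    """Return the hex X-Amz-Signature for a GET pre-signed S3 URL."""
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: URI-encoded names and values, sorted by name.
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", quote(path, safe="/"), query,
                           f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Signing key: HMAC chain over date, region, service and a fixed terminator.
    key = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def verify(presented_sig: str, **request) -> bool:
    """Hypothetical verifier: recompute the signature, compare in constant time."""
    expected = sigv4_presign_signature(**request)
    return hmac.compare_digest(expected, presented_sig)

# Constructed sample values (not real credentials or a real bucket).
SAMPLE = dict(secret="constructed-secret-key-for-demo",
              access_key="AKIDEXAMPLECONSTRUCTED",
              region="eu-central-1",
              host="example-bucket.s3.eu-central-1.amazonaws.com",
              path="/report.pdf", amz_date="20240101T000000Z", expires=3600)

if __name__ == "__main__":
    sig = sigv4_presign_signature(**SAMPLE)
    print("signature:", sig, f"({len(sig) * 4} bits)")
    print("valid signature accepted:", verify(sig, **SAMPLE))
    print("guessed signature accepted:", verify("0" * 64, **SAMPLE))
```

Because the expiry, path and host are all inputs to the HMAC, changing any of them in the URL invalidates the signature as well.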