For questions about securing the data stored in Amazon's S3 storage service or Amazon Simple Storage Service, vulnerabilities associated with it, mitigating the risks, etc...
Questions tagged [amazon-s3]
49 questions
10
votes
3 answers
What is the purpose of the expiration time in signed S3 urls?
S3 allows you to authenticate requests for media via a signed URL. This URL can include an expiration time, after which the URL is no longer valid…
John Lucas
- 203
- 1
- 2
- 5
7
votes
1 answer
What is legally required to store HIPAA data in the "cloud"?
I was looking into storing SQL DB backups of a healthcare system in the cloud in the event of a disaster to be HIPAA compliant. The solution I came up with was to use Cloudberry backups. What I would want to do is export the SQL DB on my local…
cutrightjm
- 1,714
- 4
- 18
- 31
7
votes
1 answer
Does Amazon S3 deletion "shred" your object
I believe Amazon states that all deletions of objects are irreversible. But for security reasons, how "shreded" is such deletion? For example, supposing a hack to Amazon S3, could anyone recover your deleted data?
noderman
- 397
- 1
- 4
- 9
6
votes
3 answers
Is it more secure to encrypt separate customers' data with separate keys?
If I am storing multiple customers' data in cloud-based file storage such as an AWS S3 bucket, and I use an encryption service such as AWS KMS to achieve encryption at rest, does it add any extra security for me to store each customer's data in a…
CFL_Jeff
- 193
- 5
6
votes
1 answer
Find Security Flaws in My Payment Page
I've done some extensive research about how to secure your website from card fraud.
iFrames do a pretty good job of this, however, It can still be worked around from certain exploits.
Many payment providers have now moved away from 'Hosted Payment…
Matt The Ninja
- 69
- 3
6
votes
3 answers
Is it OK to pass credentials to the client to allow it to upload files to Amazon S3?
Our mobile app will be uploading images to AWS S3. The question is whether to do one of the following options:
Upload the image to our APIs server, then our APIs server uploads the image to S3
Pros: More secure, as the S3 credentials is only stored…
Samir Sabri
- 163
- 5
5
votes
3 answers
How to make S3 Presigned url single use only?
Issue: I have a presigned url which is valid for 15 minutes. Upload can be initiated any number of times if the presigned url is captured in this time frame.
I want to make an S3 presigned url for upload as secure as possible, so that uploaded file…
Sneha Rathod Solanki
- 51
- 1
- 3
5
votes
1 answer
Preventing millions of requests to Amazon s3 bucket
I developed an open source library and hosted its assets on Amazon S3 (CSS, JS), these files were used in demo via URLs like: http://my_bucket_name.s3.amazonaws.com/some-file.js (my bad, I know). Without my permission some websites started…
Marvin3
- 151
- 4
5
votes
1 answer
Security of setting access to S3 bucket only from a particular website
I read about setting access to S3 bucket only from a particular website in Amazon Docs. And I quote :
Suppose you have a website with domain name (www.example.com or
example.com) with links to photos and videos stored in your S3 bucket,
…
Amit Tomar
- 153
- 1
- 7
4
votes
1 answer
Is it insecure to expose private bucket names through signed URL?
AWS provides signed url to objects in bucket.On backend we can connect with AWS and create such signed urls and send to front-endJust discussing this one use case where we use that signed url to make a put request through javascript, thereby…
Akshay Vijay Jain
- 143
- 6
4
votes
3 answers
AWS S3 and 2-factor (multifactor)
I have a client looking to use AWS S3 buckets for file transfer to other clients. That data may have some sort of protected data in it.
I'd like to set up S3 to use 2-factor or MFA for the login/connection.
I've looked at a bunch of AWS docs,…
MikeP
- 1,159
- 7
- 12
3
votes
0 answers
Storing user's private files on S3 and securing access using signed URLs - good idea?
I will be storing private user's files on S3. The files will be PDFs, possibly containing private financial information.
I'm considering letting users directly access the files on S3, without proxying all the traffic through my app server. How…
ssobczak
- 131
- 1
3
votes
3 answers
AWS S3 resource access control through IAM permissions or bucket policies?
The way we create buckets in our org and ensure sane ACLs around it is by providing an automated tool (that internally uses Terraform) to provision an S3 bucket. So say when a user requests for a new bucket, named testBucket we create a bucket named…
qre0ct
- 1,492
- 3
- 19
- 30
3
votes
0 answers
Does storing user files in S3 ensure that my server is secure from user uploaded malware?
Consider a common scenario where I'm using an Amazon S3 bucket to store the files uploaded by my users and not in my actual server. So, all the files the user uploads, go to the s3 bucket, and doesn't stay on my instance. That means I can allow them…
twodee
- 129
- 1
- 4
2
votes
1 answer
How to handle AWS credentials
Our web application features a lot of media upload. We are making use of AWS S3 buckets for media storage. As per the current implementation, whenever a new file upload API is called, we send the AWS credentials to the front end and front end will…
Anonymous Platypus
- 1,392
- 3
- 18
- 33