Questions tagged [amazon-s3]

For questions about securing the data stored in Amazon's S3 storage service or Amazon Simple Storage Service, vulnerabilities associated with it, mitigating the risks, etc...

49 questions
2 votes, 2 answers

S3 Bucket Name Obscurity as Security

Edited to clarify: *The bucket is used by EC2 instances that process its data and display parts of it to the user. The EC2-S3 interaction is invisible to the user.* Can I assume that a public S3 bucket will not be discovered if it has a very long…
2 votes, 1 answer

What attack vectors does AWS SSE-S3 help mitigate?

Reading into the various SSE options on S3, I can't understand the following: What exactly does the SSE-S3 (fully-managed, transparent at-rest encryption) protect you against? I can only think of a physical attack vector, where someone physically…
2 votes, 1 answer

Security of assets/media on s3

I got my application written in Flask (Python 3.6) and running on EB. I need to implement content editor which will allow to upload files on server and I would like to store them on s3. Most of uploaded files will be available on after login in my…
Blejwi
2 votes, 2 answers

File encryption design

I'm building an app and a server. The server is a node.js API with a Postgres backend. Images created in the app will be stored at Amazon S3. Metadata about the files will be stored in Postgres. I have zoomed in at two possible solutions for…
Michael
1 vote, 2 answers

How to manage Encryption Key for Server Side Encryption in AWS S3

I need to encrypt personal data like email, phone number, etc. I am using AWS KMS for managing the encryption keys. The system that is already implemented is as follows: All the existing data is encrypted using a worker which first…
1 vote, 1 answer

Does adding a randomized string in S3 file path has equal security to Google Drive shared link

I would like to use an AWS S3 bucket to store my IoT firmware file and allows all of my IoT devices to access it to update the firmware to the latest version. I want that the firmware file in the S3 bucket is secret to only me and my devices. But I…
1 vote, 0 answers

Is using randomized filenames a good way to secure data stored in a product like S3?

If I want to use a S3 clone to host something somewhat sensitive (probably digitalocean, since it's cheapest and probably has a perfectly good quality), is it sensible to do it this…
john01dav
1 vote, 1 answer

Is the Amazon S3 Pre-Signed URL protected from brute force attack?

I want to know whether an Amazon S3 Pre-Signed URL is protected from brute force attack. For example, if I am the only person who knows the Pre-signed URL, is it extremely unlikely that somebody uses a brute force attack and gains access to the bucket?
1 vote, 1 answer

Encrypting file stores in s3

I am developing a system for storage of medical records. A person could upload image(s) or file(s). Since it is a medical record, it needs to be stored in encrypted form. Also I want that the files or images could only be seen by authorised user.…
1 vote, 1 answer

Amazon S3 policies: CORS or Service Accounts?

I have a question about accessing buckets on AWS S3. Let's suppose we have a bucket that has to have public read access by everyone and only my API has to be able to PUT and DELETE items from bucket. To restrict the access, take a look at these two…
Vivi
1 vote, 2 answers

Serverless Apps Authenticate Users After Page Load - Flaw?

Server-based apps check for a session cookie before returning any content to the user. If an authentication cookie isn't sent from the user's browser, the only content delivered to the user is a redirect/error message. I'm new to server-less apps. …
1 vote, 1 answer

Risk of man in the middle attack on AWS S3 due to wildcard SSL certs

I see that using AWS S3 with https, it comes with a wildcard SSL cert. Does that mean man-in-the-middle attack is possible by DNS/network rogue and redirect users into another S3 link (having the same wildcard)? Assuming that no one can acquire…
1 vote, 0 answers

What are the security implications of storing user-uploaded files on a third-party server versus your own managed webserver?

I'm working on a web platform which will contain some rather sensitive personal information, and obviously this raises the problem of how secure this data will be. Users can upload some files, and I was wondering what the best way was to store them…
Buno
1 vote, 1 answer

Is it secure to have public access to the file on S3 with `secret` url?

For example https://s3-eu-west-2.amazonaws.com/mybucket/620f5cb4132cf1b4619503ece569599e This is a private file, I send to the web-browser through https link to that private file - but this file is publicly accessible by this link. Should I add…
1 vote, 1 answer

Do AWS and GAE use DMZ?

The system I am working on primarily uses Google App Engine for my main web app and Amazon Cloudfront/S3 for hosting static data. Now as an audit exercise this question is out to me: Are the internet facing components of the service hosted in a…
Anthony Kong