Amazon S3 Presigned URL Security (IAM321)

Title: AWS re:Inforce 2024 - Amazon S3 presigned URL security (IAM321)

Insights:

  • Importance of S3 Security: The speaker emphasizes the ubiquity of S3, noting that almost everyone has data in S3, either directly or indirectly.
  • Understanding Presigned URLs: Presigned URLs are an S3-specific feature that works differently from other AWS services. They grant temporary access to S3 objects without requiring AWS credentials from the end user.
  • Authentication Basics: AWS authentication involves using a secret key to sign requests, which AWS then verifies. This process includes checking the signature's validity, the account's status, and the request's timestamp.
  • Presigned URL Mechanics: Presigned URLs use query parameters instead of HTTP headers, making them easily shareable as a string. They also relax the time constraint, allowing for longer validity periods.
  • Use Cases for Presigned URLs:
    • Resource-Constrained Devices: Ideal for IoT devices with limited compute capacity.
    • Generic Clients: Useful for web browsers or command-line tools that don't need AWS SDKs.
    • Non-AWS Users: Allows sharing S3 objects with users who don't have AWS accounts.
    • Granular Access Control: Enables fine-grained, per-object access control without complex policies.
  • Limitations of Presigned URLs:
    • Credential Dependency: Presigned URLs are only valid as long as the credentials used to sign them are valid.
    • Operation Specificity: Each presigned URL is tied to a specific operation and cannot be used for multiple actions.
    • Bearer Token Risks: Presigned URLs act as bearer tokens, meaning anyone with the URL can access the resource, and they are replayable for their entire duration.
    • Revocation Challenges: Revoking a presigned URL requires changing the credentials or permissions of the signer, affecting all URLs created by that principal.
  • Mitigating Risks:
    • Bound the Signer's Permissions: Ensure the signing principal has only the permissions the URLs need.
    • Avoid Logging Signatures: Do not log presigned URLs; a logged URL is a reusable bearer credential for anyone who can read the log.
    • Short Duration: Keep the validity period of presigned URLs short.
    • Use Temporary Sessions: Employ temporary session credentials for signing to limit URL duration.
  • Alternatives to Presigned URLs:
    • Amazon CloudFront: Use presigned cookies for web-facing use cases, allowing access to multiple files.
    • Signed Requests: Proxy or sidecar models for signing requests without creating presigned URLs.
    • S3 Access Grants: Token vending machine pattern that provides credentials on demand, supporting non-AWS identities.
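The query-parameter mechanics from "Presigned URL Mechanics" and the short-duration and temporary-session mitigations under "Mitigating Risks", as an added example that is not code from the talk or from AWS: a dependency-free SigV4 query-string signer next to a defender-side check that reads only a URL's public parameters. Bucket, key, credentials and timestamps are constructed placeholders.

```python
import hashlib, hmac, time, calendar
from urllib.parse import quote, urlsplit, parse_qsl

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get_object(bucket, key, region, access_key, secret_key,
                       expires=300, session_token=None, now=None):
    """SigV4 query-string presigned GET for s3://bucket/key. Credential, date,
    lifetime and signature all travel as query parameters, which is why the
    whole URL is a bearer token. `now` is epoch seconds (default: current time)."""
    now = int(now if now is not None else time.time())
    amz_date = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    datestamp = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{datestamp}/{region}/s3/aws4_request"
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date,
              "X-Amz-Expires": str(expires),  # keep this short: it bounds replay
              "X-Amz-SignedHeaders": "host"}
    if session_token:  # temporary session credentials cap the URL at the session's lifetime
        params["X-Amz-Security-Token"] = session_token
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    uri = quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join(["GET", uri, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret_key).encode(), datestamp)  # derive the signing key
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={signature}"

def inspect_presigned_url(url, max_expires=900, now=None):
    """Defender-side check using only the URL's public parameters: who signed it,
    how long it lives, whether session credentials were used, whether it has
    expired, and whether it breaches a local lifetime policy (max_expires)."""
    q = dict(parse_qsl(urlsplit(url).query))
    issued = calendar.timegm(time.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ"))
    expires = int(q["X-Amz-Expires"])
    now = int(now if now is not None else time.time())
    return {"signer": q["X-Amz-Credential"].split("/")[0],
            "expires": expires,
            "session_credentials": "X-Amz-Security-Token" in q,
            "expired": now >= issued + expires,
            "exceeds_policy": expires > max_expires}
```

The signer field of the check is the access key ID, which is what you would rotate or restrict to revoke every URL that principal has issued.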

Quotes:

  • "Anybody here have data in S3? Raise your hands. Anybody who didn't raise your hands, raise your hand because you do have data in S3."
  • "Presigned URLs are not just signed requests with some timestamp in the future."
  • "The benefit here is that I've temporarily allowed an anonymous user, another human being who does not have an AWS account, to access my data in S3."
  • "Presigned URLs never outlive the credentials used to sign them."
  • "Presigned URLs are bearer tokens. Bearer tokens is a scary phrase in the security world."
  • "Do not be afraid of presigned URLs. You don't need to block them. You don't need to freak out about them."
  • "Access Grants have so much flexibility, and there's more coming soon on Access Grants as a feature."
  • "Your intelligence and your wisdom scores are now plus one, right? So you can go out and face this dungeon with confidence."