Why does AWS recommend against public S3 buckets?

Solution 1

Yes, if you know what you're doing (edit: and everyone else with access to it does, too...), you can ignore this warning.

It exists because even large organizations who should know better have accidentally placed private data into public buckets. Amazon will also send you heads-up emails if you leave buckets public in addition to the in-console warnings.

Accenture, Verizon, Viacom, Illinois voter information and military information have all been found inadvertently left open to everyone online due to IT bods misconfiguring their S3 silos.

If you are absolutely, 100% certain that everything in the bucket should be public and that no one's going to accidentally put private data in it - a static HTML site's a good example - then by all means, leave it public.

Solution 2

The privacy issue featured in ceejayoz's answer is not the only problem.
Reading objects from an S3 bucket has a price. You will be billed by AWS for each download from this bucket. And if you have a lot of traffic (or if someone who wants to hurt your business starts to heavily download files all day long) it will quickly become expensive.

If you want files from your bucket to be publicly accessible, you should create a CloudFront Distribution that points to and is granted access to the S3 bucket.

Now, you can use the CloudFront Distribution's domain name to serve your files without granting any S3 access to the public.
In this configuration, you pay for CloudFront's data usage instead of S3's. And at higher volumes it's a lot cheaper.
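The two bucket-policy shapes discussed above, with a small check that tells them apart (an added example, not code from either answer). It assumes the distribution reads the bucket through CloudFront origin access control; the bucket name, account ID and distribution ID are placeholders, and the "public" rule is a simplification of AWS's own evaluation.

```python
# Constructed sample policies: bucket name, account ID and distribution ID are placeholders.
PUBLIC_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}
CLOUDFRONT_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontRead",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard(principal):
    # "*" and {"AWS": "*"} both mean "anyone, authenticated or not".
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def public_statements(policy):
    """Flag Allow statements with a wildcard principal (simplified rule, an
    assumption of this example): no Condition = "public", else "review-condition"."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") == "Allow" and _wildcard(stmt.get("Principal")):
            verdict = "review-condition" if stmt.get("Condition") else "public"
            findings.append((stmt.get("Sid", f"statement-{i}"), verdict,
                             _as_list(stmt.get("Action", []))))
    return findings

if __name__ == "__main__":
    for name, doc in (("public-read", PUBLIC_READ), ("cloudfront-only", CLOUDFRONT_ONLY)):
        print(name, public_statements(doc) or "no public statements")
```

A statement reported as `review-condition` still needs a human to judge whether its condition actually narrows access.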

Updated on September 18, 2022

Comments

  • Admin
    Admin almost 2 years

    "We highly recommend that you never grant any kind of public access to your S3 bucket."

    I have set a very granular public policy (s3:GetObject) for one bucket that I use to host a website. Route53 explicitly supports aliasing a bucket for this purpose. Is this warning just redundant, or am I doing something wrong?

    • Admin
      Admin over 6 years
      @MichaelHampton It will show this in the S3 console, without much additional context. businessinsights.bitdefender.com/…
    • Admin
      Admin over 6 years
      Related - can AWS see into a private bucket or does it have to be public for AWS to access files inside?
    • Admin
      Admin over 6 years
      @Criggie AWS being their support team? Or something else?
    • Admin
      Admin over 6 years
      @ceejayoz yes the AWS support team.
    • Admin
      Admin over 6 years
      I'd imagine at a certain level of support they might poke around inside, although S3 supports encryption with a non-Amazon key. Their processes should ensure it's not done without explicit permission, I'd think.
  • Shadur
    Shadur over 6 years
    In practice, you're virtually never 100% certain, so best practice is to don't.
  • Reactgular
    Reactgular over 6 years
    It was just a few months ago where either the FBI or CIA left private data that was supposed to be secure on a public S3. I'll see if I can find a link to the news article.
  • Reactgular
    Reactgular over 6 years
    See here: gizmodo.com/…
  • chrylis -cautiouslyoptimistic-
    chrylis -cautiouslyoptimistic- over 6 years
    CloudFlare also works, and is likely to be cheaper still.
  • bad_keypoints
    bad_keypoints over 5 years
    Good sire, can you guide me how to specifically allow only my website and Android app to be able to access my bucket's objects? Basically I don't want people scraping my bucket contents. But my website and app should be able to load them.
  • machineghost
    machineghost almost 4 years
    @bad_keypoints what you describe is (basically) impossible in S3. There is no way your website can tell the difference between someone scraping and a regular visitor. Technically you could write server-side logic to look at how much your user is consuming, and stop them at a certain point ... but such logic would be a PITA, and you'd have to use a real host (e.g. EC2 instead of S3) if you wanted to. In short, if you want to worry about scrapers you need a far more advanced back-end (and it won't be a 100% solution)... or you can just not worry.
  • Bruno Reis
    Bruno Reis over 3 years
    "you pay for Cloudfront's data usage instead of S3's. And at higher volumes it's a lot cheaper." -- HUGE caveat here is that the request pricing on CloudFront is considerably more expensive than S3's, so the attacker could just send ton of requests (and even cancel them, to not have to actually receive the data and not need a lot of bandwidth themselves).