Reputation: 1945
I'm storing user images on S3 which are readable by default.
I need to access the images directly from the web as well.
However, I'd like to prevent hackers from brute forcing the URL and downloading my images.
For example, my S3 image URL is at http://s3.aws.com/test.png
Can they brute force "test" and download all the contents?
I cannot set the items inside my buckets to be private because I need to access them directly from the web.
Any idea how to prevent it?
Upvotes: 1
Views: 2010
Reputation: 270224
Using good security does not impact your ability to "access directly from the web". All content in Amazon S3 can be accessed from the web if appropriate permissions are used.
By default, all content in Amazon S3 is private.
Permissions to access content can then be assigned in several ways:
The most interesting is the Pre-Signed URL. This is a calculated URL that permits access to an Amazon S3 object for a limited period of time. Applications can generate a Pre-signed URL and include the link in a web page (e.g. as part of an <img> tag). That way, your application determines whether a user is permitted to access an object and can limit the time duration that the link will work.
Upvotes: 4
Reputation: 11931
You should keep your content secure, and use Pre-signed URLs to allow access only for authorized visitors to your web site. You do have to write some code to make it work, but it's secure.
Upvotes: 1