How to securely access a file in the application using s3 bucket URL

Question

In my application we have to open some pdf files in a new tab on click of an icon using the direct s3 bucket url like this:

http://MyBucket.s3.amazonaws.com/Certificates/1.pdf?AWSAccessKeyId=XXXXXXXXXXXXX&Expires=1522947975&Signature=XXXXXXXXXXXXXXXXX

Some how i feel this is not secure as the user could see the bucket name, AWSAccessKeyId,Expiration and Signature. Is this still considered secure ? Or is there a better way to handle this ?

Answer 1

Allowing the user to see these parameters is not a problem because;

1. AWSAccessKeyId can be public (do not confuse with SecretAccessKey)
2. Expires and signature is signed with your SecretAccessKey so no one will be able to manipulate it (aws will validate it against you SecretKey)
3. Since you don't have public objects and your bucket itself is not public, then it is ok to the user knowing your bucket name - you will always need a valid signature to access the objects.

But I have two suggestions for you; 1. Use your own domain, so the bucket is not visible (you can use free SSL provided by AWS if you use CloudFornt), 2. Use HTTPS instead of plain HTTP.

And if for any reason you absolutely dont want your users to see AWS parameters, then I suggest that you proxy the access to S3 via your own API. (though I consider it unnecessary)

Answer 2

I see you access with http (with no SSL). You can do virtual hosting with S3 for multiple domains.

https://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html

and create signed url based on your domain and you are good to go.

If you are using SSL, you can use Cloudfront

and configure cloudfront origin to point to your S3 bucket.

Hope it helps.