Presigned URL for private S3 bucket displays AWS access key id and bucket name. Is this a security issue?


"Manage your access keys as securely as you do your user name and password."

Your username isn't typically a secret, and the same thing goes for the AWS Access Key ID.

The sensitive value is the access key secret. Both values are useless without the other, but the model is designed to treat the ID (the value starting with AKIA) as the non-sensitive value of the two. Exposing these in signed URLs is acceptable.

The signature also isn't sensitive, since it is not computationally feasible to reconstruct the secret key from the information embedded in a signed URL... but the signature also does not contain enough information for the service to be able to determine who tried to authorize the request... which is why the Access Key ID is included in the signed URL.

In fact, to be precise, the signature doesn't really contain any information at all. The service, internally, looks up your secret key from the provided access key ID and regenerates the same signed URL using your credentials. If it gets the same answer as provided in the URL's signature, the request is valid, otherwise the request is rejected.
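The lookup-and-recompute check described above, as an added example (not part of the original answer and not AWS's code). It is modelled on SigV4 query-string signing for a GET with only the `host` header signed, and omits expiry checks. The key store, bucket host and object path are constructed, and the credentials are AWS's documentation placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed key store using AWS's documentation placeholder credentials.
KEY_STORE = {"AKIAIOSFODNN7EXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _qs(items):
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in items)

def signature(secret, method, host, path, params):
    """Derive the signature from the request's public fields plus the secret key."""
    scope = params["X-Amz-Credential"].split("/", 1)[1]
    date, region, service, terminator = scope.split("/")
    query = _qs(sorted((k, v) for k, v in params.items() if k != "X-Amz-Signature"))
    canonical = "\n".join([method, path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"], scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, terminator):
        key = _hmac(key, part)
    return _hmac(key, to_sign).hex()

def presign(key_id, secret, host, path, amz_date, region="us-east-1"):
    """Client side: only the key ID and the signature end up in the URL."""
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{key_id}/{amz_date[:8]}/{region}/s3/aws4_request",
              "X-Amz-Date": amz_date, "X-Amz-Expires": "3600",
              "X-Amz-SignedHeaders": "host"}
    params["X-Amz-Signature"] = signature(secret, "GET", host, path, params)
    return f"https://{host}{path}?{_qs(params.items())}"

def verify(url, method="GET"):
    """Service side: look up the secret by key ID, recompute, compare."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    try:
        secret = KEY_STORE[params["X-Amz-Credential"].split("/", 1)[0]]
        expected = signature(secret, method, parts.netloc, parts.path, params)
        return hmac.compare_digest(expected, params["X-Amz-Signature"])
    except (KeyError, ValueError, IndexError, TypeError):
        return False  # unknown key ID or malformed parameters

SAMPLE_URL = presign("AKIAIOSFODNN7EXAMPLE", KEY_STORE["AKIAIOSFODNN7EXAMPLE"],
                     "examplebucket.s3.amazonaws.com", "/report.pdf", "20240101T000000Z")
```

Changing the path, the key ID or any signed parameter makes `verify` return `False`, because the recomputed value no longer matches the one carried in the URL.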