@duponin depends upon what level of privacy you are aiming for
@mur2501 this is mainly a private application, URL with link to S3 would not be publicly available
the only thing that goes to me is an enumeration bruteforce if the bucket URL leaks
the policy I used:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::BUCKET/*"
    }
  ]
}
@duponin Maybe bruteforce yourself and see how much of a threat it is https://github.com/craighays/bucketkicker otherwise you can just keep the bucket private
I noticed s3cmd can sign a string, so maybe I can generate a temporary token that the client would use and regenerate
it would keep the bucket private with time-limited access