While AWS S3 doesn't offer a built-in solution exactly like Firebase Storage for anonymous URLs, there are several approaches you can consider to achieve similar privacy and security goals for your application:
- CloudFront Distribution: You can set up an Amazon CloudFront distribution in front of your S3 bucket. This allows you to serve content from a generic CloudFront domain (e.g., d1234abcd.cloudfront.net) instead of the S3-specific URL. You can configure Origin Access Control (OAC) to ensure that the S3 bucket can only be accessed through CloudFront.
- Custom Domain: If you want even more control over the URL, you can use a custom domain with CloudFront. This allows you to serve content from a domain of your choice, completely masking the AWS infrastructure behind it.
- API Gateway: For more complex scenarios or when you need additional processing, you can use Amazon API Gateway as a proxy to your S3 bucket. This allows you to create custom endpoints that don't reveal the underlying S3 bucket name. You can then use Lambda functions to handle the S3 operations if needed.
- Presigned URLs: While not exactly "anonymous," you can generate presigned URLs for S3 objects. These URLs are temporary and don't reveal the bucket name in the domain portion of the URL. However, they do include it as part of the path.
- VPC Interface Endpoints: If your application is running within AWS, you can use VPC interface endpoints for S3. This allows you to access S3 using private IP addresses, which can help in scenarios where you want to avoid public DNS queries for the bucket name.

For API Gateway specifically, you already have more control over the URL structure. You can set up custom domain names for your API Gateway endpoints, effectively masking the AWS-specific portions of the URL.

It's important to note that while these methods can help obscure the AWS-specific information in URLs, they don't provide complete anonymity. Network monitoring could still potentially correlate requests based on other factors. For the highest level of privacy, you may need to combine these techniques with additional security measures like encryption and proper access controls.

Pretty good answer for AI actually, but as noted at the end, none of the proposed solutions solve the problem of all clients hitting the same app-specific domain for one reason or another.
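The CloudFront option in the answer above only hides the bucket if the bucket policy really admits nothing but the distribution's Origin Access Control. The following check is an added example, not code from the answer or from AWS: it audits a bucket policy document for Allow statements that are not restricted to the CloudFront service principal and bound to one distribution by `AWS:SourceArn`. The function names are hypothetical, and the account ID, distribution ID and bucket name are constructed placeholders.

```python
import json

CLOUDFRONT = "cloudfront.amazonaws.com"
# Constructed placeholders: account ID, distribution ID and bucket name.
DIST_ARN = "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDISTID"
OAC_STATEMENT = {
    "Sid": "AllowCloudFrontOAC", "Effect": "Allow",
    "Principal": {"Service": CLOUDFRONT},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"AWS:SourceArn": DIST_ARN}},
}
PUBLIC_STATEMENT = {
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
}

def make_policy(*statements):
    return json.dumps({"Version": "2012-10-17", "Statement": list(statements)})

def as_list(value):
    return value if isinstance(value, list) else [value]

def source_arns(statement):
    """Collect AWS:SourceArn values from exact-match condition operators."""
    arns = []
    for operator in ("StringEquals", "ArnEquals"):
        for key, value in statement.get("Condition", {}).get(operator, {}).items():
            if key.lower() == "aws:sourcearn":  # condition keys are case-insensitive
                arns.extend(as_list(value))
    return arns

def audit_bucket_policy(policy_json, distribution_arn):
    """Return one finding per Allow statement not limited to the distribution."""
    findings = []
    statements = as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        principal = stmt.get("Principal")
        if principal != {"Service": CLOUDFRONT} and principal != {"Service": [CLOUDFRONT]}:
            findings.append(f"{sid}: principal is not limited to {CLOUDFRONT}")
        elif source_arns(stmt) != [distribution_arn]:
            findings.append(f"{sid}: not bound to the distribution by AWS:SourceArn")
    return findings

if __name__ == "__main__":
    for finding in audit_bucket_policy(make_policy(OAC_STATEMENT, PUBLIC_STATEMENT), DIST_ARN):
        print(finding)
```

An empty result means every Allow statement goes through the named distribution; the check does not evaluate bucket ACLs or Block Public Access settings.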