Can an S3 presigned URL's credentials be used to access other resources?

0

I need to generate an S3 presigned URL from a Lambda function so that the requester can download an S3 object. This Lambda function's role has permissions to do various things in order to accomplish its function.

If I generate the presigned URL with the Lambda role's credentials, could the credentials embedded in the presigned URL be used to access other resources accessible to the Lambda role, whether that is another object in S3 or any other service? Because I only want to grant access to the object in question, I'm wondering whether I need to assume a scoped role when generating the presigned URL or if the Lambda role is sufficient.

2 Answers
2

Hi,

The capabilities given to a pre-signed URL are extremely precisely defined there:

https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html

You can use presigned URLs to grant time-limited access to objects in Amazon S3 without updating your bucket policy. A presigned URL can be entered in a browser or used by a program to download an object. The credentials used by the presigned URL are those of the AWS user who generated the URL.

You can also use presigned URLs to allow someone to upload a specific object to your Amazon S3 bucket. This allows an upload without requiring another party to have AWS security credentials or permissions. If an object with the same key already exists in the bucket as specified in the presigned URL, Amazon S3 replaces the existing object with the uploaded object.

You can use the presigned URL multiple times, up to the expiration date and time.

When you create a presigned URL, you must provide your security credentials, and then specify the following:

• An Amazon S3 bucket
• An object key (if downloading this object will be in your Amazon S3 bucket, if uploading this is the file name to be uploaded)
• An HTTP method (GET for downloading objects or PUT for uploading)
• An expiration time interval

and here: https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html#who-presigned-url

Anyone with valid security credentials can create a presigned URL. But for someone to successfully access an object, the presigned URL must be created by someone who has permission to perform the operation that the presigned URL is based upon.

The following are the types of credentials that you can use to create a presigned URL:

• IAM instance profile – Valid up to 6 hours.
• AWS Security Token Service – Valid up to maximum 36 hours when signed with long-term security credentials or the duration of the temporary credential, whichever ends first.
• IAM user – Valid up to 7 days when you're using AWS Signature Version 4.

When you combine the two, it's quite clear: pre-signed URLs work only on S3 objects for a limited duration of time and based on the fact that the pre-signed URL cannot grant more rights than those owned by the creator (who can further limit down: I can presign a URL for read only when I have write access).

Best,

Didier

AWS EXPERT
answered 6 months ago
  • Thanks for your response. I understand that the presigned URL cannot grant more rights than those owned by the creator. My question is whether the credentials from the presigned URL can be used to take another action that the creator's permissions allow.

    For example, my Lambda's role allows it to read all objects in a bucket, but I want to give access to a single object via presigned URL. Can the presigned URL's credentials be used to read any object in that bucket? I tried changing the key in the URL and it returned an error but I want to confirm there is not a technique I'm unaware of.

1
Accepted Answer

Short answer, no.

The credentials used to sign the presigned URL are in two parts: access key and secret access key. You'll notice that the access key is included in the presigned URL but the secret access key is not. That's because for all API requests (presigned URLs included) the secret access key is used to sign the request but is not transmitted with it.

In order to create another presigned URL (or any other API request) the holder of the access key (which includes the person with the presigned URL) needs to know the secret access key in order to sign the request. So you can't create another presigned URL from an existing one without knowing the secret access key.

With that said: We always encourage the idea of "least privilege access". Here, if you're creating a presigned URL for read requests to a specific bucket, it makes sense to use an access key/secret access key combination that has only those permissions - it can only read from the bucket. In the event that the secret access key is leaked, the ability for an attacker to perform other tasks is limited.

AWS EXPERT
answered 6 months ago
EXPERT
reviewed a month ago
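
Added example (not part of the original answers, and not AWS code): a minimal Signature Version 4 query-string signer and the matching server-side check, showing that the signature binds the method, object key and expiry, and that only the access key ID travels in the URL. The credentials, bucket host and object keys are constructed placeholders; the expiry and IAM checks the real service also performs are left out.

```python
import hashlib, hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed placeholder values (assumptions for this example, not real credentials).
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "constructed-secret-never-sent-on-the-wire"
REGION, HOST = "us-east-1", "example-bucket.s3.amazonaws.com"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signature(secret, method, path, params, amz_date):
    """SigV4 signature over the method, object path and signed query parameters."""
    scope = f"{amz_date[:8]}/{REGION}/s3/aws4_request"
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical = "\n".join([method, quote(path, safe="/~"), query,
                           f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()          # the secret only ever feeds the HMAC chain
    for part in (amz_date[:8], REGION, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def presign(key_name, amz_date="20240101T000000Z", expires=300):
    """Build a presigned GET URL for one object key."""
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{amz_date[:8]}/{REGION}/s3/aws4_request",
        "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = signature(SECRET_KEY, "GET", "/" + key_name, params, amz_date)
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return f"https://{HOST}/{quote(key_name, safe='/~')}?{query}&X-Amz-Signature={sig}"

def service_accepts(url, method="GET"):
    """Server side: recompute the signature with the stored secret and compare."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    claimed = params.pop("X-Amz-Signature", "")
    expected = signature(SECRET_KEY, method, unquote(parts.path), params,
                         params.get("X-Amz-Date", ""))
    return hmac.compare_digest(claimed, expected)

url = presign("reports/2024/q1.pdf")
tampered = url.replace("q1.pdf", "q2.pdf")   # same signature, different object key
print(service_accepts(url), service_accepts(tampered))
```
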
