1
votes

I have an Amazon S3 bucket with all settings in the default mode. When I go to my bucket's Permissions tab and look at the section Public access / Everyone, all options are empty, so everything is private.

Now I make a folder named with a very long random SHA-1 hash, upload some files and subfolders into this folder and make the whole folder public. Is it possible to detect (list) this folder?

When I go to my bucket in the browser at https://s3.xxx.amazonaws.com/my-private-bucket, I see: <Code>AccessDenied</Code>.

That looks good. But maybe there is another way to detect my public folder?


1 Answer

1
votes

If your Bucket Policy is merely granting s3:GetObject for that folder, then there should be no public indication that the folder exists. However, various systems might log access to those objects as the request from your users traverses the Internet to get to Amazon S3. You should, at a minimum, use HTTPS to access the objects.

See: TechnoSophos: Allow only HTTPS on an S3 Bucket

Please note that Security through obscurity - Wikipedia is generally considered to be a poor form of security since anyone with knowledge of a link to a file can access the file. Do not use 'hidden folders' as a form of security for sensitive information.

The preferred method to grant access only to authorized people is to have an application authenticate a user's identity, then have it generate Amazon S3 pre-signed URLs, which grant time-limited access to an object in Amazon S3.
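As an added example (not code from the question or the answer), here is the bucket policy the answer describes, a public s3:GetObject grant scoped to the folder plus the HTTPS-only Deny the linked article is about, together with a deliberately simplified model of how S3 evaluates anonymous requests against it. The bucket name is the one from the question; the prefix, the object names and the evaluator itself are my assumptions (the evaluator handles only the wildcard matching and the Bool condition these two statements use, not the full IAM engine).

```python
import json
from fnmatch import fnmatchcase

BUCKET = "my-private-bucket"
# Constructed stand-in for the random SHA-1-named folder from the question.
PUBLIC_PREFIX = "3f786850e387550fdab836ed7e6dc881de23001b"


def public_prefix_policy(bucket: str, prefix: str) -> dict:
    """Bucket policy granting anonymous s3:GetObject only under `prefix`, plus a
    Deny for any request that does not arrive over TLS (aws:SecureTransport)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "PublicReadOnlyUnderPrefix",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
            {
                "Sid": "DenyPlainHttp",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


def _matches(patterns, value: str) -> bool:
    """IAM-style wildcard match; Action/Resource may be a string or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx: dict) -> bool:
    """Only the Bool operator is modelled here (the one the policy above uses)."""
    for operator, checks in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in checks.items():
            actual = "true" if ctx.get(key, False) else "false"
            if actual != str(expected).lower():
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    """Simplified evaluation for an anonymous principal: a matching explicit Deny
    wins, otherwise a matching Allow, otherwise the implicit deny (AccessDenied)."""
    decision = "ImplicitDeny"
    for statement in policy["Statement"]:
        if not _matches(statement["Action"], action):
            continue
        if not _matches(statement["Resource"], resource):
            continue
        if not _condition_holds(statement.get("Condition"), ctx):
            continue
        if statement["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


def demo() -> dict:
    """The requests from the question, evaluated against the policy."""
    policy = public_prefix_policy(BUCKET, PUBLIC_PREFIX)
    https, http = {"aws:SecureTransport": True}, {"aws:SecureTransport": False}
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    public_obj = f"{bucket_arn}/{PUBLIC_PREFIX}/report.pdf"
    return {
        # Listing the bucket root (what the browser request in the question does).
        # A listing with ?prefix=<folder> is the same s3:ListBucket action, so it
        # gets the same answer: the folder name is never revealed.
        "list bucket over https": evaluate(policy, "s3:ListBucket", bucket_arn, https),
        "get public object over https": evaluate(policy, "s3:GetObject", public_obj, https),
        "get public object over http": evaluate(policy, "s3:GetObject", public_obj, http),
        "get object outside prefix": evaluate(
            policy, "s3:GetObject", f"{bucket_arn}/private/report.pdf", https),
    }


if __name__ == "__main__":
    print(json.dumps(public_prefix_policy(BUCKET, PUBLIC_PREFIX), indent=2))
    for request, decision in demo().items():
        print(f"{request:30} -> {decision}")
```

Run it and the bucket-root listing comes back as the implicit deny behind the AccessDenied the question saw, while a GET of a known object under the prefix is allowed over HTTPS and explicitly denied over plain HTTP. Nothing grants s3:ListBucket, so neither the root nor a ?prefix= listing can reveal the folder; only someone who already holds a full object URL can fetch anything. One caveat: on a bucket with Block Public Access enabled, S3 refuses to attach a policy with `Principal: "*"` at all, so a policy like this only applies where that guard is off.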
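To show the preferred method from the answer in working code, here is an added example (not from the answer, the question, or AWS's SDKs) that builds an S3 pre-signed GET URL with Signature Version 4 using only the standard library, plus a verify function modelling the check S3 performs when the URL is presented. Credentials, region, bucket host and object key are constructed placeholders (the access key and secret are the non-functional example values AWS uses in its own documentation, so the URL will not work against a real bucket); the signing steps follow the published SigV4 query-string scheme.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit

# Constructed, non-functional credentials (assumption: real code loads these from
# the environment or an IAM role; never hard-code a live secret).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
BUCKET = "my-private-bucket"
HOST = f"{BUCKET}.s3.{REGION}.amazonaws.com"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date_stamp: str, region: str) -> bytes:
    """SigV4 key derivation: secret -> date -> region -> service -> aws4_request."""
    k = _hmac(("AWS4" + secret).encode(), date_stamp)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _string_to_sign(host: str, key: str, query: dict, amz_date: str, scope: str):
    """Canonical request for a query-string-authenticated GET and the string to
    sign derived from it. Returns (string_to_sign, canonical_query)."""
    # urlencode with quote and safe='' gives AWS encoding: '/' -> %2F, '~' kept.
    canonical_query = urlencode(sorted(query.items()), quote_via=quote)
    canonical_request = "\n".join([
        "GET",
        "/" + quote(key, safe="/~"),   # object key URI-encoded, '/' preserved
        canonical_query,
        f"host:{host}\n",              # canonical headers, each terminated by \n
        "host",                        # signed headers
        "UNSIGNED-PAYLOAD",            # a presigned GET signs no body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return string_to_sign, canonical_query


def presign_get(key: str, expires_in: int = 300, now: Optional[datetime] = None,
                access_key: str = ACCESS_KEY, secret_key: str = SECRET_KEY) -> str:
    """Time-limited GET URL for `key`, issued by the application that has already
    authenticated the user."""
    now = now or datetime.now(timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{REGION}/s3/aws4_request"
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    string_to_sign, canonical_query = _string_to_sign(HOST, key, query, amz_date, scope)
    signature = hmac.new(_signing_key(secret_key, date_stamp, REGION),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{HOST}/{quote(key, safe='/~')}?{canonical_query}&X-Amz-Signature={signature}"


def verify_presigned(url: str, secret_key: str = SECRET_KEY,
                     now: Optional[datetime] = None) -> str:
    """Model of the check S3 performs on receipt: recompute the signature from the
    URL's own parameters and reject if it differs or the expiry window has passed."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    amz_date = params["X-Amz-Date"]
    signed_at = datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if now > signed_at + timedelta(seconds=int(params["X-Amz-Expires"])):
        return "Expired"
    scope = params["X-Amz-Credential"].split("/", 1)[1]
    date_stamp, region = scope.split("/")[0], scope.split("/")[1]
    key = unquote(parts.path.lstrip("/"))
    string_to_sign, _ = _string_to_sign(parts.netloc, key, params, amz_date, scope)
    expected = hmac.new(_signing_key(secret_key, date_stamp, region),
                        string_to_sign.encode(), hashlib.sha256).hexdigest()
    return "OK" if hmac.compare_digest(expected, presented) else "SignatureDoesNotMatch"


def demo() -> dict:
    """Presign one object under the hashed folder at a fixed time, then run the
    server-side check on the genuine URL and on three bad variants."""
    signed_at = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    later = signed_at + timedelta(seconds=60)
    url = presign_get("3f786850e387550fdab836ed7e6dc881de23001b/report.pdf",
                      expires_in=300, now=signed_at)
    return {
        "url": url,
        "valid": verify_presigned(url, now=later),
        "tampered_key": verify_presigned(url.replace("report.pdf", "other.pdf"), now=later),
        "expired": verify_presigned(url, now=signed_at + timedelta(seconds=301)),
        "wrong_secret": verify_presigned(url, secret_key="not-the-owners-key", now=later),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:13} {value}")
```

The verify function shows what "time-limited" means: the object key, the expiry and the issue time are all bound into the signature, so changing the path or X-Amz-Expires invalidates the URL, and the window is measured from X-Amz-Date, not from when the link is first used. In practice generate these with the SDK (boto3's generate_presigned_url) rather than hand-rolling SigV4; the point here is to see exactly what a pre-signed URL commits to.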