Presigned S3 URL with client side encryption

1
votes

I have searched for a long time but see noone has below scenarios so very appreciate if someone can help.

We want to download big file using S3 presigned URL but we are using client side encryption using KMS, for security reason, to upload file.

One of the option is to use AWS Encryption SDK to encrypt file in browser, upload to S3 in backend then decrypt it in browser after getting file from presigned URL. But i am concerned about credential exposure in user browser. In AWS docs https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/js-examples.html()

Begin by providing your credentials to the browser. The AWS Encryption SDK for JavaScript examples use the webpack.DefinePlugin, which replaces the credential constants with your actual credentials. But you can use any method to provide your credentials. Then, use the credentials to create an AWS KMS client.

  1. Do you have any solution to this ?
  2. If using AWS SDK, anyway to avoid credential exposure if users use F12 ?
1
javascriptamazon-s3encryptionpre-signed-url

1 Answers

0
votes

But i am concerned about credential exposure in user browser.

Using the client side encryption it is assumed the encrypted secret is random and unique/specific to the content (using the envelope encryption).

So if the client is entitled to the content (to be downloaded), then it may ok to give the client the key to decrypt the content (you may consider the key as part of the content) . The key (data key) must not be used to decrypt anything else.