DEV Community

Cover image for How to use AWS S3 pre-signed URLs to upload and download files

How to use AWS S3 pre-signed URLs to upload and download files

Sohail Jafri on March 18, 2024

So, this month we landed a new client for whom we must keep track of distributor's and doctor's orders and sales. The client had a requirement to k...
Collapse
 
manchicken profile image
Mike Stemle

There are a number of security problems here.

Never user plaintext AWS credentials

  1. You shouldn't have plaintext AWS credentials in memory for your running web server. If you do, and someone is able to successfully inject code into your running server process, or otherwise dump heap, they could exfiltrate your credentials
  2. Using plaintext credentials like this is often a recipe for never changing the credentials, which increases the harm an attacker could cause if those credentials are ever leaked.
  3. If you're running your server in AWS, an execution role or instance profile should attach to an IAM policy document which gives you access. It is significantly safer to use IAM roles and STS than it is to use IAM users.
  4. AWS IAM best practices discourage the use of IAM users: docs.aws.amazon.com/IAM/latest/Use...

Don't have public buckets

AWS is usually pretty clear about the risks of not having buckets configured to block all public access. It is far more secure to have your users upload the file to a server which then performs an s3:PutObject call.

If someone is able to get your service to give them signed URLs for uploading contents, you may very quickly find harmful files uploaded to your bucket.

Your CORS settings invite SSRF and CSRF

Your axios error handling is insecure

The axios module includes all authorization headers in the error object it returns, so your console.error() will log sensitive information.

Finally, you're using the old version of the AWS SDK

AWS-SDK v2 is being deprecated soon: aws.amazon.com/blogs/developer/ann...

The V3 of the SDK is pretty easy to use, and the nice thing about the change is that it's going to be similarly functional across all of the various libraries (e.g. Rust, Java, JavaScript), using similar patterns. Gone will be the days of language-specific AWS SDK patterns.

Collapse
 
thesohailjafri profile image
Sohail Jafri

Damn, thank you, I really mean it. Thats a lot to take but I will study one by one on the points you mentioned and try to improve my practice in existing and upcoming projects 🤝🙌😬

Collapse
 
thesohailjafri profile image
Sohail Jafri

During the production setup mostly the API routes stay under the auth middleware but I guess I can move the entire logic on the server which will take a single/multiple files and return the uploaded paths to keep it modular this I don't compose my bucket in any way

Collapse
 
manchicken profile image
Mike Stemle

I very much appreciate you receiving that well. Security is hard, and security in the cloud is harder. There are a lot of tools but it's really hard to keep up with all of them.

If it helps, I never use IAM users. For humans, we should use federated authentication using something like Okta, or Auth0, and for infrastructure running code in AWS we should use execution roles or instance profiles.

Nobody can steal credentials which do not exist, or (in the case of AWS STS) are ephemeral and expire quickly.

Thread Thread
 
thesohailjafri profile image
Sohail Jafri

Okay understood, I will try to practice using okta or Auth0 for future projects

Thread Thread
 
leewynne profile image
Lee Wynne

Wholesome exchange right here.... Love this community 🙌

Collapse
 
mrhiden profile image
Marek Krzyżowski • Edited

@manchicken
1) So how should I store them? How do you store them?

Collapse
 
manchicken profile image
Mike Stemle

Fetch them at runtime and discard them when you no longer need them. Also, use instance profiles and STS when possible, avoiding having long-lived secrets in the first place.

In 2024, there is no good reason to rely on access tokens and user passwords in AWS.

Thread Thread
 
mrhiden profile image
Marek Krzyżowski

Thnks. It is not my decision to use S3.

Collapse
 
leewynne profile image
Lee Wynne

Nice share! 🙌

Collapse
 
thesohailjafri profile image
Sohail Jafri

Thanks lee

Collapse
 
therahulchaurasia profile image
Rahul Chaurasia

I read multiple articles related to aws signed urls and I would say that this one pieces them togehter.
Good read!

Collapse
 
thesohailjafri profile image
Sohail Jafri

Thanks brother, I will try to update the article with more details on security

Collapse
 
sahilchaubey profile image
sahilchaubey03

Great article bother..... Helped me a lot

Collapse
 
pratham_2203 profile image
Prathamesh Ethiraj

Best article ever i went through 💯