How to secure an amazon S3 Bucket?

mikejones

I recently received this email from amazon:

We are writing to notify you that you have configured your S3 bucket(s) to be publicly accessible, and this may be a larger audience than you intended. By default, S3 buckets allow only the account owner to access the contents of a bucket; however, customers can configure S3 buckets to permit public access. Public buckets are accessible by anyone on the Internet, and content in them may be indexed by search engines.

We recommend enabling the S3 Block Public Access feature on buckets if public access is not required. S3 bucket permissions should never allow “Principal”:“*” unless you intend to grant public access to your data. Additionally, S3 bucket ACLs should be appropriately scoped to prevent unintended access to “Authenticated Users” (anyone with an AWS account) or “Everyone” (anyone with Internet access) unless your use case requires it. For AWS’s definition of “Public Access,” please see The Meaning of "Public” [1].

I have my S3 bucket public so user can upload pictures from my flarum. Is this secure? Or is there more I can do with my flarum to make sure you can only upload images from the flarum itself?

phenomlab

mikejones I have my S3 bucket public so user can upload pictures from my flarum. Is this secure? Or is there more I can do with my flarum to make sure you can only upload images from the flarum itself?

As detailed in the thread you referenced, you’ll need an ACL to govern who can upload and download. Ideally, it’s your webserver only that has this ability to prevent abuse.

mikejones

Looks like someone already asked this question here: https://metabullet.com/d/23-amazon-bucket-settings-for-fofupload

reading through that one now 👍️