Amazon S3 Security - How To Protect Your Files
by Wilson Mattos
Amazon's Simple Storage Service (S3) is a popular service for storing and delivering digital content on the Internet. S3 is extremely reliable, scalable and with the right tools in place, very easy to use. Amazon has eliminated all barriers to entry -- no lengthy service contract, virtually unlimited storage & bandwidth, and an affordable cost structure. Getting started with Amazon S3 could not be easier. All you need is an Amazon.com account.
Exposed Assets – The Problem with Using S3 The Wrong Way
When used properly, S3 is a very secure platform for content distribution. Unfortunately, most users are not aware of how to properly implement S3 security to protect their content. Instead, they leave their content exposed!
Most users get started with S3 by reading or watching a video tutorial that teaches a few basic steps for uploading content and setting the permissions (ACL) to "Read by Everyone." This last step is what exposes their content and bandwidth to theft. You see, by default, any file you upload to S3 is only accessible by the owner of the file. However, in order to make files accessible over the web, users are told that they need to make the file "Readable by Everyone." Let me give you a real life example of why this is wrong and should not be done for content you want to protect.
Let's say that I run a paid membership site and use S3 to store and deliver videos to my paid members. Unfortunately, every tool available to embed videos on my site requires that I set the file permissions (ACL) to "Readable by Everyone." This means that when I embed the video, anyone can view the "page source" for my site and grab the direct URL of the video. One of my members does this, and sends the link to a friend who can now download my video without ever paying my membership fees. This is the theft I referred to above. Although it is bad, it gets worse.
Another user decides that he wants to capitalize on my premium content, so this time, instead of just downloading my video, he is going to use the URL to my video, stored on S3, and embed the video on his own membership site. Now my content is not only being stolen, but I am also being charged for the bandwidth usage every time someone watches MY video while visiting HIS site. This is the REAL THREAT.
In the above example, I discussed a membership site and videos. However, any file for which you set the permissions (ACL) to "Readable by Everyone" is vulnerable to this type of attack.
The Solution
Although the solution is quite simple, it is not very well understood by most. It is called "Query String Authentication." Using the "Query String Authentication" feature, you can embed content on your site without ever making the file permissions (ACL) "Readable by Everyone."
Implementing this feature does require the use of PHP; however, it is not at all difficult, even if you have no programming knowledge. Unfortunately, all of the documentation provided by Amazon is written for experienced developers and does not provide step-by-step instructions that are easy to follow. Fortunately, there is now a resource to teach you exactly how to use this feature, step-by-step.
A few months ago, I hosted a free webinar to teach attendees how to properly use Amazon S3 to keep their content secure. The webinar covered a wide array of topics, ranging from basic to advanced (ex: how to set up an S3 account; free tools for managing your account; implementing "Query String Authentication" with exact code samples; and much more). The webinar is 90 minutes long (including 60+ minutes of instruction followed by audience Q&A).
If you are interested in obtaining a copy of the webinar recording to learn how to implement these features, you can purchase it from here: Amazon S3 Tutorial
Cloudberry Labs has obtained a temporary exclusive license to provide this webinar free of charge to our customers! This offer is only valid until 11:59PM on July 16th, 2009 (Pacific Time). You can download the recording (98Mb) and the additional notes.
If you would like to discuss the contents of this article, you can follow the author on Twitter and start a conversation.
3 comments:
I would like to download a copy of the report. However I get the message that the link has expired. Is there any way for me to get a copy now, or am I too late?
Hi Robert,
You can always download the Amazon S3 Webinar here. But you will have to pay $17. Those who paid said it was well worth the money spent.
Thanks
Andy
What kind of scam is that...thanks but no thanks.