Valid use of AWS_S3_BUCKET_AUTH and AWS_S3_PUBLIC_URL #114
Comments
In this setup, would Cloudfront still require the auth parameters to be set
in the URL? Or would cloudfront provide public access to all the files?
…On Thu, 27 Aug 2020 at 16:38, Peter Baumgartner ***@***.***> wrote:
When using Cloudfront as a CDN, it is possible to have your S3 bucket be
private, but give permission to Cloudfront to serve files from it
<https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/>.
This isn't currently possible with django-s3-storage because the
combination of those settings raises an ImproperlyConfigured error. If
you have the S3 bucket public access block
<https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html>
setup, uploads with public-read set will be denied.
One reason you might want to configure it this way is to pass the AWS
Foundational Security Controls check:
https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-2
Cloudfront does not require auth parameters, they are open for public access. It makes the security control more security theater than an actual security control, but in audits, sometimes that's needed :/
So the bucket is private, but everything in it is public via cloudfront. My
goodness. Better encrypt it all at rest too! Using an 8196-bit key! And
scan it for viruses!!! :P
So basically, to make this work, you need to remove the
ImproperlyConfigured error and allow both settings to be used in
combination? I only put in that check to avoid a footgun, but since
shooting your own foot off is desired in this case, I'd be happy to take a
MR to enable this highly dubious bit of functionality. :D
I too have to deal with ridiculous audits, so no worries.
…On Thu, 27 Aug 2020 at 17:41, Peter Baumgartner ***@***.***> wrote:
Cloudfront does not require auth parameters, they are open for public
access. It makes the security control more security theater than an actual
security control, but in audits, sometimes that's needed :/
When using Cloudfront as a CDN, it is possible to have your S3 bucket be private, but give permission to Cloudfront to serve files from it. This isn't currently possible with django-s3-storage because the combination of those settings raises an ImproperlyConfigured error. If you have the S3 bucket public access block set up, uploads with public-read set will be denied.

One reason you might want to configure it this way is to pass the AWS Foundational Security Controls check: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-2
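The three situations this issue walks through (public-read uploads rejected by Block Public Access, the ImproperlyConfigured guard on combining AWS_S3_BUCKET_AUTH with AWS_S3_PUBLIC_URL, and the private-bucket-behind-CloudFront setup the reporter wants) modelled as an added stand-alone example; this is not django-s3-storage's own code, and the allow_private_bucket_cdn opt-in is a hypothetical name, not a real setting.

```python
"""Constructed simulation of the settings interplay discussed in this issue.

Not django-s3-storage's code. The allow_private_bucket_cdn flag is a
hypothetical opt-in used only to illustrate relaxing the guard.
"""
from dataclasses import dataclass


class ImproperlyConfigured(Exception):
    """Stands in for django.core.exceptions.ImproperlyConfigured."""


@dataclass
class StorageSettings:
    bucket: str
    bucket_auth: bool = True      # AWS_S3_BUCKET_AUTH: private objects, signed URLs
    public_url: str = ""          # AWS_S3_PUBLIC_URL: e.g. a CloudFront domain
    allow_private_bucket_cdn: bool = False  # hypothetical opt-in, not a real setting


def check_settings(s: StorageSettings) -> None:
    """The footgun guard from the thread: signed S3 URLs are pointless when
    files are served from a public CDN URL, so the pair is refused unless
    the (hypothetical) opt-in says the private-bucket-plus-CDN setup is intended."""
    if s.bucket_auth and s.public_url and not s.allow_private_bucket_cdn:
        raise ImproperlyConfigured(
            "AWS_S3_BUCKET_AUTH and AWS_S3_PUBLIC_URL cannot be combined")


def upload_acl(s: StorageSettings) -> str:
    """ACL the storage would attach to each PutObject."""
    return "private" if s.bucket_auth else "public-read"


def put_object(s: StorageSettings, block_public_acls: bool) -> str:
    """Simulate S3 Block Public Access: with BlockPublicAcls on, any upload
    carrying a public ACL is rejected, which is the failure the issue describes."""
    if upload_acl(s) == "public-read" and block_public_acls:
        return "AccessDenied"
    return "OK"


def object_url(s: StorageSettings, key: str) -> tuple:
    """How a stored file is reachable: ('public', url) needs no auth parameters,
    ('signed', url) is a bucket URL that must still be presigned."""
    if s.public_url:
        return ("public", f"{s.public_url.rstrip('/')}/{key}")  # CDN fronts the bucket
    bucket_url = f"https://{s.bucket}.s3.amazonaws.com/{key}"
    return ("signed", bucket_url) if s.bucket_auth else ("public", bucket_url)
```

With the opt-in set, uploads go out as private (so Block Public Access accepts them) while every URL handed to users is the open CloudFront one, which is exactly the "private bucket, public files" outcome the comments point out.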