django-s3-storage
django-s3-storage copied to clipboard
etianen
Valid use of AWS_S3_BUCKET_AUTH and AWS_S3_PUBLIC_URL
When using Cloudfront as a CDN, it is possible to have your S3 bucket be private, but give permission to Cloudfront to serve files from it. This isn't currently possible with django-s3-storage because the combination of those settings raises an ImproperlyConfigured error. If you have the S3 bucket public access block setup, uploads with public-read set will be denied.
One reason you might want to configure it this way is to pass the AWS Foundational Security Controls check: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-2
In this setup, would Cloudfront still require the auth parameters to be set in the URL? Or would cloudfront provide public access to all the files?
On Thu, 27 Aug 2020 at 16:38, Peter Baumgartner [email protected] wrote:
When using Cloudfront as a CDN, it is possible to have your S3 bucket be private, but give permission to Cloudfront to serve files from it https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-access-to-amazon-s3/. This isn't currently possible with django-s3-storage because the combination of those settings raises an ImproperlyConfigured error. If you have the S3 bucket public access block https://docs.aws.amazon.com/AmazonS3/latest/dev/access-control-block-public-access.html setup, uploads with public-read set will be denied.
One reason you might want to configure it this way is to pass the AWS Foundational Security Controls check: https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-s3-2
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/etianen/django-s3-storage/issues/114, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABEKCFHJFEVMNUI63T2UM3SCZ4WTANCNFSM4QNEFYOA .
Cloudfront does not require auth parameters, they are open for public access. It makes the security control more security theater than an actual security control, but in audits, sometimes that's needed :/
So the bucket is private, but everything in it is public via cloudfront. My goodness. Better encrypt it all at rest too! Using a 8196 bit key! *And scan it for viruses!!! *:P
So basically, to make this work, you need to remove the ImproperlyConfigured error and allow both settings to be used in combination? I only put in that check to avoid a footgun, but since shooting your own foot off is desired in this case, I'd be happy to take a MR to enable this highly dubious bit of functionality. :D
I too have to deal with ridiculous audits, so no worries.
On Thu, 27 Aug 2020 at 17:41, Peter Baumgartner [email protected] wrote:
Cloudfront does not require auth parameters, they are open for public access. It makes the security control more security theater than an actual security control, but in audits, sometimes that's needed :/
— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/etianen/django-s3-storage/issues/114#issuecomment-682062421, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABEKCHEFQ263IBK67OESLTSC2EDZANCNFSM4QNEFYOA .