Is the S3 Protocol encrypted in transmission when using the SDK? - ssl

if I'm using the AmazonS3Client to put and fetch files, is my connection encrypted? This seems basic, but my googling seems to return things about encrypting the S3 storage and not whether the transmission from this client is secure. If it's not secure is there a setting to make it secure?

Amazon S3 endpoints support both HTTP and HTTPS. It is recommended that you communicate via HTTPS to ensure your data is encrypted in transit.
You can also create a Bucket Policy that enforces communication via HTTPS. See:
Stackoverflow: Force SSL on Amazon S3
Sample policy: s3BucketPolicyEncryptionSSL.json

Related

Can Flink send files with sink specific S3 Server Side Encryption Headers?

Trying to send records to Amazon S3 with Flink: however these records need to be sent with an AES256 SSE header to request server side encryption
see aws documentation:
If you need server-side encryption for all of the objects that are stored in a bucket, use a bucket policy. For example, the following bucket policy denies permissions to upload an object unless the request includes the x-amz-server-side-encryption header to request server-side encryption:
Is this something that can be set for specific file sinks? have not found any documentation on the matter and beginning to think a forwarding lambda will be needed to transform the data.

aws s3 and cloudfront process cookie

I have a problem about s3 and cloudfront process cookie.
My client web is set on s3 with cloudfront, and server is set on beanstalk(node.js+express).
I need to send a jwt token from server to client through 'cookie' (code: res.cookie(token)).
It all woks on local. But after I deploy on aws, I cannot get any cookie from server. I find that aws doc says
"Amazon S3 and some HTTP servers don’t process cookies. Don’t
configure CloudFront to forward cookies to an origin that doesn’t
process cookies, or you’ll adversely affect cacheability and,
therefore, performance."
Is there any possible solution with revising cloudfront cookies setting? or I need to change my server code that not send token with cookies?

I have an SSL everywhere site and I'm getting errors pulling content from my azure video streaming service

I'm using SSL in my whole site so I get errors when I pull video streaming content from my azure media services account. All of the urls I get for origin server streaming content when I publish are http. I need them to be https. Is there anyway I can configure the origin service or something I can do before I publish to make the service serve these requests with SSL?
Unfortunately Windows Azure Media Services (WAMS) doesn't support Https.
The formats for streaming, like HLS, are actually transfer formats like Http. HLS doesn't by nature support HTTPS. Instead it has other content protection mechanisms, WAMS uses HLS + 128-bit AES. All of the content transferred in the stream is encrypted by AES.
Depending on your security requirements, you shouldn't need to serve the requests with https. The request that retrieves the origin locator url should be https already, the request that stores it in your database should be https, the request that provides the url to a client should be https, so with the default AES encryption it's entirely secure.

Is there a way to configure Azure blob storage to use my domain SSL certificate?

I have my application running http. Some content is at mydomain.com and some content is stored in blob storage with a custom domain setup of media.mydomain.com. This is all working perfectly. Now when I start working on SSL support, I get warnings that I requested content from media.mydomain.com but received content from (standard blob storage url). I've read through the tutorials and guides and none of them seem to touch on SSL.
Is there a configuration in the container somewhere to install my certificate? Or am I forced to load SSL content from the standard content URL instead of my custom domain?
Windows Azure Blob storage does support HTTPs endpoint so blobs can be accessed over HTTPS however you can not add your own or 3rd party SSL certificate to your Windows Azure Blob Storage endpoint.

How to Configure SSL for Amazon S3 bucket

I am using an Amazon S3 bucket for uploading and downloading of data using my .NET application. Now my question is: I want to access my S3 bucket using SSL. Is it possible to implement SSL for an Amazon s3 bucket?
You can access your files via SSL like this:
https://s3.amazonaws.com/bucket_name/images/logo.gif
If you use a custom domain for your bucket, you can use S3 and CloudFront together with your own SSL certificate (or generate a free one via Amazon Certificate Manager): http://aws.amazon.com/cloudfront/custom-ssl-domains/
Custom domain SSL certs were just added today for $600/cert/month. Sign up for your invite below:
http://aws.amazon.com/cloudfront/custom-ssl-domains/
Update: SNI customer provided certs are now available for no additional charge. Much cheaper than $600/mo, and with XP nearly killed off, it should work well for most use cases.
#skalee AWS has a mechanism for achieving what the poster asks for, "implement SSL for an Amazon s3 bucket", it's called CloudFront. I'm reading "implement" as "use my SSL certs," not "just put an S on the HTTP URL which I'm sure the OP could have surmised.
Since CloudFront costs exactly the same as S3 ($0.12/GB), but has a ton of additional features around SSL AND allows you to add your own SNI cert at no additional cost, it's the obvious fix for "implementing SSL" on your domain.
I found you can do this easily via the Cloud Flare service.
Set up a bucket, enable webhosting on the bucket and point the desired CNAME to that endpoint via Cloudflare... and pay for the service of course... but $5-$20 VS $600 is much easier to stomach.
Full detail here:
https://www.engaging.io/easy-way-to-configure-ssl-for-amazon-s3-bucket-via-cloudflare/
It is not possible directly with S3, but you can create a Cloud Front distribution from you bucket. Then go to certificate manager and request a certificate. Amazon gives them for free. Ones you have successfully confirmed the certification, assign it to your Cloud Front distribution. Also remember to set the rule to re-direct http to https.
I'm hosting couple of static websites on Amazon S3, like my personal website to which I have assigned the SSL certificate as they have the Cloud Front distribution.
If you really need it, consider redirections.
For example, on request to assets.my-domain.example.com/path/to/file you could perform a 301 or 302 redirection to my-bucket-name.s3.amazonaws.com/path/to/file or s3.amazonaws.com/my-bucket-name/path/to/file (please remember that in the first case my-bucket-name cannot contain any dots, otherwise it won't match *.s3.amazonaws.com, s3.amazonaws.com stated in S3 certificate).
Not tested, but I believe it would work. I see few gotchas, however.
The first one is pretty obvious, an additional request to get this redirection. And I doubt you could use redirection server provided by your domain name registrar — you'd have to upload proper certificate there somehow — so you have to use your own server for this.
The second one is that you can have urls with your domain name in page source code, but when for example user opens the pic in separate tab, then address bar will display the target url.
As mentioned before, you cannot create free certificates for S3 buckets. However, you can create Cloud Front distribution and then assign the certificate for the Cloud Front instead. You request the certificate for your domain and then just assign it to the Cloud Front distribution in the Cloud Front settings. I've used this method to serve static websites via SSL as well as serve static files.
For static website creation Amazon is the go to place. It is really affordable to get a static website with SSL.