You may have received an email from Amazon recently about the security of your Amazon S3 account. Don't worry about the email: the issue is easily fixed, and this article explains the small change to your Amazon S3 settings that closes it.
What Did The Amazon S3 Email Mean?
Amazon S3 is a low cost place to keep all your images, videos and other files. Many people, including ourselves and many of our clients, use Amazon S3 to host the images that appear on our websites. Especially if you use WordPress, Amazon S3 is a much better place to keep your images than your own web server.
But because Amazon S3 is so popular, dishonest people have written programs that scan it for buckets that let anyone list their contents, and then publish links to the files they find on sites set up for the purpose. Other people find those links and download the images, videos and so on without ever visiting your site. You pay Amazon for their downloads, without them having seen your files in context, i.e. on your own website.
I’m Using Amazon S3 to Host My Website’s Images – What Can I Realistically Do?
If you're using Amazon S3 to host images for your publicly available website (as most of us are), you can't make each image private; if you did, the general public who visit your site would not be able to see your images. What you can do is stop unscrupulous people enumerating your bucket to find those images in the first place, by taking the following steps.
- Set up a CNAME for images in your DNS so that the URL of an image does not reveal that it is held on Amazon. Note that this only hides the S3 hostname from people reading your page source; the bucket's own s3.amazonaws.com address still works, so on its own it is obscurity rather than a real control. So for example, rather than referring to an image as:
where it is clear for everyone to see that your images are hosted on Amazon, you would write this instead:
- Next, visit your Amazon S3 account and check that the bucket (folder) holding your images grants "Everyone" nothing at all, and in particular not List. In other words, the bucket itself must not be public; only the files inside it need to be set up for public read. The difference matters: read on the bucket is what lets a scanner list every file you have, whereas read on a file only lets a browser fetch that one image whose URL it already knows. Treat the "Authenticated Users" group the same way as "Everyone", since anyone with an AWS account is a member of it.
If you are one of our clients (Devon Web Designers or Power Blog Service), your CNAME is already set up and you should already be using it. All you need to do is check that your Amazon S3 buckets give the public no read (list) access. This stops your buckets being enumerated by scanners, while still allowing your images to be viewed (and, by anyone who already has the exact URL, linked to).
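As an added example (not code from this article or from Amazon), here is a Python check for the bucket step above. It reads a bucket ACL in the shape that boto3's get_bucket_acl (or aws s3api get-bucket-acl) returns, flags every grant made to the public groups, builds the cleaned ACL you would pass to put_bucket_acl, and interprets an anonymous GET of the bucket root so you can confirm from outside that listing is closed. The bucket name, owner ID, object keys and both HTTP response bodies are constructed for the example.

```python
"""Find and remove public *bucket* grants on an S3 bucket ACL, leaving
object-level public reads alone.  Added example: SAMPLE_ACL mirrors the dict
that boto3's s3.get_bucket_acl() (or `aws s3api get-bucket-acl`) returns,
but its owner ID and bucket contents are constructed, not real."""
import copy
import xml.etree.ElementTree as ET

# The two grantee groups that make a grant "public": AllUsers is the console's
# "Everyone"; AuthenticatedUsers is any AWS account holder, which in practice
# is just as public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

# Constructed sample: the owner has full control, and "Everyone" has been
# given READ on the bucket.  On a bucket, READ means s3:ListBucket, i.e.
# anyone can enumerate every key; that is the setting the scanners look for.
SAMPLE_ACL = {
    "Owner": {"ID": "constructed-owner-id", "DisplayName": "site-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id",
                     "DisplayName": "site-owner"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ_ACP"},
    ],
}


def public_grants(acl):
    """Every bucket grant made to a public group, whatever the permission."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def hardened_policy(acl):
    """The same ACL with public-group grants stripped, in the shape that
    s3.put_bucket_acl(Bucket=..., AccessControlPolicy=...) accepts.
    Object ACLs are not touched, so images stay viewable on your site."""
    bad = public_grants(acl)
    return {"Owner": copy.deepcopy(acl["Owner"]),
            "Grants": [copy.deepcopy(g) for g in acl["Grants"] if g not in bad]}


def listing_exposed(status, body):
    """Interpret an unauthenticated GET of https://<bucket>.s3.amazonaws.com/.
    200 with a ListBucketResult body means anyone can enumerate the bucket;
    403 AccessDenied means listing is closed (objects may still be public,
    which is what we want)."""
    if status != 200:
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag.rsplit("}", 1)[-1] == "ListBucketResult"


def listed_keys(body):
    """Object keys revealed by an open listing: exactly what a scanner harvests."""
    root = ET.fromstring(body)
    return [el.text for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "Key"]


# Constructed responses (not captured from a real bucket).
OPEN_LISTING = (
    '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<Name>example-images-bucket</Name>"
    "<Contents><Key>images/logo.png</Key></Contents>"
    "<Contents><Key>images/header.jpg</Key></Contents>"
    "</ListBucketResult>"
)
DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"

if __name__ == "__main__":
    for g in public_grants(SAMPLE_ACL):
        print("public bucket grant:", g["Grantee"]["URI"].rsplit("/", 1)[-1], g["Permission"])
    print("grants after hardening:",
          [g["Permission"] for g in hardened_policy(SAMPLE_ACL)["Grants"]])
    print("open bucket lists:", listed_keys(OPEN_LISTING))
    print("closed bucket exposed?", listing_exposed(403, DENIED))
    # To apply for real (needs AWS credentials; not run here):
    #   s3 = boto3.client("s3")
    #   acl = s3.get_bucket_acl(Bucket="example-images-bucket")
    #   s3.put_bucket_acl(Bucket="example-images-bucket",
    #                     AccessControlPolicy=hardened_policy(acl))
```

The check flags every public grant rather than only List, because a bucket grant of WRITE or FULL_CONTROL to "Everyone" would let a scanner upload or delete files, not merely list them. One caveat for current accounts: the arrangement this article relies on (public object ACLs, private bucket) only works while S3 Block Public Access is off for that bucket; with it on, public object ACLs are ignored and the images stop loading, and you would serve them through a bucket policy instead.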
This is the first level of defense. The other, more robust way to stop people linking to your images from their own websites is to set up a Bucket Policy.