Is awsaccesskeyid a secret?

626    Asked by AndrewJenkins in Cyber Security , Asked on Sep 23, 2022

AWS's "Secret Key" is (obviously) a secret, but should an "Access Key" alone (without the corresponding secret key) be considered a secret too?


Answered by Ankit yadav

While the AWSAccessKeyID is like a username (and the Secret Access Key is like a password), the Access Key ID is also designed to be shared and AWS does this explicitly with the AWS Pre Signed Object URL feature as mentioned by John Hanley in a previous comment. This is an expanded response.


AWS Pre Signed Object URLs are shareable links designed to be given to non-authenticated users. The following is a description of AWS Pre Signed Object URLs from AWS docs:

All objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials, to grant time-limited permission to download the objects.

Ref: https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

AWS documentation has a lot of code to create the URLs but I couldn't find example URLs. An example Pre Signed Object URL is available in the following CloudBerry Lab guide showing 3 query string parameters including AWSAccessKeyId, Signature and Expires.

https://cloudberry-examples.s3.amazonaws.com/invoices/user1234/july2018.pdf?AWSAccessKeyId=AKIALGKOKBY37F5FZF4I&Signature=bPSs8Kcak/gjEqqjOO5cFS022x0=&Expires=1531446995

Guide: "Using Amazon S3 Pre-Signed URLs for Temporary Object Access"

Guide URL: https://www.cloudberrylab.com/resources/blog/s3-pre-signed-url-guide/



Your Answer

Interviews

Parent Categories