2025-07-26 –, Track 1
AWS presigned URLs have become a popular way to provide secure and sane access to S3 buckets and other resources. But the security of presigned URLs greatly relies on the implementation and integrations made with individual systems, and simple mistakes can result in unwittingly signing sensitive data away to an attacker. As S3 buckets continue to be an abundant source of low-hanging fruit for threat actors, we discover that presigned URLs might not be the silver bullet that S3 security needs.
In this talk, I will cover the cardinal sins that can be committed when implementing presigned access to S3 buckets, the resulting attacks that can arise from these mistakes, and how developers can best avoid them.
Presentation Outline:
- Introduction
  - A brief introduction to AWS presigned URLs and what problems they aim to solve for S3 access. The various types of implementations will be discussed, briefly touching on some past S3 flaming disasters, and how presigned URLs provide, in theory, a means to prevent such issues from ever occurring.
- Security holes
  - A more formal classification of the mistakes that can be made when implementing access via presigned URLs will be provided. This will cover oversights that can be made when architecting solutions using presigned URLs, assumptions leading to security holes, and touch on how the shared responsibility model can cause a lot of issues when such assumptions are made.
  - What can go wrong, and what the impact of this could be from a technical and business perspective, will be covered, providing some contextual and realistic examples of how mistakes in implementing presigned URLs can lead to ruin.
  - Lastly for this section, the talk will dive into different types of attacks against presigned URLs that exploit weaknesses in implementation.
- Regaining sanity
  - An exploration of the mitigations against the aforementioned issues, introducing a simple sanity check for implementation that developers can use to safeguard their applications.
- Cleaning up the mess + Conclusion
  - A brief dive into incident readiness for S3 and what measures should be set up to prepare for an S3-related incident. This will include a conclusion on the contents of the talk and touch on other hardening measures that can be taken with S3 buckets to improve their security.
This talk will be a combination of industry-specific knowledge and my own research conducted into securing presigned URL implementations. It will aim to provide a more formal classification of insecure implementations of presigned URLs, mapped to attacks and their consequences.
Key Takeaways:
- Understanding how to secure presigned URLs:
  - Attendees will gain a strong understanding of the simple security pitfalls that can have major consequences when implementing presigned URLs.
- Identifying and mitigating risks:
  - The talk will aim to classify the mistakes typically made and the issues these cause to allow developers to quickly identify problematic implementations.
  - In addition to this, the talk will provide an idea of risk mitigation and how this can be further tailored into a more comprehensive incident readiness strategy for S3 specifically.
I'm a cloud security consultant at MWR CyberSec.
I started my journey breaking web applications, and from there focused on Network Security and Active Directory hacking before migrating over to the wide world of cloud security. I also make educational cybersecurity videos on my YouTube channel, PoppinShells, which is a side hobby of mine.