{"id":1022,"date":"2024-05-02T16:34:23","date_gmt":"2024-05-02T14:34:23","guid":{"rendered":"https:\/\/old-web.terracloud.fr\/?p=1022"},"modified":"2024-09-02T16:49:18","modified_gmt":"2024-09-02T14:49:18","slug":"les-objets-de-votre-bucket-s3-sont-peut-etre-publics-meme-si-la-console-aws-vous-dit-le-contraire","status":"publish","type":"post","link":"https:\/\/old-web.terracloud.fr\/en\/blog\/2024\/05\/02\/les-objets-de-votre-bucket-s3-sont-peut-etre-publics-meme-si-la-console-aws-vous-dit-le-contraire\/","title":{"rendered":"Your S3 objects could be public (even though the AWS Console doesn't say so)"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"1022\" class=\"elementor elementor-1022\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-25fc9f63 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"25fc9f63\" data-element_type=\"section\" data-e-type=\"section\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;}\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-5bf1ff32\" data-id=\"5bf1ff32\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-1c111a7 elementor-widget elementor-widget-shortcode\" data-id=\"1c111a7\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"shortcode.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-shortcode\"><span><span><a href=\"https:\/\/old-web.terracloud.fr\/en\/\">Home<\/a><\/span><\/span><\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2206bf10 e-transform 
elementor-widget elementor-widget-heading\" data-id=\"2206bf10\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;_transform_translateX_effect&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;_transform_translateX_effect_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;_transform_translateX_effect_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;_transform_translateY_effect&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;_transform_translateY_effect_tablet&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]},&quot;_transform_translateY_effect_mobile&quot;:{&quot;unit&quot;:&quot;px&quot;,&quot;size&quot;:&quot;&quot;,&quot;sizes&quot;:[]}}\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Your S3 objects could be public (even though the AWS Console doesn't say so)<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-710edf69 elementor-widget__width-initial elementor-widget elementor-widget-heading\" data-id=\"710edf69\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">In this blog post, I'll show a not-so-well known way your objects could mistakenly become public.<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-2f2817ab elementor-section-boxed elementor-section-height-default elementor-section-height-default\" 
data-id=\"2f2817ab\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1aa47f0d\" data-id=\"1aa47f0d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-ac43c57 elementor-widget elementor-widget-image\" data-id=\"ac43c57\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"800\" height=\"336\" src=\"https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2024\/09\/https-dev-to-uploads.s3.amazonaws.com-uploads-articles-2atzrs9kam06a0cso3bt.avif\" class=\"attachment-large size-large wp-image-1026\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c2c6c96 elementor-widget elementor-widget-text-editor\" data-id=\"c2c6c96\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span>S3 is an amazing storage service, able to durably store data at exabyte scale and present it with single-digit millisecond latency. 
Though its name stands for \"<\/span><em><span>Simple<\/span><\/em><span> storage service\", its power comes with some risks, one of which is finding that your private data has become public.<\/span><\/p><p><span>In this blog post, <\/span><strong><span>I'll show a not-so-well-known way your objects could mistakenly become public.<\/span><\/strong><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-c526aae elementor-widget elementor-widget-heading\" data-id=\"c526aae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">How AWS protects your data in S3<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-db6712b elementor-widget elementor-widget-text-editor\" data-id=\"db6712b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span>I'll start with an obvious statement: the fact that S3, as a <\/span><em><span>web service<\/span><\/em><span>, is publicly reachable (i.e. you can use the S3 API without setting up a VPN) doesn't mean that your data <\/span><em><span>has to be<\/span><\/em><span> public.<\/span><\/p><p><span>As a matter of fact, S3 buckets have always been private by default. And since 2018, there have been additional locks at both account and bucket level (the \"Block Public Access\" settings) that you can set to explicitly prevent objects from being public even if you mistakenly set a policy or ACL that would otherwise allow public access. 
And since April 2023, they are enabled by default on every newly created bucket.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8e702b1 elementor-widget elementor-widget-image\" data-id=\"8e702b1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"521\" src=\"https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2024\/09\/cb_account_settings_5.png\" class=\"attachment-large size-large wp-image-1025\" alt=\"\" srcset=\"https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2024\/09\/cb_account_settings_5.png 800w, https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2024\/09\/cb_account_settings_5-300x195.png 300w, https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2024\/09\/cb_account_settings_5-768x500.png 768w, https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2024\/09\/cb_account_settings_5-18x12.png 18w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a60feb6 elementor-widget elementor-widget-text-editor\" data-id=\"a60feb6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>With great power comes great responsibility! The AWS shared responsibility model states that the customer, who has the power to set policies that enable public access, is responsible for implementing them correctly.<\/p><p>Here are the standard ways to set permissions in S3:<\/p><ol><li><p>Through Access Control Lists. ACLs are no longer recommended (new buckets have them disabled by default), but they can still be used to grant access to S3 resources (buckets or objects).<\/p><\/li><li><p>Through Resource-based policies. 
Each bucket has a policy that can allow (or explicitly deny, which always takes precedence) access to objects. That's the recommended way to proceed, as it's easy to set granular permissions and also to grant access to other AWS accounts or AWS services.<\/p><\/li><li><p>Through IAM Identity-based policies. Make sure not to grant <em>Action: s3:*<\/em> on <em>Resource: *<\/em>!<\/p><\/li><\/ol><p>Public access granted by any of those mechanisms can be neutralized <a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/access-control-block-public-access.html\" target=\"_blank\" rel=\"noopener noreferrer\">with the aforementioned \"Block Public Access\" settings<\/a>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-266a17f elementor-widget elementor-widget-heading\" data-id=\"266a17f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">So, how could your objects still be public, then?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-68236c3 elementor-widget elementor-widget-text-editor\" data-id=\"68236c3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span>Apart from the well-known (and deliberate) pattern of serving S3 data publicly through a CloudFront distribution, there are two ways you could inadvertently make your S3 objects public. Neither of them is a public bucket policy or ACL, which is why Block Public Access does nothing against them: both hand valid AWS credentials to whoever asks, and S3 then authorizes those requests like any other authenticated call.<\/span><\/p><p><span>The reason I wanted to write this blog post is that I recently found both of those leaks at a client of mine. 
They had an S3 bucket shown as \"public access blocked\" in the AWS Console, yet data was leaking through these two holes.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-03aea08 elementor-widget elementor-widget-heading\" data-id=\"03aea08\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Leaked API access key \/ secret key\n<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a0feca1 elementor-widget elementor-widget-text-editor\" data-id=\"a0feca1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span>The first leak: my client shipped a long-lived IAM access key and secret key inside a frontend application. In this case the application was a mobile app, but that is still code running on the client side, which can be decompiled, reverse engineered or memory-dumped. Anyone who extracts the key pair can sign S3 requests as that IAM user, and Block Public Access is irrelevant to such authenticated requests.<\/span><\/p><p><span>The good news is that AWS proactively scans for leaked secrets (apparently including application stores, not just public code repositories) and warned my client that this particular access key had been exposed.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1d6a12c elementor-widget elementor-widget-heading\" data-id=\"1d6a12c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Cognito Identity Pool Unauthenticated Guest feature\n<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4c16a47 elementor-widget elementor-widget-text-editor\" data-id=\"4c16a47\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span>The second way is more subtle.<\/span><\/p><p><span>Cognito Identity Pools can deliver short-term AWS credentials in exchange for a proof of authentication issued by an identity provider (IdP). 
That's very useful, for instance to let everyone in the marketing department access files in an S3 bucket, or to let user <\/span><code>JohnDoe<\/code><span> access only the objects whose key is prefixed with <\/span><code>JohnDoe<\/code><span> (in practice the role's policy is scoped with the <\/span><code>${cognito-identity.amazonaws.com:sub}<\/code><span> policy variable rather than a hard-coded name).<\/span><\/p><p><span>And because it's sometimes needed (for instance, you may want visitors to see an Amazon Location map before they have an account in your app), Cognito also offers the option to allow unauthenticated guest access, in which case users are delivered short-term credentials for a role of your choosing, without presenting any proof of identity at all.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-17107d9 elementor-widget elementor-widget-image\" data-id=\"17107d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"125\" src=\"https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2024\/09\/https-dev-to-uploads.s3.amazonaws.com-uploads-articles-158rp1ssa85xx5ys3kvs.avif\" class=\"attachment-large size-large wp-image-1027\" alt=\"\" \/>\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8137e00 elementor-widget elementor-widget-text-editor\" data-id=\"8137e00\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span>If the role has s3:* access to the bucket, well... 
users can do pretty much whatever they want with your bucket and\/or objects.<\/span><\/p><p><span>Here is how this can be exploited by an attacker who knows just the identity pool id (which has to be shipped in the front-end application; the AWS account id is optional for this call and is easy to find anyway if the bucket name is also in the front-end code). No password, token or social login is involved at any step:<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4a77be2 elementor-widget elementor-widget-html\" data-id=\"4a77be2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<pre>\n# Step 1: create a guest (unauthenticated) identity in the pool.\n# No --logins map is passed, so this only succeeds if the pool allows unauthenticated identities.\n% aws cognito-identity get-id \\\n--account-id ACCOUNT-ID_HERE \\\n--identity-pool-id \"REGION:IDENTITY_POOL_ID\" \\\n--region REGION\n\n# The AWS API replies with a unique identity ID\n{\n    \"IdentityId\": \"REGION:UNIQUE_USER_ID\"\n}\n\n# Step 2: ask for short-term credentials attached to this identity.\n# Cognito assumes the pool's unauthenticated role on our behalf and returns its session.\n% aws cognito-identity get-credentials-for-identity \\\n--identity-id \"REGION:UNIQUE_USER_ID\" \\\n--region REGION \\\n--output json\n{\n    \"IdentityId\": \"REGION:UNIQUE_USER_ID\",\n    \"Credentials\": {\n        \"AccessKeyId\": \"ASIAY--EDITED-FOR-SECURITY-REASON--4FJ\",\n        \"SecretKey\": \"I4D2SZ4--EDITED-FOR-SECURITY-REASON--v1AwAp\/\",\n        \"SessionToken\": \"IQoJb3JpZ2luX2VjEIz\/\/\/\/\/\/\/\/\/\/wEaCWV1LXdlc3QtMyJHMEUCIQCgXefjo82cstPQSS1WcXALUfmq364unN+Y\/v5sb--EDITED-FOR-SECURITY-REASON--mBbD+AzASKDK\",\n        \"Expiration\": \"2024-04-16T22:17:04+02:00\"\n    }\n}\n\n# Step 3: export them (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) and\n# make any API call that the unauthenticated role (here `my-role-for-cognito-guests`)\n# is granted permissions for, e.g. `aws s3 ls s3:\/\/BUCKET_NAME --region REGION`.\n<\/pre>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7dd8dea elementor-widget elementor-widget-heading\" data-id=\"7dd8dea\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">How to safely grant (download\/upload) access to specific S3 objects without exposing secrets or managing customer identities in AWS \/ Cognito?\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7c4cf39 elementor-widget elementor-widget-text-editor\" data-id=\"7c4cf39\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span>A simple way to deliver this use case is to use <a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/ShareObjectPreSignedURL.html\" target=\"_blank\" rel=\"noopener noreferrer\">S3 pre-signed URLs<\/a> <\/span><strong><span>generated by the backend<\/span><\/strong><span>.<\/span><\/p><p><span>With S3 pre-signed URLs, you run your own application authorisation logic in your backend code, then use credentials known only to the backend (ideally the role attached to the backend compute, rather than long-lived IAM user keys) to sign a URL that you hand to the client. The signature covers the HTTP method, the bucket, the object key and an expiry, so the URL cannot be retargeted to another object or operation.<\/span><\/p><p><span>Using this URL, the client can perform only the selected operation on this specific object for a period of time you determine (at most seven days), effectively acting like short-term credentials scoped to this one client and object. Two caveats: a URL signed with temporary credentials stops working when that session expires, whatever expiry you asked for; and the URL itself is a bearer token, so it must only travel over TLS and should be issued with the shortest lifetime the use case allows.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7818a22 elementor-widget elementor-widget-heading\" data-id=\"7818a22\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">I'm the Security guy for Corporation X. 
How can I make sure none of my developers use the Cognito unauthenticated guest feature?\n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-62e935f elementor-widget elementor-widget-text-editor\" data-id=\"62e935f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><span>Like most compliance checks, you can either:<\/span><\/p><ul><li><span>Scan CloudTrail logs for CreateIdentityPool and UpdateIdentityPool events whose request parameters set AllowUnauthenticatedIdentities to true (the pool id or name is in the same record, and the calling principal is in userIdentity)<\/span><\/li><li><span>Use AWS Config rules. At the time of writing, there is no AWS-managed rule that detects Cognito Identity Pool unauthenticated guest access (hi there, AWS service team!) but you can always write your own <\/span><a href=\"https:\/\/docs.aws.amazon.com\/config\/latest\/developerguide\/evaluate-config_develop-rules_nodejs.html\" target=\"_blank\" rel=\"noopener noreferrer\"><span>custom Config Rule<\/span><\/a> <span>backed by a Lambda function that calls DescribeIdentityPool and flags AllowUnauthenticatedIdentities.<\/span><\/li><\/ul><p><span>Whichever you pick, also review the unauthenticated role's policy: guest access with a tightly scoped read-only role is a design choice, guest access with s3:* on your bucket is the leak described above.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>S3 is an amazing storage service, able to durably store data at scale.<br \/>\nIn this blog post, I'll show a not-so-well-known way your objects could mistakenly become public.<\/p>","protected":false},"author":1,"featured_media":1026,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[14,52,51],"class_list":["post-1022","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-aws","tag-s3","tag-securite"],"yoast_head":"<!-- This site is optimized with the Yoast SEO 
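To make the pre-signed URL recommendation above concrete, here is an added example (not code from the original post): a standard-library-only Python implementation of the SigV4 query-string signing that `aws s3 presign` and the SDKs perform, alongside the check S3 performs when the URL is presented. The bucket name, object key, region, timestamp and key pair are assumptions for the demo (the key pair is the AWS documentation example, not a real credential), and `verify_presigned_get` stands in for S3's own verification so the behaviour can be observed offline.

```python
"""SigV4 pre-signed GET URL for S3, built and checked with the standard library only.

Added example. Bucket, key, region, timestamp and key pair are constructed
(the key pair is the AWS documentation example, not a real credential).
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
UNRESERVED = "-_.~"  # SigV4 percent-encodes everything else, including "/" in query values


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signature(secret_key, host, canonical_uri, params):
    """SigV4 signature for a GET whose only signed header is Host; returns (signature, canonical_query)."""
    credential_scope = params["X-Amz-Credential"].split("/", 1)[1]  # date/region/service/aws4_request
    date, region, service, _ = credential_scope.split("/")
    canonical_query = "&".join(
        f"{quote(k, safe=UNRESERVED)}={quote(v, safe=UNRESERVED)}" for k, v in sorted(params.items())
    )
    canonical_request = "\n".join(
        ["GET", canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"]
    )
    string_to_sign = "\n".join(
        [ALGORITHM, params["X-Amz-Date"], credential_scope,
         hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()]
    )
    signing_key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date, region, service, "aws4_request"):  # kDate -> kRegion -> kService -> kSigning
        signing_key = _hmac(signing_key, part)
    return hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest(), canonical_query


def presign_get_object(bucket, key, region, access_key, secret_key, expires_in, now, session_token=None):
    """Backend side: after its own authorisation check, sign exactly one GET on one object."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    canonical_uri = "/" + quote(key, safe="/" + UNRESERVED)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),  # seconds; S3 caps this at 7 days
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # mandatory when signing with temporary (role or Cognito) credentials
        params["X-Amz-Security-Token"] = session_token
    signature, canonical_query = _signature(secret_key, host, canonical_uri, params)
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"


def verify_presigned_get(url, secret_key, now):
    """S3 side: recompute the signature over what was actually requested and enforce the expiry."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    try:
        issued = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        if now > issued + timedelta(seconds=int(params["X-Amz-Expires"])):
            return False  # expired: the client has to ask the backend for a fresh URL
        expected, _ = _signature(secret_key, parts.netloc, parts.path, params)
    except (KeyError, ValueError):
        return False  # malformed query string
    return hmac.compare_digest(expected, presented)


DEMO_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # AWS docs example key, not a real secret
DEMO_NOW = datetime(2024, 4, 16, 20, 2, 4, tzinfo=timezone.utc)


def demo_url():
    """A 15-minute GET on one user's report, as the backend would hand it to that user."""
    return presign_get_object("my-app-bucket", "reports/JohnDoe/2024-04.pdf", "eu-west-3",
                              "AKIAIOSFODNN7EXAMPLE", DEMO_SECRET, 900, DEMO_NOW)


if __name__ == "__main__":
    url = demo_url()
    print(url)
    print("valid after 5 min: ", verify_presigned_get(url, DEMO_SECRET, DEMO_NOW + timedelta(minutes=5)))
    print("valid after 16 min:", verify_presigned_get(url, DEMO_SECRET, DEMO_NOW + timedelta(minutes=16)))
    print("other object:      ", verify_presigned_get(url.replace("2024-04", "2024-05"), DEMO_SECRET, DEMO_NOW))
```

The point to notice is what the signature binds: method, host, path, credential scope, date and expiry. Changing the object key or the expiry in the URL invalidates it, and nobody without the backend's secret can produce a fresh one, which is exactly the property the leaked-key and guest-role scenarios lack.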
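The CloudTrail and Config suggestions above, together with the earlier point about a guest role holding s3:*, can be put into one script. The following is an added example, not code from the original post: `audit_identity_pool` is the per-resource logic a custom Config rule's Lambda would run after calling DescribeIdentityPool, GetIdentityPoolRoles and GetRolePolicy, and `guest_enabling_events` is the CloudTrail filter. Every pool id, role name, policy document and log record is constructed sample data (the role `my-role-for-cognito-guests` is named to match the CLI session shown earlier), and nothing here calls AWS.

```python
"""Audit Cognito identity pools for guest access and over-broad guest roles (stdlib only).

Added example. All data below is constructed: pool records mimic
DescribeIdentityPool output, the role mapping mimics GetIdentityPoolRoles,
the policies mimic GetRolePolicy documents and SAMPLE_TRAIL mimics
CloudTrail records. Nothing here calls AWS.
"""

# Policy variable that pins a Cognito identity to its own prefix (e.g. private/${sub}/*).
GUEST_SUB_VARIABLE = "${cognito-identity.amazonaws.com:sub}"
RISKY_ACTION_PREFIXES = ("*", "s3:*", "s3:Put", "s3:Delete")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_identity_pool(pool, unauth_role_arn, policies):
    """Findings for one pool: is guest access on, and what can a guest then do to S3?"""
    pool_id = pool["IdentityPoolId"]
    if not pool.get("AllowUnauthenticatedIdentities"):
        return []  # nobody can mint a guest identity from this pool
    findings = [f"{pool_id}: unauthenticated guest access is enabled"]
    if not unauth_role_arn:
        return findings
    for stmt in _as_list(policies.get(unauth_role_arn, {}).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a.startswith(RISKY_ACTION_PREFIXES) for a in actions):
            findings.append(f"{pool_id}: guest role {unauth_role_arn} allows {actions}")
        if "*" in resources:
            findings.append(f"{pool_id}: guest role {unauth_role_arn} has Resource *")
        objects = [r for r in resources if r.startswith("arn:aws:s3:::") and "/" in r]
        if objects and any(a.startswith("s3:") for a in actions) and not all(GUEST_SUB_VARIABLE in r for r in objects):
            findings.append(f"{pool_id}: guest role {unauth_role_arn} reaches S3 objects not scoped by {GUEST_SUB_VARIABLE}")
    return findings


def guest_enabling_events(records):
    """CloudTrail records that switched guest access on, for alerting."""
    hits = []
    for ev in records:
        if ev.get("eventSource") != "cognito-identity.amazonaws.com":
            continue
        if ev.get("eventName") not in ("CreateIdentityPool", "UpdateIdentityPool"):
            continue
        params = ev.get("requestParameters") or {}
        # CloudTrail writes request fields in lowerCamelCase; accept either casing to be safe.
        flag = params.get("allowUnauthenticatedIdentities", params.get("AllowUnauthenticatedIdentities"))
        if flag is True:
            hits.append({"time": ev.get("eventTime"), "event": ev["eventName"],
                         "pool": params.get("identityPoolId") or params.get("identityPoolName"),
                         "by": (ev.get("userIdentity") or {}).get("arn")})
    return hits


POOL_APP = "eu-west-3:11111111-1111-1111-1111-111111111111"
POOL_BACKOFFICE = "eu-west-3:22222222-2222-2222-2222-222222222222"
POOL_MAPS = "eu-west-3:33333333-3333-3333-3333-333333333333"
GUEST_ROLE = "arn:aws:iam::123456789012:role/my-role-for-cognito-guests"
MAPS_ROLE = "arn:aws:iam::123456789012:role/maps-guest"
SAMPLE_POOLS = [
    {"IdentityPoolId": POOL_APP, "IdentityPoolName": "mobile_app", "AllowUnauthenticatedIdentities": True},
    {"IdentityPoolId": POOL_BACKOFFICE, "IdentityPoolName": "backoffice", "AllowUnauthenticatedIdentities": False},
    {"IdentityPoolId": POOL_MAPS, "IdentityPoolName": "maps", "AllowUnauthenticatedIdentities": True},
]
SAMPLE_UNAUTH_ROLES = {POOL_APP: GUEST_ROLE, POOL_MAPS: MAPS_ROLE}
SAMPLE_POLICIES = {
    GUEST_ROLE: {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:*",
                 "Resource": ["arn:aws:s3:::my-app-bucket", "arn:aws:s3:::my-app-bucket/*"]}]},
    MAPS_ROLE: {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::my-app-bucket/private/{GUEST_SUB_VARIABLE}/*"}]},
}
SAMPLE_TRAIL = [
    {"eventTime": "2024-04-15T09:12:33Z", "eventSource": "cognito-identity.amazonaws.com",
     "eventName": "UpdateIdentityPool", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {"identityPoolId": POOL_APP, "allowUnauthenticatedIdentities": True}},
    {"eventTime": "2024-04-15T09:20:01Z", "eventSource": "cognito-identity.amazonaws.com",
     "eventName": "CreateIdentityPool", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"},
     "requestParameters": {"identityPoolName": "backoffice", "allowUnauthenticatedIdentities": False}},
    {"eventTime": "2024-04-15T10:02:48Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-bob"},
     "requestParameters": {"bucketName": "my-app-bucket"}},
]


def run_audit(pools=SAMPLE_POOLS, unauth_roles=SAMPLE_UNAUTH_ROLES, policies=SAMPLE_POLICIES):
    """Configuration-side check: the logic a custom Config rule's Lambda would run per pool."""
    findings = []
    for pool in pools:
        findings.extend(audit_identity_pool(pool, unauth_roles.get(pool["IdentityPoolId"]), policies))
    return findings


if __name__ == "__main__":
    for line in run_audit():
        print(line)
    for hit in guest_enabling_events(SAMPLE_TRAIL):
        print(hit)
```

On the sample data the `maps` pool is reported only as "guest access enabled", because its role is read-only and scoped by the `${cognito-identity.amazonaws.com:sub}` variable, whereas `mobile_app` gets the two extra findings that describe the leak in this post. That distinction is what keeps such a rule useful: it tells legitimate guest access apart from a guest role that hands the whole bucket to anyone holding the pool id.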
plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Les objets de votre bucket S3 sont peut-\u00eatre publics (m\u00eame si la console AWS vous dit le contraire) - TerraCloud<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Les objets de votre bucket S3 sont peut-\u00eatre publics (m\u00eame si la console AWS vous dit le contraire) - TerraCloud\" \/>\n<meta property=\"og:description\" content=\"S3 est un service de stockage incroyable, capable de stocker durablement des donn\u00e9es \u00e0 l&#039;\u00e9chelle. Dans cet article de blog, je vais vous montrer une mani\u00e8re peu connue par laquelle vos objets pourraient devenir publics par erreur .\" \/>\n<meta property=\"og:url\" content=\"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl\" \/>\n<meta property=\"og:site_name\" content=\"TerraCloud\" \/>\n<meta property=\"article:published_time\" content=\"2024-05-02T14:34:23+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-09-02T14:49:18+00:00\" \/>\n<meta name=\"author\" content=\"terracloud\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"terracloud\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/dev.to\\\/aws-builders\\\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/blog\\\/2024\\\/05\\\/02\\\/les-objets-de-votre-bucket-s3-sont-peut-etre-publics-meme-si-la-console-aws-vous-dit-le-contraire\\\/\"},\"author\":{\"name\":\"terracloud\",\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/#\\\/schema\\\/person\\\/c84d6bb6d61012fe7510ecd7c4a0407b\"},\"headline\":\"Les objets de votre bucket S3 sont peut-\u00eatre publics (m\u00eame si la console AWS vous dit le contraire)\",\"datePublished\":\"2024-05-02T14:34:23+00:00\",\"dateModified\":\"2024-09-02T14:49:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/blog\\\/2024\\\/05\\\/02\\\/les-objets-de-votre-bucket-s3-sont-peut-etre-publics-meme-si-la-console-aws-vous-dit-le-contraire\\\/\"},\"wordCount\":1241,\"publisher\":{\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/dev.to\\\/aws-builders\\\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/old-web.terracloud.fr\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/https-dev-to-uploads.s3.amazonaws.com-uploads-articles-2atzrs9kam06a0cso3bt.avif\",\"keywords\":[\"aws\",\"s3\",\"s\u00e9curit\u00e9\"],\"articleSection\":[\"Blog\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/blog\\\/2024\\\/05\\\/02\\\/les-objets-de-votre-bucket-s3-sont-peut-etre-publics-meme-si-la-console-aws-vous-dit-le-contraire\\\/\",\"url\":\"https:\\\/\\\/dev.to\\\/aws-builders\\\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-
so-4dcl\",\"name\":\"Les objets de votre bucket S3 sont peut-\u00eatre publics (m\u00eame si la console AWS vous dit le contraire) - TerraCloud\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/dev.to\\\/aws-builders\\\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/dev.to\\\/aws-builders\\\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/old-web.terracloud.fr\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/https-dev-to-uploads.s3.amazonaws.com-uploads-articles-2atzrs9kam06a0cso3bt.avif\",\"datePublished\":\"2024-05-02T14:34:23+00:00\",\"dateModified\":\"2024-09-02T14:49:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/dev.to\\\/aws-builders\\\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/dev.to\\\/aws-builders\\\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/dev.to\\\/aws-builders\\\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#primaryimage\",\"url\":\"https:\\\/\\\/old-web.terracloud.fr\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/https-dev-to-uploads.s3.amazonaws.com-uploads-articles-2atzrs9kam06a0cso3bt.avif\",\"contentUrl\":\"https:\\\/\\\/old-web.terracloud.fr\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/https-dev-to-uploads.s3.amazonaws.com-uploads-articles-2atzrs9kam06a0cso3bt.avif\",\"width\":1000,\"height\":420},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/dev.to\\\/aws-builders\\\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\
"name\":\"Accueil\",\"item\":\"https:\\\/\\\/old-web.terracloud.fr\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Les objets de votre bucket S3 sont peut-\u00eatre publics (m\u00eame si la console AWS vous dit le contraire)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/#website\",\"url\":\"https:\\\/\\\/old-web.terracloud.fr\\\/\",\"name\":\"TerraCloud\",\"description\":\"Les deux pieds sur terre, la t\u00eate dans le Cloud\",\"publisher\":{\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/old-web.terracloud.fr\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/#organization\",\"name\":\"TerraCloud\",\"url\":\"https:\\\/\\\/old-web.terracloud.fr\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/old-web.terracloud.fr\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo-orange.png\",\"contentUrl\":\"https:\\\/\\\/old-web.terracloud.fr\\\/wp-content\\\/uploads\\\/2023\\\/08\\\/Logo-orange.png\",\"width\":600,\"height\":76,\"caption\":\"TerraCloud\"},\"image\":{\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/old-web.terracloud.fr\\\/#\\\/schema\\\/person\\\/c84d6bb6d61012fe7510ecd7c4a0407b\",\"name\":\"terracloud\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/097721015575d61db7c915fea44fcf2f41f4a94b0cdc56e181770f1f623acab8?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/097721015575d61db7c915fea44fcf2f4
1f4a94b0cdc56e181770f1f623acab8?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/097721015575d61db7c915fea44fcf2f41f4a94b0cdc56e181770f1f623acab8?s=96&d=mm&r=g\",\"caption\":\"terracloud\"},\"sameAs\":[\"http:\\\/\\\/old-web.terracloud.fr\"],\"url\":\"https:\\\/\\\/old-web.terracloud.fr\\\/en\\\/blog\\\/author\\\/terracloud\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Les objets de votre bucket S3 sont peut-\u00eatre publics (m\u00eame si la console AWS vous dit le contraire) - TerraCloud","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl","og_locale":"en_US","og_type":"article","og_title":"Les objets de votre bucket S3 sont peut-\u00eatre publics (m\u00eame si la console AWS vous dit le contraire) - TerraCloud","og_description":"S3 est un service de stockage incroyable, capable de stocker durablement des donn\u00e9es \u00e0 l'\u00e9chelle. Dans cet article de blog, je vais vous montrer une mani\u00e8re peu connue par laquelle vos objets pourraient devenir publics par erreur .","og_url":"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl","og_site_name":"TerraCloud","article_published_time":"2024-05-02T14:34:23+00:00","article_modified_time":"2024-09-02T14:49:18+00:00","author":"terracloud","twitter_card":"summary_large_image","twitter_misc":{"Written by":"terracloud","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#article","isPartOf":{"@id":"https:\/\/old-web.terracloud.fr\/blog\/2024\/05\/02\/les-objets-de-votre-bucket-s3-sont-peut-etre-publics-meme-si-la-console-aws-vous-dit-le-contraire\/"},"author":{"name":"terracloud","@id":"https:\/\/old-web.terracloud.fr\/#\/schema\/person\/c84d6bb6d61012fe7510ecd7c4a0407b"},"headline":"Les objets de votre bucket S3 sont peut-\u00eatre publics (m\u00eame si la console AWS vous dit le contraire)","datePublished":"2024-05-02T14:34:23+00:00","dateModified":"2024-09-02T14:49:18+00:00","mainEntityOfPage":{"@id":"https:\/\/old-web.terracloud.fr\/blog\/2024\/05\/02\/les-objets-de-votre-bucket-s3-sont-peut-etre-publics-meme-si-la-console-aws-vous-dit-le-contraire\/"},"wordCount":1241,"publisher":{"@id":"https:\/\/old-web.terracloud.fr\/#organization"},"image":{"@id":"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#primaryimage"},"thumbnailUrl":"https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2024\/09\/https-dev-to-uploads.s3.amazonaws.com-uploads-articles-2atzrs9kam06a0cso3bt.avif","keywords":["aws","s3","s\u00e9curit\u00e9"],"articleSection":["Blog"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/old-web.terracloud.fr\/blog\/2024\/05\/02\/les-objets-de-votre-bucket-s3-sont-peut-etre-publics-meme-si-la-console-aws-vous-dit-le-contraire\/","url":"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl","name":"Les objets de votre bucket S3 sont peut-\u00eatre publics (m\u00eame si la console AWS vous dit le contraire) - 
TerraCloud","isPartOf":{"@id":"https:\/\/old-web.terracloud.fr\/#website"},"primaryImageOfPage":{"@id":"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#primaryimage"},"image":{"@id":"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#primaryimage"},"thumbnailUrl":"https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2024\/09\/https-dev-to-uploads.s3.amazonaws.com-uploads-articles-2atzrs9kam06a0cso3bt.avif","datePublished":"2024-05-02T14:34:23+00:00","dateModified":"2024-09-02T14:49:18+00:00","breadcrumb":{"@id":"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#primaryimage","url":"https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2024\/09\/https-dev-to-uploads.s3.amazonaws.com-uploads-articles-2atzrs9kam06a0cso3bt.avif","contentUrl":"https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2024\/09\/https-dev-to-uploads.s3.amazonaws.com-uploads-articles-2atzrs9kam06a0cso3bt.avif","width":1000,"height":420},{"@type":"BreadcrumbList","@id":"https:\/\/dev.to\/aws-builders\/your-s3-objects-could-be-public-even-though-the-aws-console-doesnt-say-so-4dcl#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/old-web.terracloud.fr\/"},{"@type":"ListItem","position":2,"name":"Les objets de votre bucket S3 sont peut-\u00eatre publics (m\u00eame si la console AWS vous dit le 
contraire)"}]},{"@type":"WebSite","@id":"https:\/\/old-web.terracloud.fr\/#website","url":"https:\/\/old-web.terracloud.fr\/","name":"TerraCloud","description":"Feet on the ground, head in the Cloud","publisher":{"@id":"https:\/\/old-web.terracloud.fr\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/old-web.terracloud.fr\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/old-web.terracloud.fr\/#organization","name":"TerraCloud","url":"https:\/\/old-web.terracloud.fr\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/old-web.terracloud.fr\/#\/schema\/logo\/image\/","url":"https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2023\/08\/Logo-orange.png","contentUrl":"https:\/\/old-web.terracloud.fr\/wp-content\/uploads\/2023\/08\/Logo-orange.png","width":600,"height":76,"caption":"TerraCloud"},"image":{"@id":"https:\/\/old-web.terracloud.fr\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/old-web.terracloud.fr\/#\/schema\/person\/c84d6bb6d61012fe7510ecd7c4a0407b","name":"terracloud","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/097721015575d61db7c915fea44fcf2f41f4a94b0cdc56e181770f1f623acab8?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/097721015575d61db7c915fea44fcf2f41f4a94b0cdc56e181770f1f623acab8?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/097721015575d61db7c915fea44fcf2f41f4a94b0cdc56e181770f1f623acab8?s=96&d=mm&r=g","caption":"terracloud"},"sameAs":["http:\/\/old-web.terracloud.fr"],"url":"https:\/\/old-web.terracloud.fr\/en\/blog\/author\/terracloud\/"}]}},"_links":{"self":[{"href":"https:\/\/old-web.terracloud.fr\/en\/wp-json\/wp\/v2\/posts\/1022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/old-web.terra
cloud.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/old-web.terracloud.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/old-web.terracloud.fr\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/old-web.terracloud.fr\/en\/wp-json\/wp\/v2\/comments?post=1022"}],"version-history":[{"count":8,"href":"https:\/\/old-web.terracloud.fr\/en\/wp-json\/wp\/v2\/posts\/1022\/revisions"}],"predecessor-version":[{"id":1033,"href":"https:\/\/old-web.terracloud.fr\/en\/wp-json\/wp\/v2\/posts\/1022\/revisions\/1033"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/old-web.terracloud.fr\/en\/wp-json\/wp\/v2\/media\/1026"}],"wp:attachment":[{"href":"https:\/\/old-web.terracloud.fr\/en\/wp-json\/wp\/v2\/media?parent=1022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/old-web.terracloud.fr\/en\/wp-json\/wp\/v2\/categories?post=1022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/old-web.terracloud.fr\/en\/wp-json\/wp\/v2\/tags?post=1022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}