DMS S3 document access process is not secure?

naveen.gupta · August 24, 2023, 4:05pm

I have got Application Security Assessment Report from a client, and they said our S3 document Access process is not secure.

We are using AWS presigned url which is only add expiration time in a url(also exposed Aws Access Key).

Suppose I have login in an Application create a url valid for 5 mins. I have logout from application, But the url is still present in history and anyone who find the url can download before expiry time.

Here user logout but the document is still valid if not expired. I Hope we also got this kind of observation from other client.

So in DMS S3 access policy, we need the same concept like Service Scope. (User Session, Device Session, without session.) So that we can restrict who can access the document.

@DebugHorror @Vikas_Dhillon

Vikas_Dhillon · August 25, 2023, 5:29am

@naveen.gupta : In my opinion we should not keep the file validity for 5 minutes, we should keep it for max for 30-40 seconds.

Second, Yes agree there should be provision in DMS to integrate it with Vahana Session Management validity.

naveen.gupta · August 25, 2023, 3:33pm

@Vikas_Dhillon @DebugHorror
Instead of AWS pre-signed URL, I think we have to expose one URL just like /router/engine/v1/gateway, So that we have full control on document access/downloads/view.

DebugHorror · August 25, 2023, 4:31pm

I second that @naveen.gupta. Also, @Vikas_Dhillon there could be problem with downloading 30s authkey if the file is too large.