Comment by jcims
8 years ago
I wouldn't call it poor advice. It isn't a control, more security by obscurity, but it doesn't exactly hurt anything either. I saw a situation recently where a bucket was accidentally opened to the world, but the name was a UUID and in the entire history of the bucket no request was logged other than from the intended clients.
> but it doesn't exactly hurt anything either.
It hurts me if I'm trying to remember the bucket I'm after.
Is fc20d856-2a7e-41ab-b072-9bb9a68c6bda production or 193565ac-9121-4071-8aeb-62f3111c4c97 or is that the dev setup or the staging data for the other service or...
To me the big question here is why these names have to be global. Why can't I have a UUID externally but a name and an account internally? Honest question, I assume there may be a significant issue as smarter people than me decided not to do it that way.
I've heard many AWS employees lament the global namespace of S3 bucket names. They think it's a mistake too.
Though if they weren't global, they'd probably be "name.accountid.s3...." which isn't really obscure either since AWS account IDs are semi-public.
> in the entire history of the bucket no request was logged other than from the intended clients
This sounds sort of like dumb luck. It just means no one was looking for it; that doesn't mean it's secure. This all reminds me of the xkcd about making passwords that are easy for computers to guess and hard for people to remember[0].
Your security on buckets should be the bucket policy/permissions themselves, not the arbitrary naming of them. Security by obscurity is rarely secure and more about the illusion of security.
[0] https://xkcd.com/936/
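The point above about relying on the bucket policy rather than the name can be checked mechanically. The following is an added example, not part of any comment in this thread: it scans a bucket policy document for `Allow` statements with a wildcard principal. The sample policy, account ID, role name and VPC endpoint ID are constructed, and the check covers only the policy JSON (not ACLs, Block Public Access settings or `NotPrincipal`).

```python
import json

# Constructed sample policy; the bucket name is the UUID quoted in the thread.
BUCKET = "arn:aws:s3:::fc20d856-2a7e-41ab-b072-9bb9a68c6bda"
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
  {"Sid": "AppRead", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
   "Action": "s3:GetObject", "Resource": "%s/*"},
  {"Sid": "Oops", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "%s/*"},
  {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
   "Action": "s3:GetObject", "Resource": "%s/*",
   "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}}
 ]}
""" % (BUCKET, BUCKET, BUCKET))


def _as_list(value):
    # Policy fields may be a single value or a list of values.
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    # "*" and {"AWS": "*"} both mean "anyone", regardless of the bucket's name.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit(policy):
    """Return (public, conditional) labels of Allow statements open to any principal.

    'public' has no Condition at all; 'conditional' has one that needs human review.
    """
    public, conditional = [], []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(st.get("Principal")):
            continue
        label = st.get("Sid", "statement[%d]" % i)
        (conditional if st.get("Condition") else public).append(label)
    return public, conditional


if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```
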
I couldn't agree more with your second point, but risk is usually considered the product of likelihood and impact. If I name my bucket 'bestbuy' vs '4fc6-43b0-bc19-75fe07e06133', the likelihood that some random is going to find my bucket increases dramatically.
The chance of it being found by someone guessing the name would increase dramatically. The chance of it being found by someone running a script that searches for buckets using DNS logs, code searches, etc. would be the same.
Hackers don't often try to guess things. They run scripts. That's why it doesn't matter what you call the bucket.