

Security tips for Amazon S3 users - themindhack
http://securitybits.net/security-tips-amazon-s3-users
Amazon S3 (Simple Storage Service) is a popular and great service to store and share large amounts of data. It’s reliable, scalable, cheap and secure. Unfortunately, Amazon lacks decent documentation and guides on how to use its service properly and how users should implement S3 security to protect their content. SecurityBits compiled a list of essential security tips for S3 users.
======
ryandvm
> If you host sensitive or private data on your S3 account, you wouldn’t want
> anyone to find it with a simple Google search query. To prevent search
> engines from indexing your bucket, place a file named robots.txt in the
> bucket.

Wow - this is a security blog? If you host sensitive data, don't make it
publicly readable _at all_. Documenting its existence in a world-readable
robots.txt is a recipe for disaster.

~~~
goglog
Not exactly true. I use an S3 account to host my files only. I don't use it for
hosting or whatsoever. If I use robots.txt, I prevent it from appearing in
Google and since you don't know my bucket name or my S3 account name, you
can't read my robots.txt file.

~~~
rgrove
If you need a robots.txt, you're doing it wrong.

Set the ACLs on your buckets and files so that they're not readable or
listable by anyone but you. There's no reason to depend on obscurity to
protect your data when you can easily secure it using ACLs.
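
An added example, not part of the thread or of rgrove's comment: one way to check that a bucket ACL grants nothing to anyone but the owner. It parses the AccessControlPolicy XML that S3 returns for a bucket's ACL; the function names, the owner ID and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
GROUP = "http://acs.amazonaws.com/groups/global/"
# Predefined S3 grantee groups that reach far beyond the bucket owner.
BROAD = {GROUP + "AllUsers": "anyone, unauthenticated",
         GROUP + "AuthenticatedUsers": "any AWS account"}
# Effect of each ACL permission when it is granted on a bucket.
EFFECT = {"READ": "list keys", "WRITE": "create/overwrite/delete objects",
          "READ_ACP": "read the ACL", "WRITE_ACP": "rewrite the ACL",
          "FULL_CONTROL": "all of the above"}

def audit_bucket_acl(acl_xml):
    """Return (grantee, permission, effect) for every grant not held by the owner."""
    root = ET.fromstring(acl_xml)
    owner = root.findtext("s3:Owner/s3:ID", namespaces=NS)
    findings = []
    for grant in root.iterfind("s3:AccessControlList/s3:Grant", NS):
        perm = grant.findtext("s3:Permission", namespaces=NS)
        grantee = grant.find("s3:Grantee", NS)
        uri = grantee.findtext("s3:URI", namespaces=NS)
        who = (grantee.findtext("s3:ID", namespaces=NS)
               or grantee.findtext("s3:EmailAddress", namespaces=NS))
        if uri is None and who == owner:
            continue  # the owner's own grant is expected
        label = BROAD.get(uri, uri) if uri else "account " + str(who)
        findings.append((label, perm, EFFECT.get(perm, "unknown")))
    return findings

def _acl(grants):
    """Build a constructed ACL document (real responses also carry xsi:type)."""
    body = "".join(
        f"<Grant><Grantee><{tag}>{val}</{tag}></Grantee>"
        f"<Permission>{perm}</Permission></Grant>" for tag, val, perm in grants)
    return (f'<AccessControlPolicy xmlns="{NS["s3"]}"><Owner><ID>OWNER-ID-EXAMPLE</ID>'
            f"</Owner><AccessControlList>{body}</AccessControlList></AccessControlPolicy>")

# Constructed samples: a private bucket and one that lets everyone list it.
PRIVATE_ACL = _acl([("ID", "OWNER-ID-EXAMPLE", "FULL_CONTROL")])
LISTABLE_ACL = _acl([("ID", "OWNER-ID-EXAMPLE", "FULL_CONTROL"),
                     ("URI", GROUP + "AllUsers", "READ")])

if __name__ == "__main__":
    for name, acl in (("private", PRIVATE_ACL), ("listable", LISTABLE_ACL)):
        print(name, audit_bucket_acl(acl) or "owner only")
```

An empty result means the ACL matches the advice above; objects carry their own ACLs, so the same check applies to each object's ACL document.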

------
goglog
I wasn't aware of those options at all when I first read about S3. Definitely
worth reading for any S3 user.

