AWS S3 Bucket Website Endpoints have been superseded by better architectural patterns bringing greater control and data protection
AWS S3 Website Endpoints are a venerable feature that existed prior to the widespread adoption and enforcement of TLS (Transport Layer Security) encryption for all HTTP endpoints on the internet. When they were introduced, insecure transport was more common because of the burden and cost of correctly configuring SSL connections. Today, TLS certificates are available for free and their issuance and renewal can be easily automated, so the benefit of secure communication far outweighs the setup cost in almost every scenario.
S3 Website Endpoints do not support TLS certificates, which means that any data transferred is unencrypted. As a result, all communication between your S3 service and its users travels in the clear, making both requests and responses readable by any machine with access to the traffic in transit. Unencrypted network communication not only exposes your data but also reveals user activity to every machine in the vicinity of the transmitted traffic.
Additionally, S3 Website Endpoints lack nuanced access controls: you lose fine-grained control over who may read your content and are forced to make all data in the bucket publicly accessible. Activating an AWS S3 Bucket Website Endpoint results in the entire S3 bucket being exposed to the internet.
In contrast, the alternative solutions provide everything S3 Website Endpoints do, add transport encryption and access control on top, and fit a wider range of use cases than the AWS S3 Website Endpoints.
For typical professional use cases where AWS S3 Website Endpoints have been implemented, the first easy transition is to an AWS CloudFront Distribution with a configured Origin Access Identity (OAI) that delivers your S3 content over TLS. This setup involves configuring a distribution, creating an origin access identity, and updating the policy on your S3 bucket so that only that Origin Access Identity is granted read access to your content (replacing the anonymous public-read grant the Website Endpoint required). Additionally, you may need to update your DNS records to point to the AWS CloudFront distribution instead of the AWS S3 Website Endpoint.
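The bucket-policy step above is where the exposure is actually closed. The following is an added example (not SkySiege's or AWS's code) that places the anonymous-read policy a Website Endpoint needs beside the OAI-scoped replacement, and includes a small audit helper that flags any bucket policy still granting object reads to everyone; the bucket name and the OAI id E1EXAMPLE are placeholders.

```python
# Constructed samples: the anonymous-read policy a Website Endpoint needs, beside
# the replacement that grants read access only to a CloudFront Origin Access
# Identity (the OAI id E1EXAMPLE and the bucket name are placeholders).
WEBSITE_ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadForWebsite", "Effect": "Allow",
                   "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-site-bucket/*"}],
}
OAI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "CloudFrontOAIReadOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::cloudfront:user/"
                                 "CloudFront Origin Access Identity E1EXAMPLE"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-site-bucket/*"}],
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when a statement's Principal is everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy):
    """Return the Sids of Allow statements that let anonymous callers read objects.

    Matches s3:GetObject plus the wildcards s3:* and *. A Condition may narrow
    such a grant, so conditioned hits are marked rather than suppressed.
    """
    read_actions = {"s3:getobject", "s3:*", "*"}
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if is_anonymous_principal(stmt.get("Principal")) and actions & read_actions:
            sid = stmt.get("Sid", "<no Sid>")
            flagged.append(sid + " (conditioned)" if "Condition" in stmt else sid)
    return flagged
```

Run `public_read_statements` over the policy returned by `get-bucket-policy` for each bucket: a non-empty result means the bucket is still readable by anyone, regardless of whether a CloudFront distribution sits in front of it.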
If any applications are unable to communicate securely with CloudFront using TLS and can only function with the insecure AWS S3 Website Endpoint, those applications should be treated as legacy software and should be considered for urgent decommissioning and replacement.
SkySiege Cloud Security Assessments scan for this issue and provide same-day reports.
Available for individual projects or organisations.