-
Please do not ever post your keys in a public forum. I strongly advise that you rotate and delete that key immediately, and since you are the moderator, delete the post with your account ID.
I tried out this extension yesterday. I found some very concerning issues:
1) It appears that it requires S3 admin access to the entire account
2) It uses accesskey and secretkey stored on the web server. Are they encrypted? How are they protected?
3) UI asks for account number. You do not need it. This is also a dangerous practice. (it is not a required field, but this is not clear. Call it something else and let users know not to put their actual account number here)
4) There is no provision for using EC2 roles instead of keys
5) With a modest number of buckets, the sync process kills my (t2.micro) instance EVERY TIME.
What I recommend changing:
- Drop the functionality for creating, deleting buckets. You don’t need it and I’m not comfortable enough with Joomla security to open S3 access to the degree required by the current extension.
- At the very least, make it so that the user can specify an IAM credential with access to a specific bucket/key. You don’t need bucket access. You need access to a key within a bucket. Great ideas, but descope, increase security.
- Enable use of EC2 roles for those of us running on AWS
- Store the access keys encrypted when you have to use them at all.
- Revisit the sync process so it doesn’t kill small servers
-
This reply was modified 6 years, 3 months ago by
mobri2a.
This topic contains 7 replies, has 4 voices, and was last updated by 
We moved to new unified forum. Please post all new support queries in our New Forum