Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Interests
See all
Community resources
Top groups
Explore all groups
Community resources

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Sign up for free Log in
Atlassian Community Hero Image Collage

Security concern regarding offloading card attachments into S3

Sean Shuping
Sean Shuping Oct 30, 2020

Trello's statement regarding security of attachments on cards states:

File attachments to Trello cards are stored in Amazon’s S3 service. Each such attachment is assigned a unique link with an unguessable, cryptographically strong random component, and are only accessible using a secure HTTPS connection.

That said, if the direct URL of the attachment is known/shared one can view the object from a non public Board / Card without authentication.

We use Trello to track project status, and sometimes we add architecture docs to cards. Our assumption was that there's an authentication wall you need to get through to see the content of the cards, but now looking a little closer at this, the objects attached to the cards are being offloaded into S3 but the bucket policy allows one to get the object without authenticating.

Would a better way to achieve this be: Ensure that the Trello servers / infrastructure perform the GET of the object from S3 on your behalf? That way Trello ensures the retrieval from S3 is at least authenticated with the use of either an oauth key or at the very least an HTTP referer on the S3 bucket policy.

Answer
Watch
Like Be the first to like this
227 views

1 answer

0 votes
Garrett
Garrett Atlassian Team Nov 03, 2020

Hey Sean,

If you're looking to get those attachments behind some level of authentication, my recommendation would be to use a file service integrated with Trello, such as Dropbox.

Currently Trello does not require authentication for attachments that are stored on our S3 servers directly(although that is being explored). So the best workaround is to not store those files in Trello, which is where those other services come in.

When attaching a Dropbox file, for example, Trello is not storing any kind of data, but rather just a link to that file in Dropbox as an attachment on the card. If a user on your board selects that attachment, they still have to authenticate with Dropbox before they are able to see/edit the file.

Reply

Suggest an answer

Log in or Sign up to answer
Trello
Trello
TAGS
Community showcase
Monique vdB
Monique vdB
Posted in Trello

Taco Tuesday: Your favorite Trello blog takeaway

Hello friends! From the community that brought you Welcome Wednesday, Throwback Thursday and Friday Fun, welcome to Taco Tuesday, a weekly discussion about all things Trello. The best part? One Tac...

195 views 10 9
Join discussion

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you