Security concern regarding offloading card attachments into S3

Sean Shuping October 30, 2020

Trello's statement regarding security of attachments on cards states:

File attachments to Trello cards are stored in Amazon’s S3 service. Each such attachment is assigned a unique link with an unguessable, cryptographically strong random component, and are only accessible using a secure HTTPS connection.

That said, if the direct URL of the attachment is known/shared, one can view the object from a non-public Board / Card without authentication.

We use Trello to track project status, and sometimes we add architecture docs to cards. Our assumption was that there's an authentication wall you need to get through to see the content of the cards, but now looking a little closer at this, the objects attached to the cards are being offloaded into S3 but the bucket policy allows one to get the object without authenticating.

Would a better way to achieve this be: Ensure that the Trello servers / infrastructure perform the GET of the object from S3 on your behalf? That way Trello ensures the retrieval from S3 is at least authenticated with the use of either an OAuth key or at the very least an HTTP referer on the S3 bucket policy.

1 answer

0 votes
Garrett
Atlassian Team
November 3, 2020

Hey Sean,

If you're looking to get those attachments behind some level of authentication, my recommendation would be to use a file service integrated with Trello, such as Dropbox.

Currently Trello does not require authentication for attachments that are stored on our S3 servers directly (although that is being explored). So the best workaround is to not store those files in Trello, which is where those other services come in.

When attaching a Dropbox file, for example, Trello is not storing any kind of data, but rather just a link to that file in Dropbox as an attachment on the card. If a user on your board selects that attachment, they still have to authenticate with Dropbox before they are able to see/edit the file.
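The question above proposes that the application server authenticate each request before fetching the object from a private bucket. One way to build that gate, as an added example that is not part of the thread and is not Trello's or Atlassian's code (the signing key, membership table, URL layout and function names are all hypothetical): links are signed, expire, and are bound to the member they were issued to, so a forwarded URL is not enough on its own.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlsplit

SIGNING_KEY = b"demo-key-not-a-real-secret"     # constructed; load from a secret store
BOARD_MEMBERS = {"board-1": {"alice", "bob"}}   # constructed membership table


def _sign(board, attachment, member, expires):
    msg = f"{board}\n{attachment}\n{member}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_link(board, attachment, member, now=None, ttl=60):
    """Issue a short-lived link, and only to an authenticated board member."""
    now = int(time.time()) if now is None else now
    if member not in BOARD_MEMBERS.get(board, set()):
        raise PermissionError("not a member of this board")
    expires = now + ttl
    sig = _sign(board, attachment, member, expires)
    return (f"/attachments/{board}/{attachment}"
            f"?member={member}&expires={expires}&sig={sig}")


def authorize_fetch(url, session_member, now=None):
    """Return True only if the server should GET the object from the private bucket."""
    now = int(time.time()) if now is None else now
    split = urlsplit(url)
    params = dict(parse_qsl(split.query))
    try:
        _, board, attachment = split.path.strip("/").split("/")
        member, sig = params["member"], params["sig"]
        expires = int(params["expires"])
    except (KeyError, ValueError):
        return False                      # malformed link
    expected = _sign(board, attachment, member, expires)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False                      # forged or tampered link
    if now >= expires:
        return False                      # link has aged out
    if session_member != member:
        return False                      # forwarded link, or no logged-in session
    # Re-check membership at fetch time so removal from the board takes effect.
    return member in BOARD_MEMBERS.get(board, set())
```
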
