
Security concern regarding offloading card attachments into S3

Trello's statement regarding security of attachments on cards states:

File attachments to Trello cards are stored in Amazon’s S3 service. Each such attachment is assigned a unique link with an unguessable, cryptographically strong random component, and are only accessible using a secure HTTPS connection.

That said, if the direct URL of the attachment is known/shared one can view the object from a non public Board / Card without authentication.

We use Trello to track project status, and sometimes we add architecture docs to cards. Our assumption was that there's an authentication wall you need to get through to see the content of the cards, but now looking a little closer at this, the objects attached to the cards are being offloaded into S3 but the bucket policy allows one to get the object without authenticating.

Would a better way to achieve this be to ensure that the Trello servers / infrastructure perform the GET of the object from S3 on your behalf? That way Trello ensures the retrieval from S3 is at least authenticated with the use of either an OAuth key or, at the very least, an HTTP Referer check in the S3 bucket policy.

1 answer

0 votes
Garrett (Atlassian Team), Nov 03, 2020

Hey Sean,

If you're looking to get those attachments behind some level of authentication, my recommendation would be to use a file service integrated with Trello, such as Dropbox.

Currently Trello does not require authentication for attachments that are stored on our S3 servers directly (although that is being explored). So the best workaround is to not store those files in Trello, which is where those other services come in.

When attaching a Dropbox file, for example, Trello is not storing any kind of data, but rather just a link to that file in Dropbox as an attachment on the card. If a user on your board selects that attachment, they still have to authenticate with Dropbox before they are able to see/edit the file.
