2

I'm thinking about separating the static content from the dynamic content, and putting the main www domain with the static content on Amazon S3. The main reason I want to do this is security. This site has the potential to be a target for hackers to break into. I don't have much knowledge in security, and I probably can't handle protecting it to a decent degree.

So does putting the main domain on Amazon S3 really solve all of my security concerns? Are static sites/files hosted on S3 known to be an easy or hard target for hackers? Are there any precautions I need to take myself? (I already decided to have a separate account for S3 than for my EC2 instances, to minimize the risk of hackers getting my security credentials. Does that make sense?)

3
  • I think you're being overly paranoid...
    – Danny Beckett
    Commented Mar 24, 2013 at 10:24
  • You are misunderstanding the services S3 provides, I think. Perhaps you meant EC2?
    – Perception
    Commented Mar 24, 2013 at 10:28
  • FWIW, I agree with you that this belongs on StackOverflow. Commented Mar 24, 2013 at 17:44

1 Answer

2

There is no way for us to determine whether this would be secure. Security is a massively deep topic that requires extensive analysis and an ability to think like an attacker. The best way to get this knowledge is the Web Application Hacker's Handbook. It is an interesting and fun read, but more importantly you'll be full of security knowledge when you're done.

Statistically, chances are very good that a static HTML page on Amazon S3 is secure. The reason is that the majority of vulnerabilities arise from improper handling of user input. This shouldn't be an issue for you.

To improve your security, look through the source of your page for any leaked information. Make sure you're not giving away sensitive information in comments. I've seen this one before:

<!-- Use the DB administrator password for testing: f@keP@a$$w0rD -->

Also don't think that giving your content a static but unlinked URL is providing security. Security through obscurity is not really security.
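The comment review suggested in the answer above can be automated before pages are uploaded. This is an added example, not code from the answer: the keyword list, the function names and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Assumed keyword list; extend it with terms specific to your own stack.
SENSITIVE = re.compile(
    r"password|passwd|secret|credential|api[_-]?key|token|private key",
    re.IGNORECASE,
)

class CommentCollector(HTMLParser):
    """Records every HTML comment together with the line it starts on."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _col = self.getpos()
        self.comments.append((line, data.strip()))

def audit_html(text):
    """Return (line, keyword, comment) for each comment that looks sensitive."""
    parser = CommentCollector()
    parser.feed(text)
    parser.close()
    findings = []
    for line, comment in parser.comments:
        match = SENSITIVE.search(comment)
        if match:
            findings.append((line, match.group(0).lower(), comment))
    return findings

def audit_tree(root):
    """Audit every .htm/.html file under root, e.g. the folder synced to S3."""
    report = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        found = audit_html(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            report[str(path)] = found
    return report

# Constructed sample page; the second comment is the one quoted in the answer.
SAMPLE_PAGE = """<!DOCTYPE html>
<html>
<head><title>Home</title></head>
<body>
<!-- main navigation -->
<h1>Welcome</h1>
<!-- Use the DB administrator password for testing: f@keP@a$$w0rD -->
</body>
</html>
"""
```

It only inspects HTML comments; comments inside inline scripts or separate .js and .css files need their own check.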
