
Security: shvc/s3cli


SECURITY.md

Security Policy

Supported Versions

The following versions are currently supported with security updates.

Version Supported
2.x.x
1.x.x

TLS/SSL Configuration

By default, s3cli validates TLS certificates. To skip TLS verification (not recommended for production), use the --insecure or -k flag:

s3cli -e https://s3.example.com -k ls

WARNING: Disabling TLS verification makes connections vulnerable to man-in-the-middle attacks. Only use this flag in trusted development environments or with explicit understanding of the security implications.

Authentication

AWS Signature Versions

s3cli supports both AWS Signature Version 4 (default) and Version 2:

  • Version 4 (default): Uses SHA-256 for HMAC, recommended for all new applications
  • Version 2 (--v2sign): Uses SHA-1 for HMAC as required by the protocol specification

Note: AWS Signature V2 requires SHA-1 as part of the protocol specification. For security reasons, prefer Signature V4 which uses SHA-256.
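As an added example (not s3cli's or the AWS SDK's own code), the two primitives the note above contrasts, written in Go with only the standard library: the Signature V4 signing-key derivation, which folds the secret through date, region and service before it ever touches request data, and the Signature V2 signature, a single HMAC-SHA1 keyed directly with the long-lived secret. The secret key and the string-to-sign are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// hmacSHA256 returns HMAC-SHA256(key, data), the primitive Signature V4 is built on.
func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

// SigV4SigningKey derives the scoped signing key used by Signature V4.
// The raw secret is never applied to request data directly: it is chained
// through the date, region and service, so a leaked signing key is only
// usable for that one day, region and service.
func SigV4SigningKey(secret, date, region, service string) []byte {
	kDate := hmacSHA256([]byte("AWS4"+secret), date)
	kRegion := hmacSHA256(kDate, region)
	kService := hmacSHA256(kRegion, service)
	return hmacSHA256(kService, "aws4_request")
}

// SigV2Signature computes a Signature V2 value: one HMAC-SHA1 of the
// string-to-sign keyed with the long-lived secret itself, base64-encoded.
// SHA-1 here is mandated by the V2 protocol, which is why s3cli keeps it.
func SigV2Signature(secret, stringToSign string) string {
	m := hmac.New(sha1.New, []byte(secret))
	m.Write([]byte(stringToSign))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

func main() {
	// Constructed sample inputs; the secret is a placeholder, not a real key.
	secret := "EXAMPLESECRETKEYDONOTUSE"
	k1 := SigV4SigningKey(secret, "20240101", "us-east-1", "s3")
	k2 := SigV4SigningKey(secret, "20240102", "us-east-1", "s3")
	fmt.Println("v4 signing key (day 1):", hex.EncodeToString(k1))
	fmt.Println("v4 signing key (day 2):", hex.EncodeToString(k2))
	fmt.Println("v2 signature:", SigV2Signature(secret, "GET\n\n\n1704067200\n/bucket/key"))
}
```

Running it shows that changing only the date yields an unrelated V4 signing key, whereas the V2 output is a direct function of the secret for every request.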

Credentials

Credentials can be provided via:

  1. Command-line flags: --ak (access key) and --sk (secret key)
  2. Environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
  3. AWS credentials file with --profile

Important: Never commit credentials to version control. Use environment variables or secure credential management systems.

Security Considerations

Endpoint Security

  • HTTP vs HTTPS: If no protocol is specified, s3cli defaults to HTTP. Always specify https:// for secure connections.
  • Custom endpoints: When using self-signed certificates, use the --insecure flag sparingly and understand the risks.

Presigned URLs

Presigned URLs generated by s3cli (--presign flag) provide temporary access to S3 resources:

  • Default expiration: 24 hours
  • Customize with --presign-exp flag

Treat presigned URLs as sensitive credentials: anyone with the URL can access the resource until it expires.

Object Lock and Versioning

For compliance and data protection, consider enabling:

  • Object Lock: WORM (Write Once Read Many) retention
  • Versioning: Protect against accidental deletion

Dependency Security

This project uses:

  • github.com/aws/aws-sdk-go - Official AWS SDK for Go
  • github.com/spf13/cobra - CLI framework
  • github.com/johannesboyne/gofakes3 - S3 mock server (testing only)

Keep dependencies updated by running:

go get -u ./...
go mod tidy

Reporting a Vulnerability

Create an issue at https://github.com/shvc/s3cli/issues
