
Share Sensitive Files Using Pre-signed URL


Introduction

A pre-signed URL is a mechanism AWS provides to give temporary access to an object stored in an S3 (Simple Storage Service) bucket for a specific duration, or to upload an object to the bucket, without handing over the account's credentials. The URL is unique to each object. The default expiration time is 5 minutes, and the maximum expiration time of a pre-signed URL is 7 days.

Objects stored in an S3 bucket are private by default. It is good practice to keep the S3 bucket and its objects private. If a client needs temporary access to an object, a pre-signed URL is a good choice.

There are two ways to access the files of an S3 bucket from the AWS console:

  1. Every object has an Object URL through which the user can access the file, but the file must be open to the world (publicly accessible).
  2. An Open button appears when we select any object inside the S3 bucket. In the backend, this button generates the pre-signed URL of the selected object and redirects the user to that URL. In this case, there is no need to make the file publicly accessible.


Benefits of Pre-signed URL

  1. We can pass only 10 MB of payload to any API, so a pre-signed URL lets us upload large files (up to 5 GB) directly to the S3 bucket.
  2. It is a secure way to share private files stored in the S3 bucket, because the URL is signed with an AWS access key.
  3. It provides restricted access, as a single URL allows only GET or PUT.
  4. It is valid only for a specific time interval (until the expiration time).
  5. Each object has a different pre-signed URL.

Types of Pre-signed URL

  1. Get – A GET pre-signed URL is used to get temporary access to files stored in an S3 bucket. To get the pre-signed URL of an object, select the object, click the “ACTIONS” menu and choose “Share with a pre-signed URL”. A pop-up then asks for the expiration time of the pre-signed URL; click “Create Presigned URL”.


  2. Put – A PUT pre-signed URL is used to upload files to an S3 bucket without having the security credentials of the AWS account. To generate a pre-signed URL for uploading an object, there is a Boto3 API that can be used in Python code, to which we pass the bucket name, object name, and expiration time.
  3. Post – A POST pre-signed URL, like PUT, allows you to add content to an S3 bucket. It takes many more parameters than the PUT pre-signed URL and is slightly more complex to incorporate into your application. It allows you to upload to S3 directly using an HTML form.

Implementation

  1. To generate a GET pre-signed URL

  2. To generate a PUT pre-signed URL

A presigned URL contains the following data:

S3 object URL + X-Amz-Security-Token + X-Amz-Algorithm + X-Amz-Date + X-Amz-SignedHeaders + X-Amz-Expires + X-Amz-Credential + X-Amz-Signature

Data Flow Diagram

First, the user calls the API with the payload (bucket name, object key, and method). The API forwards the request to the Lambda function, which performs the operation written in its code and returns the presigned URL to the user. If it is a GET URL, the user can request it to access the object; if it is a PUT URL, the user can send the binary data to it to upload the file.

Conclusion

To give temporary access to files stored in an S3 bucket, or temporary permission to upload to a bucket, using a presigned URL is a more secure way. For sharing sensitive files stored in an S3 bucket, we should always use a presigned URL.

A presigned URL gives you access to the object identified in the URL only if the creator of the presigned URL has permission to access that object. That is, if you receive a presigned URL to upload an object, you can upload the object only if the creator of the presigned URL has the necessary permissions to upload that object.


FAQs

1. Do we require AWS account credentials to access the presigned URL?

ANS: – No, anyone can access the presigned URL without any credentials.

2. Can an IAM user create an S3 presigned URL?

ANS: – If the IAM user has access to the S3 objects, then the user can generate the presigned URL.

WRITTEN BY Rohit Lovanshi

Rohit Lovanshi works as a Research Associate (Infra, Migration, and Security Team) at CloudThat. He is AWS Developer Associate certified. He has a positive attitude and works effectively in a team. He loves learning about new technology and trying out different approaches to problem-solving.
