Share Sensitive Files Using Pre-signed URL

Introduction

The pre-signed URL is provided by AWS to give temporary access to any object stored in the S3 (Simple Storage Service) bucket for a specific time duration or to upload the object to the S3 bucket without providing the credentials of the account. This URL is unique for each object. The default expiration time is 5 minutes and the maximum expiration time of the Presigned-url can be of 7 Days.

Objects stored in the S3 bucket are by default Private. It is good practice to keep the S3 bucket and objects private. If there is a need to allow temporary access to any object to the client, then using a pre-signed URL is a good choice.

To access the files of S3 Bucket from the AWS console there are two options:

1. There is an Object URL by which the user can access the file, but the file should be open to the world (publicly accessible)
2. There is an OPEN button showing when we select any object inside the S3 bucket, In the Backend, this Open button generates the pre-signed URL of the selected object and redirects the user to that URL. In this case, there is no need to make the file publicly accessible.

Benefits of Pre-signed URL

1. We can pass only 10 MB of payload size to any API so we can use this presigned URL to upload large files (up to 5 GB) to S3 Bucket
2. Secure way to share the private files stored in the S3 bucket as it is signed with an AWS access key.
3. It provides restricted access as it allows only GET or PUT for a single URL.
4. It is valid only for a specific time interval (till the expiration time).
5. Each object has a different presigned URL.

Types of Pre-signed URL

1. Get – Get pre-signed URL is used to get temporary access to the files stored in S3 Bucket. To get the pre-signed URL of any object select the object, then click on the “ACTIONS” menu and choose “Share with a pre-signed URL”, then a pop-up comes up and asks for the expiration time of the Presigned-url, then click on “Create Presigned URL”.

2. Put – Put pre-signed URL is used to upload the files in S3 Bucket without having the security credential of the AWS account. To generate the pre-signed URL to upload an object there is a Boto3 API that can be used in Python code where we need to pass the Bucket name, Object name, and Expiration time.
3. Post – The POST Presigned, like PUT allows you to add content to an S3 bucket. The POST Presigned URL takes a lot more parameters than the PUT Presigned URL and is slightly more complex to incorporate into your application. It allows you to upload to S3 directly using an HTML form.

Implementation

1. To generate GET pre-signed URL

2. To generate a PUT pre-signed URL

A presigned URL contains the following data: –

S3 object URL + X-Amz-Security-Token +Amz-Algorithm + X-Amz-Date + X-Amz-SignedHeaders + X-Amz-Expires + X-Amz-Credential + X-Amz-Signature

Data Flow Diagram

The first user hits the API with the payload (Bucket Name, Object Key, and Method) then the API forward the request to the lambda function then the function performs the operation which is written in code and return the presigned URL to the user. If there is a GET URL then the user can hit that to access the object or if the PUT URL then the user can pass the binary data to upload the files.

Conclusion

To give temporary access to any files stored in the S3 Bucket or to give temporary access to upload in any Bucket, using the presigned URL is a more secure way. For sharing sensitive files which are stored in S3 Bucket, always we should use a presigned URL.

A presigned URL gives you access to the object identified in the URL only if the creator of the presigned URL has permission to access that object. That is, if you receive a presigned URL to upload an object, you can upload the object only if the creator of the presigned URL has the necessary permissions to upload that object.

About CloudThat