Share Sensitive Files Using Pre-signed URL

Introduction

AWS provides pre-signed URLs to give temporary access to an object stored in an S3 (Simple Storage Service) bucket for a specific duration, or to upload an object to the bucket, without providing the credentials of the account. The URL is unique for each object. The default expiration time is 5 minutes and the maximum expiration time of a pre-signed URL is 7 days.

Objects stored in an S3 bucket are private by default. It is good practice to keep the S3 bucket and its objects private. If a client needs temporary access to an object, a pre-signed URL is a good choice.

To access the files in an S3 bucket from the AWS console, there are two options:

  1. There is an Object URL by which the user can access the file, but the file must be open to the world (publicly accessible).
  2. An Open button appears when we select an object inside the S3 bucket. In the backend, this Open button generates a pre-signed URL for the selected object and redirects the user to that URL. In this case, there is no need to make the file publicly accessible.

Benefits of Pre-signed URL

  1. Only 10 MB of payload can be passed to any API, so a presigned URL can be used to upload large files (up to 5 GB) to the S3 bucket.
  2. It is a secure way to share private files stored in the S3 bucket, as the URL is signed with an AWS access key.
  3. It provides restricted access, as a single URL allows only GET or PUT.
  4. It is valid only for a specific time interval (until the expiration time).
  5. Each object has a different presigned URL.

Types of Pre-signed URL

  1. Get – A GET pre-signed URL gives temporary access to files stored in an S3 bucket. To get the pre-signed URL of an object, select the object, open the “ACTIONS” menu and choose “Share with a pre-signed URL”. A pop-up asks for the expiration time of the pre-signed URL; then click “Create Presigned URL”.

  2. Put – A PUT pre-signed URL is used to upload files to an S3 bucket without having the security credentials of the AWS account. To generate a pre-signed URL for uploading an object, there is a Boto3 API that can be used in Python code, to which we pass the bucket name, object name, and expiration time.
  3. Post – A POST presigned URL, like PUT, allows you to add content to an S3 bucket. It takes a lot more parameters than the PUT presigned URL and is slightly more complex to incorporate into your application. It allows you to upload to S3 directly using an HTML form.

Implementation

  1. To generate a GET pre-signed URL

  2. To generate a PUT pre-signed URL

A presigned URL contains the following data:

S3 object URL + X-Amz-Security-Token + X-Amz-Algorithm + X-Amz-Date + X-Amz-SignedHeaders + X-Amz-Expires + X-Amz-Credential + X-Amz-Signature

Data Flow Diagram

First, the user calls the API with the payload (Bucket Name, Object Key, and Method). The API forwards the request to the Lambda function, which performs the operation written in its code and returns the presigned URL to the user. With a GET URL, the user can request it to access the object; with a PUT URL, the user can send the binary data to upload the file.
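
One way to write the Lambda function in this flow, as an added example that is not the original post's code. It calls the Boto3 `generate_presigned_url` API; the JSON field names (`bucket`, `key`, `method`), the allowlisted bucket and prefix, and the 300-second expiry are assumptions. Because the returned URL carries the function's own S3 permissions, the payload is checked against a policy before anything is signed.

```python
import json

# Assumed policy for illustration: bucket -> key prefix that callers may request.
ALLOWED_PREFIX = {"shared-docs-bucket": "outbound/"}
OPERATIONS = {"GET": "get_object", "PUT": "put_object"}  # one S3 action per URL
EXPIRES_IN = 300  # seconds; keep the window as short as the workflow allows

def reply(status, body):
    return {"statusCode": status, "body": json.dumps(body)}

def handler(event, context, s3=None):
    """Validate the (bucket, key, method) payload, then return a presigned URL."""
    try:
        req = json.loads(event.get("body") or "{}")
        bucket, key, method = str(req["bucket"]), str(req["key"]), str(req["method"]).upper()
    except (ValueError, KeyError, TypeError, AttributeError):
        return reply(400, {"error": "expected JSON with bucket, key and method"})
    # The URL carries this function's own S3 permissions, so never sign an
    # arbitrary caller-supplied bucket or key: check both against the policy.
    prefix = ALLOWED_PREFIX.get(bucket)
    if method not in OPERATIONS or prefix is None:
        return reply(403, {"error": "bucket or method not permitted"})
    if not key.startswith(prefix) or key == prefix:
        return reply(403, {"error": "object key not permitted"})
    if s3 is None:
        import boto3  # available in the Lambda runtime; tests inject a stub client
        s3 = boto3.client("s3")
    url = s3.generate_presigned_url(OPERATIONS[method],
                                    Params={"Bucket": bucket, "Key": key},
                                    ExpiresIn=EXPIRES_IN)
    return reply(200, {"url": url, "method": method, "expires_in": EXPIRES_IN})
```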

Conclusion

Using a presigned URL is a more secure way to give temporary access to files stored in an S3 bucket, or temporary access to upload to a bucket. For sharing sensitive files stored in an S3 bucket, we should always use a presigned URL.

A presigned URL gives you access to the object identified in the URL only if the creator of the presigned URL has permission to access that object. That is, if you receive a presigned URL to upload an object, you can upload the object only if the creator of the presigned URL has the necessary permissions to upload that object.

FAQs

1. Do we require AWS account credentials to access the presigned URL?

ANS: No, anyone can access the presigned URL without any credentials.

2. Can an IAM user create an S3 presigned URL?

ANS: If the IAM user has access to the S3 objects, then the user can generate the presigned URL.

WRITTEN BY Rohit Lovanshi

Rohit Lovanshi works as a Research Associate (Infra, Migration, and Security Team) at CloudThat. He is AWS Developer Associate certified. He has a positive attitude and works effectively in a team. He loves learning about new technology and trying out different approaches to problem-solving.
