Saturday, June 28, 2025

Amazon S3 | Pre-Signed URLs.

Amazon S3 – Pre-Signed URLs are a way to grant time-limited access to objects in Amazon S3 without making them publicly accessible.

They are especially useful when twtech wants to share private content securely, which matters for both security and compliance.

The concept: Pre-Signed URL

A pre-signed URL is a URL that includes:

·        The S3 object’s key (file path)

·        A signature computed with twtech's AWS credentials (the access key ID appears in the URL; the secret key never does)

·        An expiration time

This URL allows anyone who has it to download or upload (depending on the HTTP method) the object directly from/to S3, without needing their own AWS credentials.

 Use Cases

·        Temporary download links for private files

·        Secure upload links (e.g., for file uploads via a web or mobile app)

·        Letting third parties temporarily access an object

 How S3 Pre-Signed URLs Work

1.     twtech (the AWS account holder or an IAM user) generates a pre-signed URL using its credentials.

2.     The URL contains a cryptographic signature that proves the request was made by someone with access.

3.     twtech sends the URL to a client (e.g., web user, mobile app).

4.     The client uses it to access the S3 object within the time limit.
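To make steps 2 and 4 concrete, here is an added example (not code from the original post or from twtech) that builds and checks the signature itself, using the AWS Signature Version 4 query-string scheme that S3 pre-signed URLs use. The credentials, bucket and object key are constructed placeholders, and `presign` and `verify` are this example's own function names, not boto3 APIs. `verify` plays the part S3 plays when the URL is presented: it recomputes the signature from the URL's own parameters plus the secret key, so any change to the method, object key or expiry makes the check fail, and the secret key never appears in the URL.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, unquote, urlparse

# Constructed, non-functional credentials for illustration (assumption: not real keys).
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "EXAMPLESECRETKEYEXAMPLESECRETKEYEXAMPLE0"
REGION = "us-east-1"
BUCKET = "twtech-s3bucket"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation: an HMAC chain over date, region, service and terminator."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    """Sorted, URI-encoded query string as SigV4 requires."""
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items())
    )


def _signature(method: str, host: str, key: str, params: dict, secret: str) -> str:
    """Compute the SigV4 query-string signature; `params` must not contain the signature."""
    amz_date = params["X-Amz-Date"]
    date = amz_date[:8]
    region = params["X-Amz-Credential"].split("/")[2]
    canonical_request = "\n".join([
        method,
        "/" + quote(key, safe="/-_.~"),   # canonical URI
        _canonical_query(params),
        f"host:{host}\n",                 # canonical headers: only Host is signed
        "host",                           # signed header list
        "UNSIGNED-PAYLOAD",               # presigned URLs do not sign the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        f"{date}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    return hmac.new(signing_key(secret, date, region),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign(method: str, bucket: str, key: str, expires: int, amz_date: str,
            access_key: str = ACCESS_KEY, secret: str = SECRET_KEY, region: str = REGION) -> str:
    """Build a pre-signed URL for `method` (GET or PUT) on s3://bucket/key, valid for `expires` seconds."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params["X-Amz-Signature"] = _signature(method, host, key, params, secret)
    return f"https://{host}/{quote(key, safe='/-_.~')}?{_canonical_query(params)}"


def verify(method: str, url: str, secret: str = SECRET_KEY) -> bool:
    """What S3 does on receipt: recompute the signature from the URL and compare in constant time."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    claimed = params.pop("X-Amz-Signature", "")
    expected = _signature(method, parsed.netloc, unquote(parsed.path[1:]), params, secret)
    return hmac.compare_digest(claimed, expected)


if __name__ == "__main__":
    url = presign("GET", BUCKET, "twtech-object-key.txt", 600, "20250628T120000Z")
    print(url)
    print("valid:", verify("GET", url))
    print("tampered key valid:", verify("GET", url.replace("twtech-object-key.txt", "other.txt")))
```

The expiry check that S3 also performs (X-Amz-Date plus X-Amz-Expires against the current time) is deliberately left out here so the signature logic stays readable; the signature alone already pins the method, object, expiry value and signing date.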

 How twtech Generates a Pre-Signed URL

Using AWS SDK (example in Python with boto3)

# python
import boto3
from botocore.exceptions import NoCredentialsError

# Uses the default credential chain (environment variables, profile, or instance/role credentials).
s3_client = boto3.client('s3')
try:
    url = s3_client.generate_presigned_url(
        ClientMethod='get_object',
        Params={
            'Bucket': 'twtech-s3bucket',
            'Key': 'twtech-object-key.txt'
        },
        ExpiresIn=3600  # URL expires in 1 hour
    )
    print("Pre-Signed URL:", url)
except NoCredentialsError:
    print("AWS credentials not found.")

For Upload:

# python
url = s3_client.generate_presigned_url(
    ClientMethod='put_object',
    Params={
        'Bucket': 'twtech-s3bucket',
        'Key': 'twtech-object-key.txt'
    },
    ExpiresIn=3600  # 1 hour
)

 Security Considerations:

  • Expiration time should be short if possible (seconds to minutes) for better security.
  • Never log or share the pre-signed URL where it might be reused maliciously.
  • Only grant permissions necessary (e.g., get_object vs put_object).
  • Do not use pre-signed URLs for permanent access.
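The second bullet is easier to enforce with a check than with a rule. The following added example (not code from the original post or from twtech) scans constructed application log lines for pre-signed URLs, reports each URL's object key and lifetime, flags lifetimes over an assumed 15-minute limit, and redacts the signature so a leaked line can no longer be replayed. The sample log lines, the `MAX_TTL` policy value and the function names are this example's own assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample application log (not from any real system). Line 1 records a
# 10-minute download URL; line 3 records an upload URL valid for 7 days.
SAMPLE_LOG = """\
2025-06-28T12:00:01Z INFO issued link user=alice url=https://twtech-s3bucket.s3.us-east-1.amazonaws.com/report.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20250628%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250628T120000Z&X-Amz-Expires=600&X-Amz-SignedHeaders=host&X-Amz-Signature=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2025-06-28T12:00:02Z INFO health check ok
2025-06-28T12:05:00Z DEBUG upload url=https://twtech-s3bucket.s3.us-east-1.amazonaws.com/incoming/upload.bin?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAEXAMPLE%2F20250628%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250628T120000Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
"""

# A pre-signed URL is recognisable by its SigV4 query parameters; the signature is 64 hex chars.
PRESIGNED_URL_RE = re.compile(r"https?://\S*[?&]X-Amz-Signature=[0-9a-f]{64}")
SIGNATURE_RE = re.compile(r"(X-Amz-Signature=)[0-9a-f]+")
MAX_TTL = timedelta(minutes=15)  # assumed policy: longer lifetimes are flagged


def inspect_presigned_url(url: str, now: datetime) -> dict:
    """Extract the object key and lifetime and decide whether the URL is still live at `now`."""
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    ttl = timedelta(seconds=int(q["X-Amz-Expires"]))
    return {
        "object": parsed.path,
        "ttl_seconds": int(ttl.total_seconds()),
        "expired": now >= issued + ttl,
        "ttl_too_long": ttl > MAX_TTL,
    }


def redact(url: str) -> str:
    """Remove the signature so the logged URL cannot be reused."""
    return SIGNATURE_RE.sub(r"\1<REDACTED>", url)


def scan_log(text: str, now_utc: str) -> list:
    """Find every pre-signed URL in `text`; `now_utc` is an ISO timestamp like 2025-06-28T12:30:00Z."""
    now = datetime.strptime(now_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in PRESIGNED_URL_RE.finditer(line):
            info = inspect_presigned_url(match.group(0), now)
            info["line"] = lineno
            info["redacted"] = redact(match.group(0))
            findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG, "2025-06-28T12:30:00Z"):
        print(finding)
```

Run against the sample at 12:30 UTC, the first URL has already expired and is within policy, while the upload URL is still live and is flagged because a 7-day lifetime far exceeds the 15-minute limit; both are reported with the signature redacted.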

 Permissions Needed

The IAM user or role generating the pre-signed URL must have permission to perform the operation (e.g., s3:GetObject, s3:PutObject). S3 checks these permissions when the URL is used, not only when it is generated, so if the signer's permissions or credentials are revoked, the URL stops working even before its expiration time.

Example IAM policy snippet:

#  json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::twtech-s3bucket/*"
    }
  ]
}


Project: Hands-on (GUI)

How twtech creates and uses a pre-signed URL so that users can access a specific object from its private bucket, without AWS credentials, for a limited time.

Select the S3 bucket to configure and click to open it: twtech-s3bucket

Select and open the object to configure a pre-signed URL for: Why-how-when-to-drink-water.pdf

NB: The object cannot be accessed publicly because public access is blocked; it is a private S3 bucket.

Opening the object URL directly returns the message: AccessDenied.

How twtech uses a pre-signed URL to allow public access to a specific object for a specified time, such as 10 minutes.

Navigate to the object's Properties tab, then Object actions.

From the Object actions drop-down menu, select: Share with a presigned URL

Specify the time in minutes or hours: 10 minutes

twtech can now copy the URL and share it with anyone who needs access for the specified length of time (10 minutes).

How twtech verifies whether the object can be accessed using the pre-signed URL: in the browser.

[Screenshots: browser response before (AccessDenied on the plain object URL) and after (the object served via the pre-signed URL).]

After 10 minutes the pre-signed URL for the object expires, and the object can no longer be accessed publicly.

