Saturday, June 28, 2025

Amazon S3 Pre-Signed URLs | Overview & Hands-On.


Scope:

  • Intro,
  • The concept: Pre-Signed URL,
  • Use Cases,
  • How S3 Pre-Signed URLs Work,
  • How twtech Generates a Pre-Signed URL,
  • Security Considerations,
  • Permissions Needed,
  • Project: Hands-on.

Intro:

  • Amazon S3 pre-signed URLs are the way twtech grants time-limited access to its Amazon S3 objects without making them publicly accessible; once the time limit expires, the URL no longer grants access.
  • They are especially useful when twtech wants to share private content securely (for security and compliance).

 The concept: Pre-Signed URL

A pre-signed URL is a URL that includes:

  • The S3 object's key (file path)
  • twtech's AWS credential material (the access key ID and a signature computed from the secret key; the secret itself is never in the URL)
  • An expiration time

NB:

  • This URL allows anyone who has it to download or upload (depending on the HTTP method) the object directly from/to S3, without needing their own AWS credentials.

 Use Cases

  • Temporary download links for private files
  • Secure upload links (e.g., for file uploads via a web or mobile app)
  • Letting third parties temporarily access an object

 How S3 Pre-Signed URLs Work

  1. twtech (the AWS account holder or IAM user) generates a pre-signed URL using its credentials.
  2. The URL contains a cryptographic signature that proves the request was made by someone with access.
  3. twtech sends the URL to a client (e.g., web user, mobile app).
  4. The client uses it to access the S3 object within the time limit.

 How twtech Generates a Pre-Signed URL

Using AWS SDK (Sample in Python with boto3)

# python
import boto3
from botocore.exceptions import NoCredentialsError

# Uses the default credential chain (environment, shared credentials file, instance/role credentials).
s3_client = boto3.client('s3')

try:
    url = s3_client.generate_presigned_url(
        ClientMethod='get_object',
        Params={
            'Bucket': 'twtech-s3bucket',
            'Key': 'twtech-object-key.txt'
        },
        ExpiresIn=3600  # URL expires in 1 hour
    )
    print("Pre-Signed URL:", url)
except NoCredentialsError:
    # Signing happens locally, so missing credentials surface here rather than as an S3 error.
    print("AWS credentials not found.")

# For Upload:

# python
# Reuses s3_client from above. Whoever holds this URL uploads by sending an HTTP PUT with the object body.
url = s3_client.generate_presigned_url(
    ClientMethod='put_object',
    Params={
        'Bucket': 'twtech-s3bucket',
        'Key': 'twtech-object-key.txt'
    },
    ExpiresIn=3600  # 1 hour (60 sec x 60 min)
)

 Security Considerations:

  • Keep the expiration time as short as possible (seconds to minutes) for better security.
  • Never log or share the pre-signed URL where it might be reused maliciously.
  • Only grant the permissions necessary (e.g., get_object vs. put_object).
  • Do not use pre-signed URLs for permanent access.
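As an added example (not from the original post, and not AWS or boto3 code), the following standard-library helpers apply the considerations above to a URL of the kind generate_presigned_url returns: they read the expiry encoded in the URL's SigV4 query parameters, flag a lifetime longer than policy allows, and redact the signature and credential parameters before the URL is written to a log. SAMPLE_URL is constructed; its bucket, object key, access key ID and signature are placeholders.

```python
# Added example (not from the original post): inspect a SigV4 pre-signed URL
# offline with the standard library. SAMPLE_URL is constructed; its bucket,
# key, access key ID and signature are placeholders.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that carry credential material and must never be logged.
SENSITIVE = {"X-Amz-Signature", "X-Amz-Credential", "X-Amz-Security-Token"}

def _params(url: str) -> dict:
    return dict(parse_qsl(urlsplit(url).query))

def presigned_expiry(url: str) -> datetime:
    """Instant after which S3 rejects the URL as expired: X-Amz-Date plus
    X-Amz-Expires seconds. A URL signed with temporary credentials also
    stops working when those credentials expire, which is not visible here."""
    p = _params(url)
    signed_at = datetime.strptime(p["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    return signed_at + timedelta(seconds=int(p["X-Amz-Expires"]))

def is_expired(url: str, now: datetime) -> bool:
    return now >= presigned_expiry(url)

def exceeds_policy(url: str, max_seconds: int) -> bool:
    """True if the URL was issued with a longer lifetime than policy allows."""
    return int(_params(url)["X-Amz-Expires"]) > max_seconds

def redact(url: str) -> str:
    """Drop signature and credential parameters so the URL is safe to log."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k not in SENSITIVE]
    kept.append(("X-Amz-Signature", "REDACTED"))
    return urlunsplit(parts._replace(query=urlencode(kept)))

# Constructed sample: GET URL signed 2025-06-28 12:00:00 UTC, valid 10 minutes.
SAMPLE_URL = (
    "https://twtech-s3bucket.s3.amazonaws.com/Why-how-when-to-drink-water.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20250628%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20250628T120000Z&X-Amz-Expires=600"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=deadbeef"
)

if __name__ == "__main__":
    print("expires at:", presigned_expiry(SAMPLE_URL).isoformat())
    print("over 5-minute policy:", exceeds_policy(SAMPLE_URL, 300))
    print("loggable form:", redact(SAMPLE_URL))
```

Run the redacted form through your application log rather than the raw URL; the expiry check is also a quick way to confirm that a URL generated by the console or by boto3 was issued with the intended lifetime.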

 Permissions Needed

The IAM user or role generating the pre-signed URL must have permission to perform the operation (e.g., s3:GetObject, s3:PutObject).

Example IAM policy statement:

# json
{
  "Effect": "Allow",
  "Action": ["s3:GetObject"],
  "Resource": "arn:aws:s3:::twtech-s3bucket/*"
}


Project: Hands-on

  • How twtech creates and uses a pre-signed URL so that twtech-users can publicly access a specific object from its bucket for a specific time limit.
  • twtech selects the S3 bucket to configure and opens it: twtech-s3bucket

  • twtech selects and opens the object to configure a pre-signed URL for: Why-how-when-to-drink-water.pdf

NB:

  • The object can't be accessed publicly because public access is blocked on the bucket: twtech-s3bucket is a private S3 bucket.

  • When twtech accesses the object URL directly, S3 returns the message: AccessDenied.

NB:

  • twtech uses a pre-signed URL to allow public access to a specific object for a specified time, for example 10 minutes.
  • twtech navigates to the object's Properties tab, then to Object actions.
  • From the Object actions drop-down menu, select: Share with a presigned URL

  • twtech specifies the time in minutes or hours: 10 minutes

  • twtech can now copy the URL and share it with the twtech-user who needs access to the S3 object for the specified length of time: 10 minutes.

  • twtech verifies in the browser whether the object can be accessed using the pre-signed URL:

From:

  • Yes: the S3 object is successfully accessible by twtechuser from the public internet.

NB:

  1. twtechuser can only access the S3 object publicly for the 10-minute time limit that was configured.

To:

  • After 10 minutes the pre-signed URL for the object should expire.
  • twtechuser won't be able to access the object any longer once the 10-minute limit has passed.
