Handling Pre-signed URLs with S3

Crishantha Nanayakkara
Mar 1, 2023


Things you need to remember

In theory, if you want to give a user access to a specific bucket or object without making it public, you can use one of the following methods.

  1. Providing the user with the appropriate permissions using an IAM policy
  2. Creating a pre-signed URL

In this blog, we will concentrate on S3 pre-signed URLs and their usage.

  • By definition, pre-signed URLs can be used to provide temporary access to a specific object to those who do not have AWS credentials.
  • Expiration date and time duration must be configured while generating it.
  • A pre-signed URL can only be used for LIST and PUT operations. The rest of the operations are not supported.

Practicals — Creating a pre-signed S3 URL

Step 1: Create an S3 bucket and upload an object / file into it. There is no need to change any default settings here.

Step 2: Open CloudShell in your AWS console (I assume that you are using an AWS Admin user account here).

When you use CloudShell, you work with the credentials of the identity you are currently logged in as. For example, if you have logged in as an AWS Admin user, CloudShell will work as a user with Admin user privileges.

Step 3: Enter the following command in CloudShell:

$ aws s3 presign s3://<bucket-name>/<file-name>.jpg

Note: You can get the S3 object URI from the console after selecting the object you want to give access to.

figure 01 — generating the pre-signed URL for the S3 object

Step 4: Open a new browser tab and paste the long URL generated above to see the object displayed in it.

figure 02 — accessing the S3 object via the pre-signed URL

Practicals — Revoking permissions of the pre-signed URL

As explained above, the user who created the pre-signed URL had IAM Admin rights. A pre-signed URL is always checked against the permissions of the user who created it.

Step 1: Limit the S3 privileges by adding an IAM in-line policy to the IAM Admin user. You may copy and paste the following JSON into the in-line policy.

figure 02 — IAM In-line Policy

Step 2: Generate a pre-signed URL after limiting the S3 Full Access in Step 2. As you can see, even after revoking S3 access for the user account, you are still allowed to generate the pre-signed URL. (See figure 04)

figure 04 — Generating the pre-signed URL after revoking the S3 Full Access privileges.

However, the generated URL will not give you the ability to view the S3 image (See figure 05). This is mainly because the S3 Full Access permissions have been restricted at the IAM policy level for this Admin user.

figure 05 — The restricted object

You may remove the IAM in-line policy that was added to deny S3 full access, and check whether you can generate the pre-signed URL again. Theoretically, you should be able to.

Thank You!

Crishantha Nanayakkara

Enterprise Architect, Consultant @ FAO (UN), Former CTO, ICTA Sri Lanka