
AWS Hands-On | S3 Security | S3 Pre-signed URLs

5 min read · Jun 4, 2025


📌 Notice

This is a hands-on tutorial accompanying the blog post:

Pass the AWS Certified Solutions Architect Associate Certification SAA-C03-(Episode 12: S3 Security)

🔹 Focus: Practical implementation of Amazon S3.
🔹 For theoretical concepts and exam-style questions, please refer to the main blog post.

Here’s a step-by-step guide to demonstrating S3 Pre-Signed URLs:

Objective: Understand what an S3 Pre-Signed URL is, how it grants temporary access to private S3 objects, and how to generate one using the AWS S3 console.

Prerequisites:

✔ An AWS account with access to Amazon S3.
✔ An S3 bucket that is not publicly accessible (i.e., its “Block all public access” settings should be enabled, or its bucket policy should not grant public read access).
✔ An object (e.g., coffee.jpg) uploaded to this private S3 bucket.

Step 1: Verify Your Object is Private (Access Denied)

  1. Navigate to your S3 Bucket: Go to the Amazon S3 console and select your private S3 bucket.
  2. Locate Your Object: Find the object you want to demonstrate (coffee.jpg in this example).
  3. Attempt Direct Access via Object URL:
  • Click on the object name (e.g., coffee.jpg).
  • On the object details page, locate the “Object URL” (or “Object overview” section).
  • Copy this URL.
  • Paste the URL into a new browser tab or window where you are not logged into the AWS console (e.g., an Incognito/Private window).
  • Observation: You should receive an “Access Denied” error page. This confirms your object is currently private and not publicly accessible.

Step 2: Understand the Console’s “Open” Functionality (Internal Pre-Signed URL)

  1. Go back to the S3 Console: Return to the object details page for your coffee.jpg within the S3 console.
  2. Click “Open”: Near the “Object URL”, you will see an “Open” button. Click it.

Observation: The image will successfully open in a new tab.

  • Inspect the URL: Look at the URL in the address bar of this new tab. You’ll notice it’s much longer than the simple “Object URL” from Step 1. It contains parameters like X-Amz-Security-Token, X-Amz-Signature, X-Amz-SignedHeaders, and X-Amz-Expires.
https://pre-signed-url-v2.s3.us-east-1.amazonaws.com/coffee.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAQXUIXL7APEMRBZMH%2F20250602%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20250602T013505Z&X-Amz-Expires=300&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEBoaCXVzLWVhc3QtMSJHMEUCIEcioLmGveroOFmVSqQ0ojgFK5iokWUAfJjwXQdV5L09AiEAiqc0hIko3ur7V2Zp%2BzpXfk53aEaATrrJyM1ItNnHDzwq9gII4%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FARAAGgwwNTA3NTI2MTAyNDAiDP85IxFkvDcLwkUB6yrKAvFyzCFfZOr7Qyn6oDXB6NBHbvmBEtkH%2FVNIyhR%2B%2FzwP%2Fw88AmneN9k8NTvocR5uc7RTiusU9d7NuLh9Rtdtp7GT78MbIORY%2BpDzJn8iyS6NgyONjyhj5ycIMeYNa%2Fa0HXsMA%2B8qCvRSktDzmWd%2F3kkxr6fwT%2FBMEpRKI7zZdHGu1uEpmVAUG98kt5Ajow7wXaDkCGxiMZgrdhzUqkQ67JRIKRYEtH49TucgPTsFnhP5i9qAbY3Kg4Itg%2FHdcTpw1w7vU4llPsr9osTYZ78Fg6CW4OHqydXZfrFBX9DHq2qHXBCb%2F5bg80WAXWvQbsCJgHkyUTwapuz%2BHqfagzoZ%2BNcCbpDvAq2wODlZ8JxtU802gS1xexMDJsr7pysmnqdksN5mkBvEuvtw%2BYu9ghxu1YNUhzr%2F5z%2BAeReRxnZ8LLMfmCBUd1DeWdQPjTCW%2FfPBBjqtAvtVvxw%2FCW1Aaiw9TU1nJ2QtGMMzej1fD0GunlwjABW0zVB5zkEShU7VJWOtyhKHrbPLTextnqr2tB%2F9nU58%2FfiRlr3TW7m8VxFjMVNs%2B7cmLk7pT76jR6zw5nr4SOmoDmgWLtVPLGj2ZFgd9CU8ysa03qw3p%2FECqrxrALr5Imm6PsVmv57bTNZleKQ4GETUUsjUQErNmJcrda5TJNZ6bKjWqPYvb5LNqbAI4R11AlqqoH6X43RWj29xlBUeVnr4YmRzXsXv%2B1qrlwoS3ehfZMQBTuxInvKNrBPu0jmOZw8eDyarGK%2FIVkcJQbL2EQf6JwNgGgQ5wv78OPfpEcIkWjHrFt7ro6xc0CVtjfWPw1Ii7Mq8ihqqrNFeJFk%2Br6uhwPXOP%2FfoZVMa6%2FbTuOE%3D&X-Amz-Signature=56a74538032c0c1d91e6eb4136a941f0e51db722dc0bc4d6417da7e64ac3d98e&X-Amz-SignedHeaders=host&response-content-disposition=inline

Explanation: When you click “Open” from the console, AWS dynamically generates a short-lived pre-signed URL using your current AWS console credentials. In the URL above, X-Amz-Expires=300 is the lifetime in seconds, and X-Amz-Security-Token carries the session token of those credentials. This URL allows your browser to temporarily access the private object. This is the key concept behind pre-signed URLs.
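The parameters listed in Step 2 can be read straight out of a pre-signed URL to see when it stops working and which credentials signed it. The Python below is an added example, not part of the original tutorial; the function name `inspect_presigned_url`, the `max_lifetime` policy threshold and the sample URL are assumptions made up for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_SIGV4_EXPIRES = 604800  # SigV4 upper bound for X-Amz-Expires (7 days), seconds
REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date", "X-Amz-Expires", "X-Amz-Signature")

# Constructed sample with the same shape as the URL in Step 2; every value is a placeholder.
SAMPLE_URL = (
    "https://example-private-bucket.s3.us-east-1.amazonaws.com/coffee.jpg"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=ASIAEXAMPLEKEYID0000%2F20250602%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20250602T013505Z&X-Amz-Expires=300"
    "&X-Amz-Security-Token=CONSTRUCTED-TOKEN"
    "&X-Amz-Signature=CONSTRUCTED-SIGNATURE&X-Amz-SignedHeaders=host"
)


def inspect_presigned_url(url, now=None, max_lifetime=3600):
    """Describe when and how a SigV4 pre-signed S3 URL is valid (no network access)."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    missing = [p for p in REQUIRED if p not in q]
    if missing:
        raise ValueError(f"not a SigV4 pre-signed URL, missing: {missing}")
    # X-Amz-Credential = <access-key-id>/<yyyymmdd>/<region>/<service>/aws4_request
    key_id, _day, region, service, _term = q["X-Amz-Credential"].split("/")
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    lifetime = int(q["X-Amz-Expires"])
    expires_at = signed_at + timedelta(seconds=lifetime)
    now = now or datetime.now(timezone.utc)
    findings = []
    if lifetime > max_lifetime:  # max_lifetime is a local policy choice (assumption)
        findings.append(f"lifetime {lifetime}s exceeds policy limit {max_lifetime}s")
    if lifetime > MAX_SIGV4_EXPIRES:
        findings.append("lifetime exceeds the SigV4 maximum of 7 days")
    if "X-Amz-Security-Token" in q:
        findings.append("temporary credentials: URL stops working when that session expires")
    return {
        "host": parts.netloc, "key": parts.path.lstrip("/"),
        "access_key_id": key_id, "region": region, "service": service,
        "signed_headers": q["X-Amz-SignedHeaders"].split(";") if "X-Amz-SignedHeaders" in q else [],
        "signed_at": signed_at, "expires_at": expires_at,
        "expired": now >= expires_at, "findings": findings,
    }


if __name__ == "__main__":
    for name, value in inspect_presigned_url(SAMPLE_URL).items():
        print(f"{name}: {value}")
```

The same check is useful on pre-signed URLs that turn up in tickets, chat exports or proxy logs, where a long lifetime means the link is still a working credential for that object.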

Step 3: Generate a Pre-Signed URL for Sharing

  1. Select the Object: In your S3 bucket’s “Objects” list, select the checkbox next to coffee.jpg.
  2. Click “Object actions”: Click the “Object actions” dropdown menu.
  3. Select “Share with a pre-signed URL”: From the dropdown, choose “Share with a pre-signed URL”.
  4. Set Expiration Time:
  • In the “Share an object with a pre-signed URL” dialog, locate the “Expiration time” setting.
  • Set it to a short duration for demonstration purposes, e.g., “5 minutes”.

  5. Click “Create pre-signed URL”: Click the button to generate the URL.

Observation: A new pre-signed URL will be displayed in the dialog box.

Step 4: Test the Generated Pre-Signed URL

  1. Copy the Pre-Signed URL: Click the “Copy” button next to the generated URL.
  2. Paste and Access:
  • Open a new Incognito/Private browser window (or a browser where you are not logged into AWS).
  • Paste the copied pre-signed URL into the address bar and press Enter.
  • Observation: The coffee.jpg image should successfully load. This confirms that anyone with this URL (even if they don't have AWS credentials) can access the object for the specified duration.

  3. Wait for Expiration (Optional): If you wait longer than the 5-minute expiration time you set, and then try to access the URL again, you will receive an “Access Denied” error.

Conclusion:

You have successfully demonstrated S3 Pre-Signed URLs. You’ve learned that:

  • Pre-signed URLs provide temporary, time-limited access to private S3 objects.
  • They are generated using valid AWS credentials and contain a signature that allows direct access without additional authentication.
  • The S3 console can generate these URLs, and you can specify their expiration time.
  • Anyone with a valid pre-signed URL can access the object, even if the bucket and object are otherwise private.
  • They are very useful for sharing private files securely for a limited duration.



Written by Paul issack minoltan

I am a Professional Software Engineer
