Use pre-signed URLs for secure temporary S3 access without exposing AWS credentials. Understand all S3 access control mechanisms.
S3 Pre-signed URLs — Secure Temporary Access
A pre-signed URL grants temporary access to a PRIVATE S3 object without requiring AWS credentials. The URL contains the access parameters and expires after a set time — perfect for secure file downloads and uploads in web applications.
Teacher Note: Imagine a museum (S3 bucket) with private exhibits (private objects). Normally nobody can enter without an employee badge (AWS credentials). A pre-signed URL is like a temporary guest pass that lets a visitor (user) enter for exactly 1 hour — then the pass expires and is useless.
Pre-signed URL Use Cases
| Scenario | How Pre-signed URLs Help |
|---|
| Profile photo download | Server generates a 1-hour pre-signed URL. User's browser downloads photo directly from S3 without credentials |
| Direct file upload | Server generates a pre-signed PUT URL. User uploads file directly to S3 without going through your server — reduces server load |
| Invoice download | Pre-signed URL valid for 24 hours — user can only download their own invoice |
| Partner data sharing | Share specific private files with partners for a limited time without making bucket public |
Generating Pre-signed URLs
import boto3
from datetime import timedelta
s3 = boto3.client('s3')
# Generate download URL (valid 1 hour)
url = s3.generate_presigned_url(
ClientMethod='get_object',
Params={'Bucket': 'my-bucket', 'Key': 'private-file.pdf'},
ExpiresIn=3600 # seconds
)
print(url) # Share this URL with the user
# Anyone with this URL can download the file for 1 hour
# After 1 hour: 403 Forbidden
# Generate upload URL (direct upload from browser)
url = s3.generate_presigned_url(
ClientMethod='put_object',
Params={
'Bucket': 'upload-bucket',
'Key': f'uploads/{user_id}/profile.jpg',
'ContentType': 'image/jpeg'
},
ExpiresIn=300 # 5 minutes to complete upload
)
S3 Access Control Summary
| Method | Use Case | Complexity |
|---|
| Block Public Access | Keep bucket private (default) | Zero — enable and forget |
| Bucket Policy | Grant specific accounts/services access | Medium — JSON policy |
| Pre-signed URL | Temporary access for specific objects | Low — generate with SDK |
| S3 Access Points | Named endpoints per application/team | Medium — one policy per access point |
| VPC Endpoint Policy | Only allow S3 access from within VPC | Medium — endpoint + bucket policy |
Exam Tip: Pre-signed URLs inherit the permissions of the IAM user or role that GENERATED them. If the role loses access to S3 after the URL is generated, the pre-signed URL still works until it expires. Keep URL expiry times short (minutes for uploads, hours for downloads) to limit exposure.