Generating Amazon S3 Pre-signed URLs with SSE (Part 1) | Amazon VGT2 Las Vegas

In Amazon S3, all objects and buckets are private by default. Pre-signed URLs serve as an efficient method for enabling users or customers to upload or download specific objects from your bucket without needing AWS security credentials or permissions. In this first part of the blog, we will explore the various types of pre-signed URLs that can be generated to work with Amazon S3’s server-side encryption (SSE). In the following part, I will share concrete examples of code that demonstrate how to generate and utilize pre-signed URLs in accordance with one of AWS’s most recommended security practices: server-side encryption with AWS Key Management Service (SSE-KMS). For additional insights into the significant advantages offered by AWS Key Management Service, check out this blog post.

The process of generating and utilizing pre-signed URLs requires a signed request for authentication. Amazon S3 supports the most recent Signature Version 4 (SigV4), which mandates that the request body be signed for enhanced security, in addition to the older Signature Version 2 (SigV2). While pre-signed URLs using various SSE options are fully supported with SigV4, this is not the case with SigV2.

Summary of Valid Combinations for Generating Pre-signed URLs with Server-side Encryption

Pre-signed URL generation                                      SigV2   SigV4
-------------------------------------------------------------  ------  ------
SSE with AWS KMS-managed keys (SSE-KMS)                        No      Yes
SSE with Amazon S3-managed keys (SSE-S3)                       Yes     Yes
SSE with customer-provided encryption keys (SSE-C)             Yes     Yes
SSE with specific customer-provided encryption keys (SSE-C)    No      Yes

What differentiates generating a pre-signed URL using SSE-C from SSE-C with specific customer-provided encryption keys? In the former case, the customer-provided encryption key is not required at the time of pre-signed URL generation; it is only needed later, when the URL is actually used to upload or download objects from Amazon S3. Conversely, if you want to enforce a stricter condition on a pre-signed URL, limiting its use to one specific customer-provided encryption key, you can do so by specifying that key during pre-signed URL generation and using SigV4. I will include detailed examples illustrating these two cases in Parts 4 and 5 of this series.
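To make the signing discussion concrete, the following is an added example, not code from the original post or from the AWS SDKs: a stdlib-only model of SigV4 query-string presigning for S3, together with the check the service performs when the URL is consumed. It assumes that an SSE option is conveyed by listing its request header in X-Amz-SignedHeaders (the SDKs may also place some SSE parameters in the query string), so a URL that pins a header only verifies when the consumer sends that exact header, whereas a URL generated without SSE-C headers accepts whatever key headers are sent at use time. Bucket, object key, timestamps and the documentation placeholder credentials are constructed sample values; the `verify` function stands in for what S3 itself does.

```python
"""Added example (not from the original post or the AWS SDKs): a stdlib-only
model of SigV4 query-string presigning for S3.  It shows how server-side
encryption request headers are bound into X-Amz-SignedHeaders and models the
check the service performs when the URL is consumed.  Bucket, key,
credentials and timestamps are constructed sample values."""
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

ALGORITHM = "AWS4-HMAC-SHA256"
AMZ_DATE_FMT = "%Y%m%dT%H%M%SZ"
# Constructed sample credentials (the AWS documentation placeholders).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date: str, region: str) -> bytes:
    # SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    k = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k = _hmac_sha256(k, region)
    k = _hmac_sha256(k, "s3")
    return _hmac_sha256(k, "aws4_request")


def _uri_encode(value: str) -> str:
    # SigV4 canonical encoding keeps only RFC 3986 unreserved characters
    return urllib.parse.quote(value, safe="-_.~")


def _canonical_query(params: dict) -> str:
    return "&".join(f"{_uri_encode(k)}={_uri_encode(v)}"
                    for k, v in sorted(params.items()))


def _signature(method, path, params, headers, secret_key, amz_date, region):
    """SigV4 signature over a presigned request (payload is UNSIGNED-PAYLOAD)."""
    lower = {h.lower(): v.strip() for h, v in headers.items()}
    names = sorted(lower)
    canonical_request = "\n".join([
        method, path, _canonical_query(params),
        "".join(f"{n}:{lower[n]}\n" for n in names),   # canonical headers
        ";".join(names),                                # signed headers
        "UNSIGNED-PAYLOAD",
    ])
    date = amz_date[:8]
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, f"{date}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    return hmac.new(_signing_key(secret_key, date, region),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign(method, bucket, key, region, amz_date, expires, sse_headers=None,
            access_key=ACCESS_KEY, secret_key=SECRET_KEY):
    """Build a presigned URL.  Every header in sse_headers (for example
    x-amz-server-side-encryption, or the SSE-C key headers) is signed, so the
    consumer must later send it with exactly this value."""
    host = f"{bucket}.s3.amazonaws.com"
    headers = {"host": host, **{h.lower(): v for h, v in (sse_headers or {}).items()}}
    path = "/" + "/".join(_uri_encode(seg) for seg in key.split("/"))
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": ";".join(sorted(headers)),
    }
    sig = _signature(method, path, params, headers, secret_key, amz_date, region)
    return f"https://{host}{path}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify(url, method, sent_headers, secret_key=SECRET_KEY, now=None):
    """Model of the service-side check: recompute the signature from the URL
    plus the headers the consumer actually sent, and enforce the expiry window
    (`now` is a timestamp in X-Amz-Date format; default is the current UTC time).
    Headers that were not pinned at generation time are ignored."""
    parts = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    amz_date = params["X-Amz-Date"]
    region = params["X-Amz-Credential"].split("/")[2]
    issued = datetime.strptime(amz_date, AMZ_DATE_FMT)
    now = now or datetime.now(timezone.utc).strftime(AMZ_DATE_FMT)
    current = datetime.strptime(now, AMZ_DATE_FMT)
    if not issued <= current <= issued + timedelta(seconds=int(params["X-Amz-Expires"])):
        return False  # outside the X-Amz-Expires window
    sent = {h.lower(): v for h, v in sent_headers.items()}
    sent["host"] = parts.netloc
    signed = params["X-Amz-SignedHeaders"].split(";")
    if any(h not in sent for h in signed):
        return False  # a pinned header was not sent
    expected = _signature(method, parts.path, params,
                          {h: sent[h] for h in signed}, secret_key, amz_date, region)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    kms = {"x-amz-server-side-encryption": "aws:kms"}
    url = presign("PUT", "examplebucket", "reports/q1.csv", "us-east-1",
                  "20130524T000000Z", 3600, sse_headers=kms)
    print(url)
    print(verify(url, "PUT", kms, now="20130524T003000Z"))   # header matches
    print(verify(url, "PUT", {}, now="20130524T003000Z"))    # pinned header missing
```

Because the signature covers the method, the canonical URI, the query parameters (including the expiry) and every header named in X-Amz-SignedHeaders, a consumer cannot swap `aws:kms` for `AES256` on a URL that pinned SSE-KMS, omit the header, or reuse the URL after its window; a URL that did not pin SSE-C headers verifies regardless of which key headers accompany it, which is the distinction the table above draws between the two SSE-C rows.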

In the next entry (Part 2), I will provide specific code snippets demonstrating how to generate and consume pre-signed URLs using server-side encryption with AWS KMS-managed keys (SSE-KMS). Stay tuned!
