Amazon S3 defaults to having all objects and buckets set to private. Pre-signed URLs serve as an effective mechanism to enable users or customers to upload or download specific objects from your bucket without needing AWS security credentials or permissions.
In this first installment of our blog series, we will explore the various types of pre-signed URLs that can be generated for use with Amazon S3’s server-side encryption (SSE). In part 2, I will share practical code samples illustrating how to create and utilize pre-signed URLs in alignment with one of AWS’s key security best practices – server-side encryption utilizing AWS Key Management Service (SSE-KMS). For more insights into the significant advantages offered by AWS Key Management Service, check out this other blog post.
To start, generating and using pre-signed URLs necessitates signing a request for authentication. Amazon S3 supports the latest Signature Version 4 (SigV4), which requires the request body to be signed for enhanced security, as well as the earlier Signature Version 2 (SigV2). It’s important to note that while pre-signed URLs using various SSE options are fully supported with SigV4, this is not true for SigV2.
Summary of Pre-signed URL Generation with Server-side Encryption
| Pre-signed URL Generation | SigV2 | SigV4 |
|---|---|---|
| Using SSE with AWS KMS-managed keys (SSE-KMS) | No | Yes |
| Using SSE with Amazon S3-managed keys (SSE-S3) | Yes | Yes |
| Using SSE with customer-provided encryption keys (SSE-C) | Yes | Yes |
| Using SSE with specific customer-provided encryption keys (SSE-C) | No | Yes |
What’s the distinction between generating a pre-signed URL using SSE-C and SSE-C with specific customer-provided encryption keys? In the first scenario, the customer-provided encryption key is not required during the URL’s generation. Instead, it must be supplied in the request when the generated pre-signed URL is employed for uploading or downloading objects from Amazon S3.
Conversely, if you wish to impose additional restrictions on a pre-signed URL by requiring its use only with a specific customer-provided encryption key, you can achieve this by specifying the customer-provided encryption key during the generation of the pre-signed URLs and opting for SigV4. I will provide detailed examples illustrating these two scenarios in Parts 4 and 5 of the upcoming blogs.
In the next entry (Part 2), I will present specific code examples demonstrating how to create and use pre-signed URLs with Amazon KMS-managed keys (SSE-KMS). Stay tuned!
For additional authoritative insights on this topic, you can visit this link for further reading.
Leave a Reply