Ref: https://learn.cantrill.io/courses/1820301/lectures/41301489
DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301490
Limitations of Anonymous S3 Access to Private Resources
- Refresher: access to objects in an S3 bucket can be done via:
- IAM users (Principal is an AWS identity with long-term credentials, must authenticate and be authorized)
- IAM roles (Principal assumes a role and uses temporary credentials, must authenticate and be authorized)
- Making the S3 bucket public (Anonymous Principals can access data, no need for authentication nor authorization)
Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0700-SIMPLE_STORAGE_SERVICE(S3)/00_LEARNINGAIDS/S3PresignedURL-1.png
- But what if we want to share private/sensitive data without requiring the Principal to authenticate to AWS?
- IAM identities (users/roles) not suitable because Principal must authenticate… Requires identity management, also not always best user experience…
- S3 bucket being public is not desired… content is private/sensitive, we only want to share it with specific users, not the whole internet…
- Solution: presigned URLs
S3 Presigned URL - Architecture
Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0700-SIMPLE_STORAGE_SERVICE(S3)/00_LEARNINGAIDS/S3PresignedURL-2.png
- 🔧 Provide temporary access to S3 object using YOUR credentials in a safe & secure way
- An IAM identity can execute the generatePreSignedURL operation:
- IAM identity supplies credentials, expiry date & time, object key, and how object will be accessed (GET/download operation, or PUT/upload operation)
- S3 returns a presigned URL, which can be shared with desired entities
- ‼️ Entity who uses the presigned URL to interact with S3 is effectively accessing S3 on behalf of the IAM identity that generated the presigned URL!
- All auth info of IAM identity is encoded inside the presigned URL
- Entity “logs in” behind the scenes to AWS as the IAM identity
- Credentials are encoded, can't be extracted
- ❗ Any operations on S3 via presigned URLs are traced as if done by the IAM identity who generated the presigned URL!
- For security, presigned URLs expire after a set time, to make sure no other entities will get that access
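Added example (not the course's or the AWS SDK's code): a standard-library Python implementation of the SigV4 query-string presigning that generatePreSignedURL performs, showing what the URL carries in the clear (access key ID, date, scope, expiry) and what it does not (the secret key; only an HMAC signature derived from it), plus a reader for the embedded expiry. Bucket name, object key, region and timestamp are assumed values; the key pair is the example pair from AWS's own documentation.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlparse

MAX_EXPIRES = 604800  # SigV4 presigned URLs are capped at 7 days by S3

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_s3_url(bucket, key, method, access_key_id, secret_key, region, expires, now):
    # Build a SigV4 query-string presigned URL locally (no network, no SDK).
    if not 1 <= expires <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.astimezone(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    # The query string carries the access key ID, dates and scope in the clear;
    # the secret key never appears, only a signature derived from it.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    canonical_uri = quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join(
        [method, canonical_uri, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signing_key = _hmac(("AWS4" + secret_key).encode(), amz_date[:8])  # kDate
    for part in (region, "s3", "aws4_request"):  # kRegion, kService, kSigning
        signing_key = _hmac(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_query}&X-Amz-Signature={signature}"

def expires_at(url: str) -> datetime:
    # When S3 stops honouring the URL: embedded start time plus X-Amz-Expires.
    qs = parse_qs(urlparse(url).query)
    start = datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return start + timedelta(seconds=int(qs["X-Amz-Expires"][0]))

SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed timestamp

def demo_url() -> str:
    # Constructed inputs; the key pair is the example pair from AWS's own documentation.
    return presign_s3_url("my-bucket", "private/photo.jpg", "GET", "AKIAIOSFODNN7EXAMPLE",
                          "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1", 300, SAMPLE_NOW)
```

Anyone holding the URL can replay the request until expires_at(url), which is why the short expiry matters and why requests made with it show up in logs as the generating identity.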
Common Use Cases of S3 Presigned URLs
- Offload private media into S3
- Example: freemium webapp (without authentication) for ad-hoc filtering of photos. Clients upload private photos to webapp, backend processes photos and generates new photos, responds to clients with presigned URLs that expire a few minutes later.
- App server is an IAM user that can generate presigned URLs on a per-client basis
- Serverless architectures
- No wish to run expensive app servers that broker access to private S3 buckets