We have a lambda function with an execution role which has s3 access. Maximum session duration we kept with default option of 1 hour for the role.
When creating a s3 pre signed URL using this lambda function its observed that its valid for limited time only (less than 7 days). Sample code used from https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#getSignedUrl-property
Error observed is expired token issue.
We want it to be valid for 7 days. Is it possible to create s3 presigned URL from lambda function with nodejs?
A pre-signed URL is simply a 'normal' URL, with the addition of an Access Key and a Signature.
Amazon S3 will attempt to retrieve the object using the permissions associated with the provided Access Key. It verifies that the Signature matches both the request and the Secret Key associated with the Access Key.
This means that a pre-signed URL only has the same permissions as the underlying Access Key. If the Access Key only has a validity period of 1 hour, then the pre-signed URL will only work for 1 hour (since it is effectively using that Access Key).
To create a long-lived pre-signed URL, you will need to use equally long-lived credentials to generate the pre-signed URL.
By the way, it should be quite rare to need a pre-signed URL that is valid for a long period. A pre-signed URL should be generated as close as possible to when it will actually be used. For example, imagine a Dropbox-like service where a user is shown a list of files and they can click the filename to view the file. This page can be generated with pre-signed URLs as the links, each with a validity of perhaps 5-10 minutes. If the user refreshes the page, then new pre-signed URLs will be generated. There should be very little need to have pre-signed URLs valid for 7 days.
Related
Is there a way to restrict the permissions of my Users so that, they should not be able to create/generate a presigned URL for the S3 objects that they have access to. ?? My users should not be able to generate a pre-signed URL even if they have access to the S3 objects.
Either restricting their ability of generating presigned URL or atleast detecting an action in real-time when its created is also fine with me.
It looks like there is no cloudtrail API call for generating presigned URL or also there is no cloudtrail API call whenever the generated presigned URL is used for accessing the S3 object.
So, I am stuck at this point and we as a platform team need to stop our App users from being able to generate presigned URLs and give them out to unauthorized users.
I want to provide a presigned s3 url for authenticated users to download files. I have a JWT based authentication on my backend and the URL can be generated on my backend based on the token. So if a user is authenticated on a device, they can click on a button and it opens a new tab pointing at the presigned url. My question is, how to prevent the user to copy the url on to an unauthenticated device and access the file from there? I referred to AWS S3 authenticated user access using presigned URLs? this, but it doesn't solve my problem.
Generally no, that is not possible, a pre-signed URL is valid from any browser and any device. You cannot prevent a user from copying and sharing the link.
The only thing you could do is reduce the duration for which the presigned url is valid, if you open the link in a new tab and set the duration of the presigned url only be e.g. 5 seconds you massively reduce the chance or the effect of the user being able to share the link in time.
I have a use case of allowing users to access remote file present in s3. Currently I am sending the pre-signed url in an email and allowing access. But I have a use case that is not met with this solution.
That being, in case the email containing the pre-signed url is forwarded to someone unintended, the forward recipient should not be able to access the file. Is there a way of authenticating an s3 presigned url by means of id/password. I am also open to a different solution using other AWS services as well to meet the use case.
Pre-signed URLs aren't particularly good for emails.
The intention with a pre-signed URL is that a user would authenticate to an application, then request access to some private content. The application would verify that they are permitted access, then provide a pre-signed URL to grant time-limited access to the content. Such access would normally be for up to 5-10 minutes.
As demonstrated by your scenario, there is an issue if somebody forwards a pre-signed URL to somebody else. This is normally not a problem because access time is limited. However, if a pre-signed URL is generated that has access for hours or days, it becomes more of a security issue.
Solution: Provide a link to your application. Users should authenticate, then be provided with a short-duration (eg 5-minute) pre-signed URL. This lowers the chance that other people can use the link.
By default you can't limit who can use the pre-sign url. The entire purpose of pre-signed S3 urls is to enable access to your object to anyone who has them for a limited time:
Anyone who receives the presigned URL can then access the object.
If this does not suit you, you have few choices:
don't use pre-signed urls, but instead create an IAM user which just the permissions to download the object. This will require login to the AWS by your recipients.
use password protected 7zip or rar files that contain your objects. So instead of downloading objects directly, you provide pre-signed urls to password-protected archives.
use encryption and share encrypted files. You clients will need to decrypt them.
and many others
But ultimately they will be as save as your users' passwords, encryption keys or other types of protection you will implement.
Well I have a service which generate PDF files every day and I need to share a download link to this pdf files through email to send to our clients.
I am thinking to save these files to a s3 bucket, but we need to make sure these download links will works all the time, I went through Amazon S3 Pre-Signed URLs but asfaik presigned urls only valid for a maximum of 7 days but the links should be valid all the time, is there any other way to give access to s3 objects for longer term?
It's not possible to generate Amazon S3 pre-signed URLs with a validity of more than one week.
For longer term, you need to use CloudFront Signed URLs for which you can set an expiry date far in the future.
See Serving Private Content with Signed URLs and Signed Cookies and Using Signed URLs in the CloudFront documentation and Using CloudFront Signed URLs to Serve Private S3 Content on Medium.
You can create a custom download link that hits your backend service (use a jwt, or something else with expiry of your choice).
After validating the JWT on your server, generate a new S3 Pre-signed link(short expiry) and proceed with download.
How to get an pre-signed signature or link that have infinite expire in AWS. Or it is possible to create a permanent signature, using accesskey and secure key?
Except for AWS Access Keys, all other credentials, pre-signed URLs, etc. are temporary credentials.
All pre-signed URLs expire. The minimum expiration value is 1 second and the maximum is seven days (604,800 seconds).
Authenticating Requests: Using Query Parameters (AWS Signature Version 4)