How to solve the risks in sharing an Amazon S3 pre-signed URL?

Question

I am developing a Spring-boot REST API application. The following are the use cases

• All REST API endpoints are secured using HTTPS.
• All responses in this application are cached for 30 minutes based on the request.
• One of my REST API response contains AWS S3 pre-signed url.
• This REST API will be consumed by Mobile App

Issues

• How to protect the AWS S3 pre-signed url from hackers who can snoop the request and response in mobile app.
• Since I enforced the cache in my spring-boot application, I am not able to expire the pre-signed url before this cache timeout. The cached response containing the pre-signed url will be used until the cache times out. We are planning to make the cache timeout (say 5 minutes) smaller than the pre-signed url timeout (say 7 minutes)

Questions

• How to protect AWS S3 pre-signed URL from hackers
• How to handle this cache logic intelligently, because I don't want to re-generate this pre-signed URL often. Especially after evicting cache on list.
• Is there any solution available to maintain this pre-signed url out of this spring-boot application. That is expecting something like other micro-service can handle this pre-signed url and will be used by mobile app directly.

Any response is kindly appreciated

Answer 1

Amazon recommends using their Server-Side Encryption with AWS KMS–Managed Keys (SSE-KMS). Here is a link to a Amazon blog series on how to accomplish using their aws-sdk for Java. This is a link to part 2 of 3 in the series.