user12463073

How to make sure an S3 presigned GetObject URL can only be accessed from an authorized device?

I want to provide a presigned S3 URL for authenticated users to download files. I have JWT-based authentication on my backend, and the URL can be generated on my backend based on the token. So if a user is authenticated on a device, they can click on a button and it opens a new tab pointing at the presigned URL. My question is, how do I prevent the user from copying the URL onto an unauthenticated device and accessing the file from there? I referred to "AWS S3 authenticated user access using presigned URLs?", but it doesn't solve my problem.

Upvotes: 0

Views: 1755

Answers (1)

luk2302

Reputation: 57114

Generally no, that is not possible; a pre-signed URL is valid from any browser and any device. You cannot prevent a user from copying and sharing the link.

The only thing you could do is reduce the duration for which the presigned URL is valid. If you open the link in a new tab and set the duration of the presigned URL to only be e.g. 5 seconds, you massively reduce the chance or the effect of the user being able to share the link in time.

Upvotes: 1
