Reputation: 3773
The design is simple: I save JSON to S3 (no public access), the client sends a request to Lambda, and Lambda grabs it and sends it back.
I am wondering if I can remove this Lambda layer and let the client access the S3 bucket directly, authorizing the request with a Cognito user pool or a Lambda authorizer.
For example, the client sends a request to access bucket A with an Authorization header, which triggers the Lambda authorizer; if it passes, access is granted, and if it fails, a 401 error is returned.
Is it possible? Or what's the closest way to do this? I searched a lot without any luck.
Upvotes: 0
Views: 588
Reputation: 548
The easiest way would be to use S3 pre-signed URLs. You can use presigned URLs to generate a URL that can be used to access your S3 buckets. When you create a presigned URL, you associate it with a specific action. You can share the URL, and anyone with access to it can perform the action embedded in the URL as if they were the original signing user. The URL will expire and no longer work when it reaches its expiration time.
Then you can create a Lambda function, which generates presigned URLs for your users to let them access your S3 data. The same Lambda can be used to perform authentication, e.g., by using Cognito.
Best, Stefan
Upvotes: 1
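An added example, not part of the answer above: what the Lambda hands back once it has authenticated the caller. In a real function you would call boto3's `generate_presigned_url`; this standard-library version builds the same kind of SigV4 query-signed URL so the embedded action, object key and expiry are visible. The bucket name, the `users/<sub>/` key layout and `url_for_user` are assumptions, and the credentials are the AWS documentation's example values.

```python
import hashlib
import hmac
from urllib.parse import quote, urlencode

# AWS documentation's example credentials (not real keys).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get(bucket, key, expires, now, region="us-east-1"):
    """Build a SigV4 query-string (presigned) GET URL for one S3 object."""
    host = f"{bucket}.s3.amazonaws.com"
    date, stamp = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": stamp,
        "X-Amz-Expires": str(expires),  # lifetime in seconds, covered by the signature
        "X-Amz-SignedHeaders": "host",
    }
    query = urlencode(sorted(params.items()), quote_via=quote, safe="")
    path = "/" + quote(key, safe="/")
    # The method and exact object path are signed: the URL grants only this GET.
    canonical = "\n".join(["GET", path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", stamp, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = ("AWS4" + SECRET_KEY).encode()
    for part in (date, region, "s3", "aws4_request"):
        k = _hmac(k, part)
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"

def url_for_user(user_sub, filename, now):
    """Hypothetical handler body, run only after the caller's Cognito token is verified.
    The key is derived from the verified identity, never taken whole from the request."""
    if "/" in filename or filename in ("", ".", ".."):
        raise ValueError("invalid file name")
    # Constructed bucket name and key layout; 300 s keeps a leaked URL short-lived.
    return presign_get("example-json-bucket", f"users/{user_sub}/{filename}", 300, now)
```

Inside Lambda the role's credentials are temporary, so the signed URL also carries an `X-Amz-Security-Token` parameter and stops working when those credentials expire, even if `X-Amz-Expires` is longer.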