Reputation: 1
How to generate read-only PresignedUrl in AWS S3 Bucket
var getPreSignedUrlRequest = new GetPreSignedUrlRequest()
{
BucketName = this._appSettings.AWS_S3_IMAGE_SIGNATURE_BUCKET,
Key = fileKey,
Expires = DateTime.UtcNow.AddHours(24),
Verb = HttpVerb.GET,
// ContentType = "application/octet-stream",
ServerSideEncryptionMethod = ServerSideEncryptionMethod.AES256,
};
So I wanna create a presignedUrl to read an image in S3 bucket with read-only permission, but if i make a request like above code (even with the verb GET), I can still use this presignedUrl to Upload a new image to replace the old one. Is there any way to prevent user to overwrite an object with PresignedUrl (for read-only purpose)?
Upvotes: 0
Views: 1550
Answers (1)
Reputation: 1069
I had the same question and a lot of people couldn't explain it properly so I'll try to do that.
By creating an s3 presigned URL, you're attaching a token with the permissions of the user who created that URL. So if the user has write access, you're basically allowing public write to that object until the URL expires.
More on it here.
A possible solution is to use CloudFront's signed URLs and point them to your S3 objects.
Upvotes: 2
Related Questions
- AWS S3 - Generate presigned URL using REST API
- How to generate an AWS S3 Pre-Signed URL
- s3 presign url between s3 buckets using Lambda
- How to generate an S3 pre-signed URL for a custom domain without exposing bucket name
- Generate an AWS S3 PreSigned URL using my own domain/subdomain
- Generating a presigned URL to upload to an S3 bucket
- Allow unknown key value pairs in S3 pre signed URL
- AWS S3 authenticated user access using presigned URLs?
- Amazon S3 pre-signed URLs
- Generate Presigned URL with format: s3.amazonaws.com/bucket.name