Bhargava

Reputation: 421

Pre-Signed URL for S3 Bucket URL: Options Available

I am able to generate a pre-signed URL for an S3 object using PHP. But it has an X-Amz-Credential parameter which contains the AWS Access Key ID as its value. Is that OK? Can we generate a pre-signed URL without this parameter? Also, it displays the entire S3 file URL, doesn't it? If we do not want the S3 URL to be displayed, is a CloudFront distribution mandatory? Is there no other way for a pre-signed URL?

Upvotes: 0

Views: 104

Answers (1)

TikScraper

Reputation: 16

We serve specific assets from S3 via CloudFront distribution pre-signed URLs only; direct access to S3 is forbidden via bucket policy.

It works like this:

  1. The backend creates the pre-signed URL and sends it as a response to the frontend
  2. The frontend requests the asset
  3. The asset is served via the CloudFront distribution

This is the data that the client can see in the request/response:

Request:

:authority assets.yourdistribution.com (not your S3 bucket name)
:path /images/whatever.jpg?Expires=123&Key-Pair=Something&Signature=123mmmsd...
.. other uninteresting fields

Response:

Server: AmazonS3
x-amz-cf-id: SomeIdString
Via: your.distribution.com (not bucket name)
.. other uninteresting fields

There is no full S3 path data, nor credential params.

If this is what you need, you can read this guide on how to generate CloudFront pre-signed URLs.

Also, another thing: obscurity is not security.

Upvotes: 0
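On the question of dropping X-Amz-Credential from a direct S3 pre-signed URL, the following added example (not code from the question or the answer) builds a Signature Version 4 query-signed URL with the standard library and then lists what a client can read from it. It shows that the credential parameter carries only the access key ID and scope, that it is part of the signed query string, and that the secret key never appears in the URL. The helper names `presign_s3_get` and `client_visible`, the bucket host, the object name and the timestamps are assumptions made for illustration, and the key pair is the AWS documentation placeholder.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, quote, urlsplit

# AWS documentation placeholder credentials (not real); all inputs are sample values.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

def presign_s3_get(key_id, secret, host, obj, region, amz_date, expires):
    """Build a SigV4 query-signed GET URL for an S3 object (hypothetical helper)."""
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{key_id}/{scope}",  # key ID + scope, never the secret
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # The canonical query string, credential included, is part of what gets signed.
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    path = quote("/" + obj, safe="/")
    canonical = "\n".join(["GET", path, query, f"host:{host}", "", "host",
                           "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # The secret only ever feeds the HMAC key derivation.
    k = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"

def client_visible(url):
    """Return what anyone holding the URL can read from it."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    key_id, _date, region, service, _term = q["X-Amz-Credential"].split("/")
    return {"host": parts.netloc, "object": parts.path, "access_key_id": key_id,
            "region": region, "service": service, "expires_s": int(q["X-Amz-Expires"]),
            "signature": q["X-Amz-Signature"]}

URL = presign_s3_get(ACCESS_KEY_ID, SECRET_KEY, "examplebucket.s3.amazonaws.com",
                     "test.txt", "us-east-1", "20130524T000000Z", 86400)

if __name__ == "__main__":
    print(URL)
    print(client_visible(URL))
```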
