How to Safely Share Files Using AWS S3 Pre-Signed URLs

Jay TilluJay Tillu
4 min read

One fine morning, Arjun was sipping his coffee when his project manager messaged:

“Hey Arjun, a client needs to download a report stored in our private S3 bucket. Can you make it happen?”

Arjun thought, “Hmm… I can’t make the file public — that would be a security risk.”

That’s when he remembered something from his AWS studies:
🎯 S3 Pre-Signed URLs


🔎 What is a Pre-Signed URL?

A Pre-Signed URL is a special URL that temporarily grants access to a private object in your S3 bucket — either to download (GET) or upload (PUT) a file.

  • ✅ It inherits the permissions of the IAM identity that generated the URL.

  • ✅ It expires after a set time — so it’s secure and time-bound.

  • ✅ It requires no credentials for the end user.


🛠️ How Can You Generate It?

Arjun learned that he could generate these URLs using:

ToolMax Expiry Time
AWS ConsoleUp to 12 hours
AWS CLI / SDKUp to 7 days (168 hours)

He fired up the CLI and ran:

aws s3 presign s3://secure-bucket/reports/monthly.pdf --expires-in 3600

✅ That gave him a URL that worked for 1 hour.


📦 Real-World Use Cases Arjun Found

Here are some of Arjun’s favorite use cases:

  1. 🔐 Give external users temporary access to download a private file
    Send them a pre-signed URL valid for a few hours.

  2. 📤 Let someone upload a file securely to a specific S3 location
    Pre-sign a PUT request and restrict it to a path.

  3. 🎥 Stream a premium video only for logged-in users
    Dynamically generate a new URL after each login.

  4. 🛠️ CI/CD tools pushing build logs or test results
    Use pre-signed PUT URLs without exposing IAM credentials.


⚠️ Important Notes for SAA Exam & Real Life

Before using them in production, Arjun made sure to remember:

  • Pre-signed URLs are only valid for a specific operation (GET, PUT, etc.)

  • They’re secure only if you protect the URL — don’t share it publicly

  • Permissions are based on the IAM user or role that signs the URL

  • Good practice: Set a short expiration to reduce risk


✅ Arjun’s Takeaway

“Pre-signed URLs are like giving someone a key to a single door that works for a few minutes — super convenient and still secure.”

He sent the URL to the client, who downloaded the report instantly. No IAM roles, no bucket policy changes — just a simple, temporary URL.


📌 SAA Exam Tip

Expect at least one question involving S3 access control and pre-signed URLs. Remember:

  • URL is temporary

  • URL inherits signer’s permissions

  • Use for GET or PUT

  • Can be generated using CLI, SDK, or Console


More AWS SAA Articles

Follow me for more such content

0
Subscribe to my newsletter

Read articles from Jay Tillu directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Jay Tillu
Jay Tillu

Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I’m always eager to connect and discuss cybersecurity—let's get in touch!