Signed URLs – Sharing S3 Files (But Only When I Want To)

After setting up my static site and locking it down with bucket policies, I started wondering —
How do people share private files securely from S3?

That’s when I stumbled on pre-signed URLs.

---

What Are Signed URLs?

They're like one-time tickets that expire.

You generate a special URL for a private S3 object, and whoever has it can access the file — but only:

• For a limited time

• With exactly the permissions you allow

It's perfect for:

• Sending temporary download links

• Giving access to private images, videos, PDFs, etc.

---

How I Generated My First Signed URL

I made sure the file was in a private bucket (no public access). Then I used the AWS CLI:

aws s3 presign s3://my-private-bucket/my-file.pdf --expires-in 600

Output:
A long URL that looks like this:
https://s3.amazonaws.com/my-private-bucket/my-file.pdf?...signature...

When I opened it in the browser — it worked!
Then 10 minutes later — Access Denied. Just as expected.

Tried It with Python Too (Just for Fun)

import boto3

s3 = boto3.client('s3')
url = s3.generate_presigned_url(
    'get_object',
    Params={'Bucket': 'my-private-bucket', 'Key': 'my-file.pdf'},
    ExpiresIn=300
)
print(url)

Even slicker. This opens up a lot of use cases for future projects where I want to serve secure, expiring links.

---

Why This is Cool

• No need to make the whole bucket public

• Great for time-limited downloads or paid content

• Feels like actual security in action, not just theory

---

Lessons From Today

• Even private buckets can serve content — if you control the access

• Signed URLs are another way AWS balances security and flexibility

• I’m starting to see how AWS services piece together like LEGO blocks

---

🔜 Next?

I’m curious about:

• S3 Lifecycle Rules – auto-cleanup, archiving, etc.

• Maybe connecting my static site to Route 53

• Or going hands-on with CloudFront and caching

One thing at a time.

Day 16 — signed, sealed, delivered.