AWS S3 signed URLs handbook
AWS S3 signed URLs handbook
How to handle files in a serverless environment
About the Book
Don't get fooled by the apparent simpleness of signed URLs. Whomever you want to protect your files from knows how they work under the hood. An implementation that "seems to work" is insecure and gives a false sense of security.
This book teaches you everything you need to know about S3 signed URLs. You'll learn what signed URLs are, why they are needed for serverless applications, how to implement them securely, and how they work with other AWS services. All this, with a special eye for security.
It contains the background knowledge so that you'll know the cases where signed URLs are the solution. It comes with almost a dozen deploy-to-try examples to allow easy experimentation with the different aspects.
When I initially started experimenting with signed URLs I quickly realized how easy it is to end up with a solution that is unreliable and insecure. I spent several months to figure out what is missing from the documentations so that you don't need to.
You'll learn:
- How S3 signed URLs work and why they are essential for a serverless stack
- How to solve common problems and how to secure the implementation
- How to use them with other services, such as CloudFront and KMS
This book is written in a handbook style. It dives deep into a single technology and provides help when you need it. It features analyses how each choice or piece of technology affects the security of signed URLs.
Originally published in May 2020.
Table of Contents
- Introduction
- Chapter 1: Overview
- Use cases
- From servers to serverless
- 3-tier architecture
- Serverless architecture
- Why streaming is not an option
- Signed URLs for S3
- Credentials
- URL structure
- Expiration time
- Security of S3 signed URLs
- Algorithm
- Signature versions 2 and 4
- Bandwidth control
- Implementation disclosure
- Revocation
- Algorithm
- Chapter 2: Implementation
- Sample code
- Functionality
- Sample code architecture
- Infrastructure
- Bucket
- Object
- Function
- Execution role
- Backend with Node.js
- S3 service
- Sign URLs
- Expiration time
- Synchronous or asynchronous
- Which one to use?
- Bucket region
- Frontend
- Sample code
- Chapter 3: Specific use-cases
- Least privilege with dedicated roles
- Architecture
- Backend
- Credentials
- S3 service object
- CORS
- Using HTTP redirects
- Redirect status code
- CORS with HTTP redirects
- How to check if a file exists before signing
- How to set the filename
- Integrate with CloudFront
- Why use CloudFront
- How to setup CloudFront
- Rewriting the signed URL
- Origin config
- Cache behavior
- Paths
- CloudFront signed URLs
- Caching
- Validity
- NodeJs implementation
- Browser caching
- Proxy caching
- Pricing
- Problems with proxy caching
- Problem #1: No expiration checking
- Problem #2: No signature checking
- Uploading files
- Permissions
- CORS config for uploads
- Backend
- Frontend
- Update the database on file upload
- Implementation
- Step #1: Signing the URL
- Step #2: Frontend
- Step #3: Update the database
- Step #4: Infrastructure
- Implementation
- PUT signed URLs
- Security checklist for uploading files
- Handling encrypted data
- SSE-S3 and SSE-KMS with AWS Managed CMK
- Uploads
- SSE-KMS with Customer Managed CMK
- Downloads
- Uploads
- SSE-C
- Downloads
- Uploads
- SSE-S3 and SSE-KMS with AWS Managed CMK
- Permanent URLs
- Problems with permanent signed URLs
- Filename-based solution
- Token-based solution
- Infrastructure
- Create a token
- Use a token
- Least privilege with dedicated roles
- Troubleshooting
- AccessDenied
- There were headers present in the request which were not signed
- SignatureDoesNotMatch
- Request has expired
- NoSuchKey
- ExpiredToken
- PermanentRedirect
- InvalidRequest
- AccessDenied
- Security checklist
- Conclusion
- About the author
The Leanpub 60 Day 100% Happiness Guarantee
Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.
You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!
So, there's no reason not to click the Add to Cart button, is there?
See full terms...
Earn $8 on a $10 Purchase, and $16 on a $20 Purchase
We pay 80% royalties on purchases of $7.99 or more, and 80% royalties minus a 50 cent flat fee on purchases between $0.99 and $7.98. You earn $8 on a $10 sale, and $16 on a $20 sale. So, if we sell 5000 non-refunded copies of your book for $20, you'll earn $80,000.
(Yes, some authors have already earned much more than that on Leanpub.)
In fact, authors have earnedover $14 millionwriting, publishing and selling on Leanpub.
Learn more about writing on Leanpub
Free Updates. DRM Free.
If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).
Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.
Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.
Learn more about Leanpub's ebook formats and where to read them