AWS S3 signed URLs handbook


This book is no longer available for sale.

AWS S3 signed URLs handbook

How to handle files in a serverless environment

About the Book

Don't get fooled by the apparent simpleness of signed URLs. Whomever you want to protect your files from knows how they work under the hood. An implementation that "seems to work" is insecure and gives a false sense of security.

This book teaches you everything you need to know about S3 signed URLs. You'll learn what signed URLs are, why they are needed for serverless applications, how to implement them securely, and how they work with other AWS services. All this, with a special eye for security.

It contains the background knowledge so that you'll know the cases where signed URLs are the solution. It comes with almost a dozen deploy-to-try examples to allow easy experimentation with the different aspects.

When I initially started experimenting with signed URLs I quickly realized how easy it is to end up with a solution that is unreliable and insecure. I spent several months to figure out what is missing from the documentations so that you don't need to.

You'll learn:

  • How S3 signed URLs work and why they are essential for a serverless stack
  • How to solve common problems and how to secure the implementation
  • How to use them with other services, such as CloudFront and KMS

This book is written in a handbook style. It dives deep into a single technology and provides help when you need it. It features analyses how each choice or piece of technology affects the security of signed URLs.

Originally published in May 2020.

About the Author

Tamás Sallai
Tamás Sallai

Given a task that requires writing software, an expert provides better and more reliable solutions. I write articles and books to help you be that expert.

I'm a software developer focusing mostly on cloud computing and web technologies. I'm especially interested in how to handle edge cases to end up with dependable software. One of my main focus is security and how each part affects the whole system.

I co-author the blog where I've published more than a hundred technical articles.

Table of Contents

  • Introduction
  • Chapter 1: Overview
    • Use cases
    • From servers to serverless
      • 3-tier architecture
      • Serverless architecture
        • Why streaming is not an option
    • Signed URLs for S3
      • Credentials
      • URL structure
      • Expiration time
    • Security of S3 signed URLs
      • Algorithm
        • Signature versions 2 and 4
      • Bandwidth control
      • Implementation disclosure
      • Revocation
  • Chapter 2: Implementation
    • Sample code
      • Functionality
      • Sample code architecture
    • Infrastructure
      • Bucket
      • Object
      • Function
      • Execution role
    • Backend with Node.js
      • S3 service
      • Sign URLs
        • Expiration time
        • Synchronous or asynchronous
          • Which one to use?
        • Bucket region
    • Frontend
  • Chapter 3: Specific use-cases
    • Least privilege with dedicated roles
      • Architecture
      • Backend
        • Credentials
        • S3 service object
    • CORS
    • Using HTTP redirects
      • Redirect status code
      • CORS with HTTP redirects
    • How to check if a file exists before signing
    • How to set the filename
    • Integrate with CloudFront
      • Why use CloudFront
      • How to setup CloudFront
        • Rewriting the signed URL
        • Origin config
        • Cache behavior
        • Paths
      • CloudFront signed URLs
    • Caching
      • Validity
      • NodeJs implementation
      • Browser caching
      • Proxy caching
        • Pricing
        • Problems with proxy caching
          • Problem #1: No expiration checking
          • Problem #2: No signature checking
    • Uploading files
      • Permissions
      • CORS config for uploads
      • Backend
      • Frontend
      • Update the database on file upload
        • Implementation
          • Step #1: Signing the URL
          • Step #2: Frontend
          • Step #3: Update the database
          • Step #4: Infrastructure
      • PUT signed URLs
      • Security checklist for uploading files
    • Handling encrypted data
      • SSE-S3 and SSE-KMS with AWS Managed CMK
        • Uploads
      • SSE-KMS with Customer Managed CMK
        • Downloads
        • Uploads
      • SSE-C
        • Downloads
        • Uploads
    • Permanent URLs
      • Problems with permanent signed URLs
      • Filename-based solution
      • Token-based solution
        • Infrastructure
        • Create a token
        • Use a token
  • Troubleshooting
    • AccessDenied
      • There were headers present in the request which were not signed
      • SignatureDoesNotMatch
      • Request has expired
    • NoSuchKey
    • ExpiredToken
    • PermanentRedirect
    • InvalidRequest
  • Security checklist
  • Conclusion
  • About the author

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.

You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!

So, there's no reason not to click the Add to Cart button, is there?

See full terms...

80% Royalties. Earn $16 on a $20 book.

We pay 80% royalties. That's not a typo: you earn $16 on a $20 sale. If we sell 5000 non-refunded copies of your book or course for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earnedover $12 millionwriting, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub