AWS Developer Blog

Generating Amazon S3 Pre-signed URLs with SSE (Part 1)

By default, all objects and buckets are private in Amazon S3. Pre-Signed URLs are a popular way to let your users or customers upload or download specific objects to/from your bucket, but without requiring them to have AWS security credentials or permissions.

In part 1 of this blog, we will take a look at all the different types of pre-signed URLs that can be generated to work with Amazon S3 server-side encryption (SSE). In part 2 of this blog, I will provide concrete sample code that shows how you can generate and consume pre-signed URLs for one of AWS’s most recommended security best practices – server-side encryption with AWS Key Management Service (SSE-KMS). To find out more about the considerable benefits of using AWS Key Management Service provide, see the official blog New AWS Key Management Service (KMS).

To begin with, the generation and use of pre-signed URLs requires a request to be signed for authentication purposes. Amazon S3 supports the latest Signature Version 4 (SigV4), which requires the request body to be signed for added security, and the previous Signature Version 2 (SigV2). However, even though pre-signed URLs using different options of SSE is 100 percent supported using SigV4, this is not the case with SigV2.

Here is a summary of all the valid combinations for generating pre-signed URLs using server-side encryption.

Pre-signed URL generation SigV2 SigV4
Using SSE with AWS KMS-managed keys (SSE-KMS) No Yes
Using SSE with Amazon S3-managed keys (SSE-S3) Yes Yes
Using SSE with customer-provided encryption keys (SSE-C) Yes Yes
Using SSE with specific customer-provided encryption keys (SSE-C) No Yes

What is the difference between generating a pre-signed URL using SSE-C versus SSE-C with specific customer-provided encryption keys? In the first case, when you generate the pre-signed URL, the customer-provided encryption key does not need to be specified. Instead, the key only needs to be specified in the request later when the generated pre-signed URL is used (to actually upload or download objects to/from Amazon S3).

On the other hand, you may want to impose further restrictions on a pre-signed URL by requiring that the pre-signed URL can be used only against a specific customer-provided encryption key. In such cases, you can do so by specifying the customer-provided encryption key during the generation of the pre-signed URLs, and enabling the use of SigV4. I will provide specific examples to cover these two cases in Part 4 and 5 of the upcoming blogs.

In the next blog (Part 2), I will provide specific code examples that show how you can generate and consume pre-signed URLs using server side encryption with Amazon KMS-managed keys (SSE-KMS). 

Stay tuned!