Presigned URL security


Hi team

I'm using a lambda function to generate a presigned URL to allow partner application/VPC to upload files and get files from an S3 bucket in my AWS account.

The reason for that is to avoid sending the binary data over the PrivateLink and so avoid a bottleneck on the PrivateLink traffic, but the security team is concerned about how secure the pre-signed URLs are.

I thought it would be better to use pre-signed URLs instead of sending many thousands of files over the PrivateLink?

I know that anyone who obtains the URL before expiry can use it to access the data. Can that be improved by a bucket policy, or is it still a security issue?

Thank you!

1 Answer

You could add a bucket policy that only allows access from specific VPC endpoints. See: Controlling access from VPC endpoints with bucket policies.

The traffic over a VPC Endpoint stays on the AWS network. However, even traffic routed out an Internet Gateway will stay on the AWS network if calling AWS services. See this FAQ:

Q. Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?

No. When using public IP addresses, all communication between instances and services hosted in AWS use AWS's private network. Packets that originate from the AWS network with a destination on the AWS network stay on the AWS global network, except traffic to or from AWS China Regions.

In addition, all data flowing across the AWS global network that interconnects our data centers and Regions is automatically encrypted at the physical layer before it leaves our secured facilities. Additional encryption layers exist as well; for example, all VPC cross-region peering traffic, and customer or service-to-service Transport Layer Security (TLS) connections.
kentrad (AWS EXPERT)
answered 9 months ago
  • Thank you for your answer!

    I have a question please, I would like to know if the put/get from S3 using a pre-signed URL goes over the public internet or over the AWS backbone?

    How can the partner access my S3 bucket privately via the pre-signed URL (without going over the public internet)? Thank you!
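As an added illustration of the bucket policy the answer points to (this is not code from the original thread or from the AWS documentation page it links, and the bucket name, VPC endpoint ID and role ARN are placeholders you would replace), the policy below denies every S3 action on the bucket unless the request arrives through the named VPC endpoint. A pre-signed URL is just an ordinary signed HTTPS request, so the same Deny applies to it: a leaked URL replayed from outside the endpoint gets a 403, while the same URL used from the partner VPC that reaches S3 via that endpoint is evaluated normally. The second condition is an assumption-level safeguard, not something the thread mentions: it exempts one administrative role so the explicit Deny does not lock out the account's own operators, who typically do not come through the endpoint. Both conditions in a single statement are ANDed, so the Deny fires only for requests that are neither from the endpoint nor from that role.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnlessFromPartnerVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME",
        "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLEID"
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::111122223333:role/EXAMPLE-ADMIN-ROLE"
        }
      }
    }
  ]
}
```

Two caveats a practitioner would check before deploying this: the Lambda that signs the URLs still needs its own IAM permission to `s3:PutObject`/`s3:GetObject` on the bucket, because a pre-signed URL never grants more than the signing identity holds, and the URL's `ExpiresIn` should be kept as short as the partner's transfer window allows; and test the policy with a non-production bucket first, since an explicit Deny with a mistyped endpoint ID blocks everyone, including the administrator, until the policy is corrected from a principal the condition exempts.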
