Pre-Signed URLs with S3 Buckets.

3 min readAug 17


Amazon S3 buckets are private by default when they are created, this is to conform to the principle of least privilege, this means that in order to provide access to our bucket and its objects, we must give explicit permissions to the bucket and its objects.

There are two most common scenarios for how people use S3 buckets in regard to privacy. The first group of people basically upload private data within these buckets and they like to keep it that way. The second group is the people who like to share the objects they have uploaded publicly with everyone.

There is a third group of people who sit right in between. This group would like to keep their bucket private and inaccessible to the public but still be able to share an individual object with a specified entity for a limited period of time. This is the group that Pre-signed URLs cater to.

So what exactly are pre-signed URLs? A pre-signed URL uses security credentials to grant time-limited permission to download objects. The URL can be entered in a browser or used by a program to download the object. The credentials used by the pre-signed URL are those of the AWS user who generated the URL.

Now that we know what a pre-signed URL is, let us create one.

1. Check on

2. Click on Actions

3. Click on Share with a pre-signed URL

4. Select Hours

5. Select Minutes

6. Type “5”

7. Click on Create pre-signed URL

8. Click on Copy pre-signed URL

9. Copy the text area

10. Paste the link onto a new browser

One thing to note is that in the Management Console, the longest a pre-signed URL can last is 12 hours, however, using the AWS CLI, we can generate a pre-signed URL that lasts up to a maximum of 7 days.

To generate a pre-signed URL on the AWS CLI, use the code below:

aws s3 presign s3://DOC-EXAMPLE-BUCKET1/mydoc.txt --expires-in 604800

Replace s3://DOC-EXAMPLE-BUCKET1/mydoc.txt with your Bucket link




Software & AWS Cloud Engineer