Amazon S3 pre-signed URLs are time-limited URLs that grant temporary access to specific S3 objects without requiring users to have AWS credentials or making the bucket public.
A pre-signed URL is a specially crafted URL that provides temporary, controlled access to an S3 object [citation:2]. It is generated using AWS credentials that have permission to access the object, and the URL itself contains a signature that validates the request [citation:2]. Anyone with the URL can access the object until it expires, regardless of whether they have AWS credentials [citation:2][citation:7].
Pre-signed URLs can be used for both downloads (GET) and uploads (PUT) [citation:1][citation:4]. For downloads, you generate a URL that allows temporary retrieval of a private object. For uploads, you generate a URL that allows users to upload files directly to S3 without passing data through your application servers [citation:4][citation:6]. This is particularly valuable for serverless applications where you want to offload file transfer workloads to S3 [citation:4].
You can generate pre-signed URLs through multiple methods. In the AWS Management Console, navigate to your S3 bucket, select the object, and under 'Object actions' choose 'Share with a pre-signed URL' [citation:3][citation:9]. Set an expiration time and click 'Create presigned URL' [citation:3][citation:9]. Programmatically, you can use the AWS SDKs. For example, in Python with boto3, use generate_presigned_url specifying the bucket name, object key, and expiration in seconds [citation:9]. In JavaScript/Node.js, use getSignedUrl from @aws-sdk/s3-request-presigner [citation:1][citation:7].
Common use cases include enabling secure file uploads in web applications where users send files directly to S3 [citation:6][citation:8], providing time-limited access to paid or private content [citation:2], and integrating with serverless workflows where Lambda functions generate upload URLs for clients [citation:4][citation:10]. The key benefit is maintaining security while eliminating the need to route file data through your application servers [citation:6].
Several security best practices apply when using pre-signed URLs. Set expiration times as short as practically possible—seconds or minutes rather than days—to minimize the window of misuse [citation:4][citation:7]. Consider implementing one-time use URLs by tracking tokens in a database [citation:4]. For uploads, validate file types before generating the URL [citation:6] and optionally require Content-MD5 checksums to ensure integrity [citation:4]. Apply the principle of least privilege to the IAM principal generating the URLs, restricting permissions to specific prefixes and actions [citation:4][citation:7]. Also, consider sanitizing filenames by replacing them with UUIDs to prevent path traversal attacks [citation:4].
Once a pre-signed URL expires, it cannot be reactivated or extended. Access is permanently revoked, and a new URL must be generated if continued access is needed [citation:3]. For this reason, pre-signed URLs are ideal for temporary sharing scenarios but not appropriate for long-term, persistent access.