Certified Security - Specialty


What are the minimum permissions the instance needs to create presigned URLs for S3?

In the lecture the EC2 instance was given full Admin S3 permissions – is that the minimum amount of permissions needed?

3 Answers

Anyone with valid security credentials can create a presigned URL. However, in order for you to successfully upload an object, the presigned URL must be created by someone who has permission to perform the operation that the presigned URL is based upon.

This means you need either getobject or putobject permissions to the object in the S3 bucket, depending on whether you want a read or write presigned URL.

The object (IAM user, EC2 instance, Lambda function, etc.) creating the presigned URL needs the same permissions that are intended for the presigned URL (get, put, post, etc.). If you want the user of the presigned URL to have getobject permissions, then the object that creates the presigned URL needs getobject permissions to the S3 object.

One important thing to note: when creating a presigned URL there are 2 parts to the time limit and/or functioning of the presigned URL. The first is the actual explicit or implicit time limit when the presigned URL is created. The second is the existence of the object that created the presigned URL. If the object that creates the presigned URL is disabled or deleted before the time limit expires on the presigned URL, the link won’t work. The link below covers this in detail.

Here is a link that covers this: https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

Actually – you don’t need any permissions to create an S3 presigned URL. The presigned URL can be created completely offline (without really invoking any API in AWS).

Once the URL is used to execute the request (Get/Put Object), the AWS S3 service validates whether the identity has permission for the operation and whether the validity has not expired (validity limits are in the already posted link, ShareObjectPreSignedURL). A side effect of this approach is that it allows access to be revoked if someone already possesses a presigned URL with long validity.
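The offline creation described in the last answer, as an added example that is not part of the original thread: a standard-library Python implementation of SigV4 query-string signing that makes no network call. The key pair, bucket, object and timestamp are the non-functional sample values used in AWS documentation; `presign_s3`, `example_url` and the `us-east-1` style endpoint host are assumptions of this example.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

# Non-functional sample values from AWS documentation, not real credentials.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DOC_TIME = datetime(2013, 5, 24, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presign_s3(method, bucket, key, access_key, secret_key, region, expires, now):
    """Return a SigV4 presigned URL computed locally (no AWS API call)."""
    host = f"{bucket}.s3.amazonaws.com"  # assumption: us-east-1 style endpoint
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),  # lifetime in seconds, enforced by S3
        "X-Amz-SignedHeaders": "host",
    }
    enc = lambda s: quote(s, safe="-_.~")
    query = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    path = "/" + quote(key, safe="/-_.~")
    # Canonical request: only the host header is signed, the payload is not.
    canonical = "\n".join([method, path, query, f"host:{host}\n", "host",
                           "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key: secret -> date -> region -> service -> terminator.
    k = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"


def example_url():
    return presign_s3("GET", "examplebucket", "test.txt", ACCESS_KEY,
                      SECRET_KEY, "us-east-1", 86400, DOC_TIME)


if __name__ == "__main__":
    print(example_url())
```

Signing succeeds with any secret string, so a well-formed URL says nothing about what the signer is allowed to do; S3 checks the signature, the expiry and the signer's permissions only when the URL is used.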
