When is more appropriate to use S3 Pre-signed URL rather than CloudFront Signed URL? And, vice versa?
In my head – its if you want to have the ability to have maybe a Lambda function to create a Signed URL which is the served to a process which uses it rather than having direct access over the S3 URL, without having to open the Bucket up to the public. Maybe the bucket only distributes data periodically for example to customers maybe its monthly reports say, therefore a full CloudFront distribution is a bit overkill.
Pre-signed S3 URLs:
Useful whenever you want to easily provide TEMPORARY access to a protected asset.
There are two common use cases when you may want to use pre-signed S3 URLs:
Simple, occasional sharing of private files.
Frequent, programmatic access to view or upload a file in an application.
Some examples of this programmatic usage include:
Your application generates invoice PDFs at the end of a billing cycle and stores the PDFs on S3.
You need to provide a link for your users to DOWNLOAD the PDF of their invoice.
Your application can also allow users to UPLOAD videos to your S3 bucket.
You can generate a pre-signed S3 URL that can be used for POST requests. This can be useful for allowing clients to upload large files. Rather than sending the large file through your application’s servers, the client can upload the file directly from the browser via tightly-scoped permissions.
You can perform both of these operations with an AWS SDK for any language.
CloudFront Signed URLS:
This aws document link explains their use: