This chapter covers two critical S3 security features: pre-signed URLs and S3 Access Points. Both are frequently tested on the SAA-C03 exam under Domain 1: Secure Architectures (Objective 1.5). Pre-signed URLs allow temporary, delegated access to S3 objects without sharing permanent credentials, while Access Points provide a scalable way to enforce granular access policies, especially for multi-tenant or VPC-restricted environments. Expect approximately 5-8% of exam questions to touch these concepts, often in scenarios involving secure content sharing or isolating S3 access within a VPC.
Jump to a section
Imagine a museum with a public entrance (the S3 bucket) and a private staff entrance (the VPC). The museum offers two ways to let people in without giving them a permanent badge. First, the museum can print a pre-signed ticket for a specific exhibit. This ticket has an expiration time printed on it, a barcode that encodes exactly which exhibit the holder can see, and a time limit. The ticket is given to a visitor who is not an employee. The visitor shows the ticket at the gate, the scanner verifies the barcode, checks the expiration, and admits the visitor to only that one exhibit. The ticket cannot be reused for another exhibit, and once expired, it is worthless. This is a pre-signed URL: a time-limited, permission-specific token given to an untrusted third party. Second, the museum can install a special turnstile at the staff entrance that only admits people with a specific badge type. The museum's security team configures the turnstile to allow only employees from the restoration department. This turnstile is an access point: a dedicated entry point with its own access policy. Employees entering through this turnstile are automatically restricted to restoration areas, even if their badge technically has access to other areas. The turnstile enforces a narrower policy on top of the badge's permissions. In AWS, a pre-signed URL delegates your IAM permissions to a specific object for a limited time, while an S3 Access Point creates a separate entry point with its own policy that can restrict access further, often used to enforce VPC origin or private network access.
What Are Pre-Signed URLs and Why Do They Exist?
A pre-signed URL is a URL that grants temporary access to a specific S3 object. It is generated by an IAM principal (user or role) that already has permissions to perform the action (GET, PUT, etc.) on the object. The URL contains cryptographic signature that proves the generator's identity and the allowed operation. Pre-signed URLs exist to solve a fundamental problem: how to give a third party (like a website visitor or a mobile app client) access to a private S3 object without embedding long-term AWS credentials in the client. Common use cases include:
Allowing users to download private files from a web application.
Enabling users to upload files directly to S3 from a browser (e.g., profile pictures).
Providing temporary access to log files for support teams.
The SAA-C03 exam tests your understanding of how pre-signed URLs are generated, their expiration behavior, and the security implications.
How Pre-Signed URLs Work Internally
When you generate a pre-signed URL using the AWS SDK or CLI, the following happens: 1. The AWS SDK constructs a canonical request string that includes: HTTP method (GET, PUT, etc.), bucket name, object key, query parameters (including expiration timestamp), and a hash of the payload. 2. The SDK signs this request using the AWS Signature Version 4 (SigV4) process. It uses the secret access key of the IAM user or role that generated the URL. 3. The resulting signature is appended as a query parameter (X-Amz-Signature). Other query parameters include:
- X-Amz-Algorithm: Always AWS4-HMAC-SHA256. - X-Amz-Credential: The access key ID and scope (date, region, service). - X-Amz-Date: The date and time the URL was generated (UTC). - X-Amz-Expires: The time in seconds until the URL expires (default 3600, max 604800 for AWS Signature Version 4). - X-Amz-SignedHeaders: Usually 'host'. 4. When a client makes an HTTP request to the pre-signed URL, S3 recomputes the signature using the same algorithm and compares it to the provided signature. If it matches and the expiration time has not passed, S3 evaluates the underlying IAM policy of the URL generator. The URL grants access only if the generator had permission at the time of use. If the generator's permissions are revoked, the pre-signed URL becomes invalid immediately, even if it hasn't expired.
Key details:
The pre-signed URL is tied to a specific object and a specific operation. You cannot create a URL that allows both GET and PUT.
The expiration time is set at generation and cannot be changed. The maximum expiration is 7 days (604800 seconds) for SigV4. For SigV2 (deprecated), it was 7 days as well.
The URL can be generated for any object in a bucket, even if the object does not exist yet (useful for PUT uploads).
Pre-signed URLs can be generated for anonymous access? No – the generator must have IAM permissions.
Configuring Pre-Signed URLs
Using AWS CLI:
aws s3 presign s3://my-bucket/my-object --expires-in 3600This outputs a URL valid for 1 hour.
Using Python SDK (boto3):
import boto3
url = boto3.client('s3').generate_presigned_url(
ClientMethod='get_object',
Params={'Bucket': 'my-bucket', 'Key': 'my-object'},
ExpiresIn=3600
)Important: The IAM user or role generating the URL must have s3:GetObject (for GET) or s3:PutObject (for PUT) permissions on the object. The URL inherits the permissions of the generator at the time of use, not at generation time.
Pre-Signed URLs for Uploads (PUT)
You can generate a pre-signed URL for PUT to allow a client to upload an object directly to S3. The client must use HTTP PUT method with the URL. The content-type and other headers must match those used during generation if they were specified. For example:
url = s3.generate_presigned_url(
ClientMethod='put_object',
Params={'Bucket': 'my-bucket', 'Key': 'uploaded-file.txt', 'ContentType': 'text/plain'},
ExpiresIn=3600
)If the client sends a different Content-Type, the request will fail with a signature mismatch.
Pre-Signed URLs vs. S3 Object ACLs vs. Bucket Policies
Pre-signed URLs are not a replacement for bucket policies or ACLs. They are a temporary delegation mechanism. The underlying object can still be private. The URL is the only way to access it without permanent credentials.
S3 Access Points – What and Why
An S3 Access Point is a network endpoint attached to an S3 bucket that has its own access policy and network controls. Each access point has a unique DNS name (e.g., my-access-point-123456789012.s3-access-point.us-east-1.amazonaws.com). Access points are designed to simplify managing access to shared datasets. For example, a bucket containing analytics data can have multiple access points: one for data scientists with read-only access, one for ingestion jobs with write access, and one for a specific VPC with restricted IP ranges.
Access points are especially useful when you need to enforce:
VPC origin: Only requests from a specific VPC can access the bucket via the access point.
Block public access: Access points can override bucket-level public access settings.
Custom policies: Each access point has its own policy document that can allow or deny actions.
How Access Points Work
When you create an access point, S3 creates a new endpoint. The access point's policy is evaluated in addition to the bucket policy and IAM user policy. The effective permissions are the intersection of all applicable policies. This means an access point cannot grant permissions that the bucket policy denies, but it can further restrict.
Access points support:
IAM policies attached to the access point (resource-based policies).
Network origin control: You can specify that the access point only accepts requests from a specific VPC (using VPC source IP or VPC ID).
Block public access settings at the access point level.
Configuring Access Points
Using AWS CLI:
aws s3control create-access-point --bucket my-bucket --name my-access-point --account-id 123456789012To attach a policy:
aws s3control put-access-point-policy --account-id 123456789012 --name my-access-point --policy file://policy.jsonExample policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::123456789012:role/DataScientist"},
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:us-east-1:123456789012:accesspoint/my-access-point/object/*"
}
]
}Note: The resource ARN uses the access point ARN format: arn:aws:s3:region:account-id:accesspoint/access-point-name/object/*.
Access Points and VPC
You can configure an access point to only accept requests from a specific VPC. This is done by setting the VpcConfiguration parameter during creation:
aws s3control create-access-point --bucket my-bucket --name vpc-only --vpc-configuration VpcId=vpc-12345678Once set, any request that does not originate from that VPC (based on the source IP or VPC endpoint) will be denied, regardless of IAM permissions. This is enforced at the network level.
Interactions with Other AWS Services
AWS CloudFront: You can use CloudFront with an origin access control (OAC) to access S3 via an access point. The access point policy must allow the CloudFront service principal.
AWS Lambda: Lambda functions can generate pre-signed URLs using the SDK. They can also access S3 via access points if the function is configured with the appropriate VPC settings.
AWS PrivateLink: Access points can be accessed via VPC endpoints (Gateway type or Interface type). For VPC-restricted access points, you must use a VPC endpoint.
Exam Focus on Access Points
The SAA-C03 exam often presents scenarios where you need to isolate S3 access to a specific VPC. The correct answer is to create an S3 Access Point with a VPC origin restriction, combined with a bucket policy that denies all access except through that access point. Another common question involves granting different permissions to different teams using the same bucket – the solution is multiple access points with separate policies.
Generate Pre-Signed URL
An IAM user or role with s3:GetObject (or s3:PutObject) permission calls the AWS SDK or CLI to generate a pre-signed URL. The SDK constructs a canonical request including HTTP method, bucket, key, expiration time, and optionally headers. It then signs the request using the secret access key of the caller. The output is a URL with query parameters: X-Amz-Algorithm, X-Amz-Credential, X-Amz-Date, X-Amz-Expires, X-Amz-SignedHeaders, and X-Amz-Signature. The URL is valid for the specified duration (max 7 days). The URL is then shared with the end user via a secure channel (e.g., HTTPS response from a web app).
Client Requests Object via Pre-Signed URL
The client (e.g., browser, mobile app) sends an HTTP GET (or PUT) request to the pre-signed URL. The request includes all the query parameters. S3 receives the request and extracts the signature and other parameters. S3 recomputes the signature using the same algorithm, using the stored secret access key of the IAM user that generated the URL. It compares the computed signature to the provided one. If they match and the current time is before the expiration timestamp, S3 proceeds to check permissions. If the generator's IAM permissions have been revoked, the request is denied even if the URL has not expired.
S3 Evaluates Permissions
S3 evaluates the effective permissions by checking the bucket policy, IAM policy of the URL generator, and any object ACLs. For a pre-signed URL, the principal is the generator. The URL does not grant any permissions by itself; it only delegates the generator's existing permissions. If the generator had s3:GetObject at the time of the request, the request is allowed. If the generator's policy was changed to deny s3:GetObject, the request fails. This is a critical security feature: revoking the generator's permissions immediately invalidates all pre-signed URLs they created.
Create S3 Access Point
An administrator uses the AWS Management Console, CLI, or SDK to create an access point. They specify the bucket name, a unique name for the access point (within the account), and optionally a VPC ID if VPC-only access is desired. S3 creates a new DNS endpoint and an access point ARN. The access point has its own policy, which is initially empty (no permissions). The administrator then attaches a resource-based policy to the access point, specifying which principals can perform which actions on objects via this access point. The policy uses the access point ARN as the resource.
Access Object via Access Point
A user or service makes a request to the access point endpoint (e.g., my-access-point-123456789012.s3-access-point.us-east-1.amazonaws.com). The request must be made via a network path that satisfies the access point's network origin constraints (e.g., from within the specified VPC). S3 evaluates the access point policy, the bucket policy, and the IAM policy of the requester. The effective permission is the intersection of all policies. If the access point policy allows s3:GetObject for the requester, and the bucket policy does not explicitly deny it, and the IAM policy allows it, the request succeeds. The access point policy can also override bucket-level block public access settings.
Enterprise Scenario 1: Secure File Sharing for a Healthcare Portal
A healthcare company runs a patient portal that allows patients to download lab results. The results are stored as PDFs in an S3 bucket with server-side encryption. The bucket is private. The web application backend generates pre-signed URLs for each patient's specific file, with a 5-minute expiration. This ensures that only authenticated patients (after logging in) can access their own results. The pre-signed URL is generated using an IAM role that has least-privilege permissions: s3:GetObject on the specific object key pattern. The backend uses AWS Lambda to generate the URLs. The company set the expiration to 300 seconds to balance security and user experience. A common misconfiguration is setting the expiration too long (e.g., 7 days), which increases the risk of URL leakage. In production, they monitor CloudTrail for unauthorized access attempts via pre-signed URLs.
Enterprise Scenario 2: Multi-Tenant Analytics Platform with Access Points
A data analytics company provides a shared S3 bucket for multiple customers. Each customer should only see their own data, which is stored under a prefix (e.g., customer1/, customer2/). The company creates an S3 Access Point for each customer. Each access point has a policy that restricts access to objects under the corresponding prefix. For example, the access point for customer1 has a policy that allows s3:GetObject on arn:aws:s3:us-east-1:123456789012:accesspoint/customer1-ap/object/customer1/*. Additionally, each access point is configured to only accept requests from the customer's specific VPC, using VPC origin. This ensures that even if credentials are compromised, access is limited to the customer's own data and network. The bucket policy denies all access except through the access points, using a condition that checks the s3:DataAccessPointArn. This setup scales to hundreds of customers without having to manage multiple buckets.
Common Pitfalls
Pre-signed URLs with PUT: If the client sends a different Content-Type than what was used during generation, the request fails with a 403 Forbidden. Always ensure the client sends matching headers.
Access Point Policy Misconfiguration: Forgetting to include the access point ARN in the resource field of the policy leads to a 'MalformedPolicy' error. The resource must be arn:aws:s3:region:account-id:accesspoint/name/object/*.
Bucket Policy Deny Override: If the bucket policy has an explicit deny for a principal, even if the access point policy allows, the request is denied. The deny always wins.
Cross-Account Access: Pre-signed URLs generated by an IAM user in Account A can be used by anyone, but the URL only works if the bucket in Account A allows access from that IAM user. For cross-account, the bucket policy must grant access to the IAM user from Account A.
SAA-C03 Objective Codes
This topic aligns with Domain 1: Secure Architectures, Objective 1.5: 'Design secure access to AWS resources.' Specifically, questions test your ability to choose between pre-signed URLs, access points, bucket policies, and IAM policies for secure S3 access.
Common Wrong Answers and Why Candidates Choose Them
'Use a bucket policy with a condition on the source IP' – This is often chosen when the scenario requires VPC-only access. However, the exam wants you to use an S3 Access Point with VPC origin because it is more scalable and easier to manage than updating bucket policies for multiple VPCs.
'Pre-signed URLs can be generated for anonymous users' – Wrong. Pre-signed URLs require the generator to have IAM permissions. Anonymous users cannot generate them.
'A pre-signed URL remains valid even if the IAM user is deleted' – Wrong. The URL is tied to the generator's permissions at the time of use. If the user is deleted, the URL becomes invalid immediately.
'Access points replace bucket policies' – Wrong. Access point policies are evaluated in addition to bucket policies. They can only further restrict, not grant permissions that the bucket policy denies.
Specific Numbers and Terms to Memorize
Pre-signed URL maximum expiration: 604800 seconds (7 days) for SigV4.
Default expiration for aws s3 presign: 3600 seconds (1 hour).
Access point ARN format: arn:aws:s3:region:account-id:accesspoint/name.
Access point DNS format: name-account-id.s3-access-point.region.amazonaws.com.
VPC origin restriction is set at access point creation; cannot be changed later.
Edge Cases the Exam Loves
Pre-signed URL for PUT with specific headers: If the client does not include the same headers (e.g., Content-Type, x-amz-acl), the signature fails. The exam may describe a scenario where the upload fails and ask why.
Access point with bucket policy that denies all except via access point: Use a bucket policy with a condition StringNotEquals on s3:DataAccessPointArn to deny requests that do not come through an access point.
Cross-account access via access point: The access point belongs to the bucket owner's account. The granting account must create an access point and attach a policy that allows the external account. The external account's IAM must also allow s3:GetObject.
How to Eliminate Wrong Answers
If the question involves temporary access for a third party (e.g., a website visitor), eliminate any answer that suggests sharing long-term credentials. Pre-signed URLs are the solution.
If the question involves granting different permissions to different teams using the same bucket, eliminate answers that suggest multiple buckets. Access points are the solution.
If the question involves VPC-only access, eliminate answers that suggest a bucket policy with IP conditions (which is harder to manage). Access points with VPC origin are the recommended approach.
Pre-signed URLs have a maximum expiration of 7 days (604800 seconds) for Signature Version 4.
Revoking the IAM user's permissions immediately invalidates all their pre-signed URLs.
S3 Access Points can enforce VPC origin restrictions, blocking all requests from outside a specified VPC.
Access point policies are evaluated in addition to bucket policies; an explicit deny in the bucket policy always wins.
Use pre-signed URLs for temporary, object-specific access; use access points for persistent, policy-based access to datasets.
The access point ARN format is: arn:aws:s3:region:account-id:accesspoint/name.
For PUT pre-signed URLs, the client must send matching headers (e.g., Content-Type) as used during generation.
These come up on the exam all the time. Here's how to tell them apart.
Pre-Signed URLs
Temporary access delegation (max 7 days).
Tied to a specific object and operation.
Generated by an IAM principal; inherits its permissions.
No separate endpoint; uses standard S3 endpoint.
Best for sharing individual files with third parties.
S3 Access Points
Persistent, scalable access management.
Controls access to all objects under a prefix or bucket.
Has its own resource-based policy.
Provides a dedicated DNS endpoint.
Best for multi-tenant or VPC-restricted access to datasets.
Mistake
Pre-signed URLs can be used to access any object in the bucket.
Correct
A pre-signed URL is generated for a specific object key and a specific operation (GET, PUT, etc.). It cannot be used for other objects or operations. The URL contains the object key in the signature.
Mistake
Pre-signed URLs are secure because they expire; revocation of the generating user's permissions does not affect existing URLs.
Correct
Revoking the IAM user's permissions immediately invalidates all pre-signed URLs they generated, even if they have not expired. S3 checks the generator's permissions at the time of each request.
Mistake
S3 Access Points can grant permissions that the bucket policy denies.
Correct
Access point policies are evaluated in addition to bucket policies. An explicit deny in the bucket policy overrides any allow in the access point policy. Access points can only further restrict access.
Mistake
You can change the VPC restriction on an access point after creation.
Correct
The VPC configuration (VpcId) is set at creation time and cannot be modified. To change it, you must delete and recreate the access point.
Mistake
Pre-signed URLs for PUT require the object to exist before generation.
Correct
Pre-signed URLs for PUT can be generated for objects that do not yet exist. The URL grants permission to create the object. This is commonly used for direct browser uploads.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Yes, that is the purpose. A pre-signed URL can be used by anyone who has the URL, regardless of whether they have AWS credentials. The URL itself contains the authentication via the signature. However, the URL only works if the IAM user who generated it still has the required permissions at the time of the request. So, you can share the URL with an unauthenticated user (e.g., a browser) to download a private file.
The pre-signed URL becomes immediately invalid. When S3 receives a request with that URL, it attempts to verify the signature using the secret access key of the IAM user. If the user is deleted, the key no longer exists, so the signature verification fails, and S3 returns a 403 Forbidden error. This is a security feature: deleting the user revokes all their pre-signed URLs instantly.
Yes, generate a pre-signed URL for the PUT operation. The client must use HTTP PUT to the URL. You can specify allowed headers (e.g., Content-Type) during generation. If the client sends a different header, the request fails due to signature mismatch. This is commonly used for direct browser uploads to S3 without exposing AWS credentials.
You can create an access point with a VpcConfiguration specifying the VPC ID. This access point will only accept requests that originate from that VPC. Additionally, you can attach a bucket policy that denies all requests unless they come through an access point (using s3:DataAccessPointArn condition). This ensures that the bucket is only accessible from the specified VPC, even if someone has valid IAM credentials from outside.
Yes, you can generate a pre-signed URL for an object using the access point endpoint. The URL will use the access point's DNS name instead of the bucket's. The signature is computed using the access point ARN as part of the resource. The same expiration and permission rules apply. This allows you to combine temporary access with the access point's policy restrictions.
A bucket policy applies to all access to the bucket, whether via the bucket endpoint or via access points. An access point policy only applies to requests that go through that specific access point. Both are evaluated, and the effective permission is the intersection. An access point policy cannot grant access that the bucket policy denies, but it can further restrict. Access point policies are useful for granting different permissions to different users for the same bucket.
Yes, you can create an access point without a policy. However, without a policy, no access is allowed through the access point (implicit deny). You must attach a policy that explicitly grants permissions. The access point will then evaluate that policy in addition to the bucket policy and IAM policies.
You've just covered S3 Pre-Signed URLs and Access Points — now see how well it sticks with free SAA-C03 practice questions. Full explanations included, no account needed.
Done with this chapter?