S3 Pre-signed URLs vs CloudFront Signed URLs vs Origin
Access Identity (OAI)
tutorialsdojo.com/s3-pre-signed-urls-vs-cloudfront-signed-urls-vs-origin-access-identity-oai
S3 Pre-signed URLs
All S3 buckets and
objects by default
are private. Only the
object owner has
permission to access
these objects. Pre-
signed URLs use the
owner’s security
credentials to grant
others time-limited
permission to
download or upload
objects.
When creating a pre-
signed URL, you (as
the owner) need to
provide the
following:
Your security
credentials
An S3 bucket
name
An object key
April 28,
2019
CloudFront Signed URLs Origin Access Identity
(OAI)
You can control user access to You can configure
your private content in two an S3 bucket as the
ways origin of a
Restrict access to files in CloudFront
CloudFront edge caches distribution. OAI
Restrict access to files in prevents users from
your Amazon S3 bucket viewing your S3 files
(unless you’ve by simply using the
configured it as a direct URL for the
website endpoint) file. Instead, they
You can configure CloudFront would need to
to require that users access access it through a
your files using either signed CloudFront URL.
URLs or signed cookies. You To require that
then develop your application users access your
either to create and distribute content through
signed URLs to authenticated CloudFront URLs,
users or to send Set-Cookie you perform the
headers that set signed following tasks:
cookies on the viewers for Create a
authenticated users. special
When you create signed URLs CloudFront
or signed cookies to control user called an
1/3
 Specify the access to your files, you can origin access
HTTP method specify the following identity.
(GET to restrictions: Give the
download the An expiration date and origin access
object or PUT time for the URL identity
to upload an (Optional) The date and permission to
object) time the URL becomes read the files
Expiration date valid in your
and time of the (Optional) The IP bucket.
URL. address or range of Remove
addresses of the permission
computers that can be for anyone
used to access your else to use
content Amazon S3
You can use signed URLs or URLs to read
signed cookies for any the files
CloudFront distribution, (through
regardless of whether the bucket
origin is an Amazon S3 bucket policies or
or an HTTP server. ACLs).
You cannot set OAI
if your S3 bucket is
configured as a
website endpoint.

References:

https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.ht
ml
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-
restricting-access-to-s3.html

***

AWS Certified Solutions Architect is consistently among the top paying IT certifications in the
world, considering that Amazon Web Services is the leading cloud services platform with almost
50% market share! Earn over $150,000 per year with an AWS certification!

Subscribe to our newsletter for more helpful AWS training notes and blogs like this and answer as
many AWS practice exams as you can.

Subscribe to our Newsletter

Sign up now and have the latest tech tutorials delivered straight to your mailbox.
2/3
PLUS: Upgrade your career by getting exclusive access to recent AWS exam passers' tips,
freebies, promotions and lots more!
I agree to have my personal information transfered to AWeber ( more information )

3/3