← All posts
2 min read

Choose a safe presigned URL expiry

#aws#cli#s3#storage#security
📑 On this page

Part 54 of AWS from Zero. This lesson keeps the scope to one S3 behavior you can verify from the terminal.

What we are learning

--expires-in is measured in seconds. The effective URL lifetime cannot outlive the credentials used to sign it.

Before you run it

aws sts get-caller-identity
REGION="ap-south-1"
BUCKET="replace-with-your-private-demo-bucket"

Use a private general purpose bucket that you own. Replace every placeholder before running a write or delete command.

The command

SHORT_URL=$(aws s3 presign \
  "s3://$BUCKET/private/report.pdf" \
  --expires-in 300 \
  --region "$REGION")

Five minutes is often enough for an immediate download flow and limits accidental sharing.

Inspect the result

echo "$SHORT_URL" | sed 's/X-Amz-Signature=[^&]*/X-Amz-Signature=REDACTED/'

When debugging, redact the signature before sharing output.

One tiny variation

aws s3 presign \
  "s3://$BUCKET/private/report.pdf" \
  --expires-in 3600 \
  --region "$REGION"

Increase lifetime only when the user journey genuinely needs it.

Common mistake

Temporary STS credentials can expire before the requested URL duration. The signature stops working when the signing credentials expire.

Cleanup

unset SHORT_URL

No server-side URL record exists. Treat generated URLs as temporary secrets.

Next, we will learn Filter a recursive S3 copy.

Official AWS CLI reference