S3 Pre-Signed URLs in Spring Boot for Secure File Access

May 11, 2026 9 min read

Serving private files securely from Amazon S3 requires more than public file URLs. This guide explains how to generate pre-signed URLs in Spring Boot for secure, scalable, and temporary file access.

Quick Answer

S3 pre-signed URLs allow Spring Boot applications to securely provide temporary file access without exposing S3 buckets publicly or routing downloads through backend servers.

Many applications either expose S3 files publicly or force every file request through the backend server. Both approaches create security, scalability, or performance problems.

Pre-signed URLs solve this by allowing controlled temporary access directly from S3 while keeping authorization inside your backend.

What Are S3 Pre-Signed URLs

A pre-signed URL is a temporary link that allows access to a specific file in S3.

  • generated by your backend
  • valid for a limited time
  • grants controlled access to a file

Why Use S3 Pre-Signed URLs

  • avoid making files publicly accessible
  • reduce load on your backend server
  • provide time-limited access
  • improve scalability

How S3 Pre-Signed URLs Work in Spring Boot

  1. Client requests access to a file
  2. Backend validates JWT and permissions
  3. Server generates temporary pre-signed URL
  4. Client downloads file directly from S3
  5. URL expires automatically after configured duration

Where to Generate Pre-Signed URLs

URL generation should happen in your backend, not on the client.

  • validate user identity first
  • check file ownership or permissions
  • generate URL only if authorized
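
import java.net.URL;
import java.time.Duration;
import software.amazon.awssdk.services.s3.presigner.S3Presigner;
import software.amazon.awssdk.services.s3.presigner.model.GetObjectPresignRequest;

GetObjectPresignRequest presignRequest = GetObjectPresignRequest.builder()
    .signatureDuration(Duration.ofMinutes(15)) // URL stops working after 15 minutes
    .getObjectRequest(r -> r.bucket(bucketName).key(objectKey))
    .build();
URL url = s3Presigner.presignGetObject(presignRequest).url();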
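
The three checks above (identity, ownership, generate only if authorized) combined in one service method with AWS SDK for Java v2. This is an added example, not code from the original article or from any product it mentions; `FileRecord`, `FileRecordRepository`, the `app.s3.bucket` property, the TTL values and the presence of an `S3Presigner` bean are assumptions made for illustration.

```java
import java.net.URL;
import java.time.Duration;
import java.util.Optional;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.stereotype.Service;
import software.amazon.awssdk.services.s3.presigner.S3Presigner;
import software.amazon.awssdk.services.s3.presigner.model.GetObjectPresignRequest;

// Hypothetical metadata store: maps an opaque file id to its owner and S3 key.
record FileRecord(String ownerId, String objectKey, boolean sensitive) {}

interface FileRecordRepository {
    Optional<FileRecord> findById(String fileId);
}

@Service
class FileAccessService {
    // Assumed lifetimes: shorter for sensitive files, as the article recommends.
    private static final Duration SENSITIVE_TTL = Duration.ofMinutes(2);
    private static final Duration DEFAULT_TTL = Duration.ofMinutes(15);

    private final S3Presigner presigner;
    private final FileRecordRepository files;
    private final String bucket;

    FileAccessService(S3Presigner presigner, FileRecordRepository files,
                      @Value("${app.s3.bucket}") String bucket) { // assumed property name
        this.presigner = presigner;
        this.files = files;
        this.bucket = bucket;
    }

    // userId must come from the already-validated JWT, never from a request parameter.
    URL createDownloadUrl(String userId, String fileId) {
        // Same error for "missing" and "not yours" so callers cannot probe for file ids.
        FileRecord file = files.findById(fileId)
                .filter(f -> f.ownerId().equals(userId))
                .orElseThrow(() -> new AccessDeniedException("File not accessible"));

        GetObjectPresignRequest request = GetObjectPresignRequest.builder()
                .signatureDuration(file.sensitive() ? SENSITIVE_TTL : DEFAULT_TTL)
                .getObjectRequest(r -> r.bucket(bucket).key(file.objectKey()))
                .build();
        // The URL is signed in the backend; the client then downloads from S3 directly.
        return presigner.presignGetObject(request).url();
    }
}
```

A controller only passes the JWT subject and the file id to `createDownloadUrl`, which keeps URL generation out of controller logic and raw S3 keys out of the API.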

Recommended Spring Boot S3 File Access Structure

Keeping authentication, storage, and URL generation separated makes secure file systems easier to maintain.

src/
 ├── controller/
 ├── security/
 ├── service/
 ├── storage/
 ├── s3/
 └── config/

Why Public S3 File Access Becomes a Security Problem

Many applications expose S3 files publicly because it simplifies downloads. This becomes risky when handling private or user-specific content.

  • files become accessible without authentication
  • private content can leak through shared URLs
  • access control becomes difficult to enforce
  • backend authorization logic gets bypassed

Pre-signed URLs solve this by keeping authorization inside your backend while allowing temporary secure access directly from S3.

Controlling access duration

Pre-signed URLs should always have an expiration time.

  • short duration for sensitive files
  • longer duration for public-like content
  • balance between usability and security

Common mistakes to avoid

  • generating URLs without authorization checks
  • using very long expiration times
  • exposing raw S3 paths
  • mixing URL generation with controller logic

When to Use S3 Pre-Signed URLs

  • secure file downloads
  • user-specific file access
  • scalable file serving systems

Without vs with pre-signed URLs

Without pre-signed URLs

  • public file exposure
  • backend handles all downloads
  • higher server load
  • harder scalability

With pre-signed URLs

  • temporary secure access
  • reduced backend load
  • direct S3 downloads
  • better scalability

Final thoughts

Pre-signed URLs provide a clean and scalable way to serve files securely. They reduce backend load while maintaining control over access.

When combined with proper authentication and authorization, they form a strong foundation for secure file systems.

Frequently asked questions

What is a pre-signed URL in AWS S3?

A pre-signed URL is a temporary secure link generated by your backend that grants controlled access to a specific S3 object.

Should pre-signed URLs expire?

Yes. Expiration times reduce security risks by limiting how long the URL can be used.

Why use pre-signed URLs instead of public S3 files?

Pre-signed URLs allow secure temporary access without exposing files publicly or routing downloads through your backend server.
