How to authenticate the big-size file download from S3?


I am researching options to authenticate large (100 MB at least) file downloads from S3. The big challenge is the premise that I don't want to use pre-signed URLs, for security reasons. I researched loads of posts about authentication and they all point to API Gateway and Lambda functions, but I notice the payload/request limits for API Gateway and Lambda are 10 MB and 6 MB. I know I can certainly split the file into pieces within the limit, but I'd also like to look for other options. Ideally, what I am looking for is a download URL that is pretty much like an S3 object URL, with the only difference being that I provide a token (JWT or something) as a query string or in some other format, and then Lambda or another service authorizes the access by verifying the token using Cognito, and that's it. The file download should be the same as an original download and I don't have to face the challenge of the file size limit. Would that be possible? Is there any similar solution available?

  • Hi, could you explain why you don't want to use pre-signed URLs?

  • I would like my device to download files from S3, but we would like an authentication method for the download other than the AWS CLI with credentials. The device would need a pre-signed URL to perform the download using wget or something, right? But I found that a pre-signed URL is only time-limited, without an authentication option. I was searching for a way to have the device wget an API endpoint, providing a token as part of the URL, and then directly perform the file download. I also tried referring to the bucket policy, but the IP address is not guaranteed.

2 Answers

This blog post walks through an authenticated S3 uploader which you could modify to be a downloader: "Allowing external users to securely and directly upload files to Amazon S3".

AWS
answered 10 months ago
  • Sorry, this guide does not seem helpful as a reference? This tutorial directly uses Amplify UI for S3 upgrade, right? Isn't all the authentication and everything hidden in the Upgrade UI? Could you please provide more insights?


This is fairly old, so it has probably already been solved by the OP. But for future reference for anybody finding this post -- consider using a Lambda@Edge authorizer tied into a CloudFront distribution pointing at the S3 bucket. This will avoid using pre-signed URLs without introducing file size limits.

answered 3 months ago
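
The Lambda@Edge authorizer suggested in the answer above, written as an added example (not code from this thread or from AWS). It assumes a viewer-request trigger and an RS256 token issued by a Cognito user pool; the bundled key and issuer are placeholders, and `authorize`, `extractToken` and `deny` are hypothetical names.

```javascript
// Added example: Lambda@Edge viewer-request authorizer (Node.js runtime).
const crypto = require('node:crypto');

// Assumptions: Lambda@Edge has no environment variables, so the user pool's
// RSA public key (converted from its JWKS) and issuer are bundled as constants.
const PUBLIC_KEY_PEM = '<PEM public key of the Cognito user pool signing key>';
const ISSUER = 'https://cognito-idp.<region>.amazonaws.com/<userPoolId>';

const deny = (why) => ({
  status: '401',
  statusDescription: 'Unauthorized',
  headers: { 'cache-control': [{ key: 'Cache-Control', value: 'no-store' }] },
  body: why,
});

function extractToken(request) {
  const auth = request.headers.authorization;
  if (auth && auth[0].value.startsWith('Bearer ')) return auth[0].value.slice(7);
  // Query-string fallback as described in the question; such tokens end up in
  // access logs, so keep them short-lived.
  return new URLSearchParams(request.querystring).get('token');
}

// Returns the unchanged request (CloudFront continues to S3) or a 401 response.
function authorize(request, keyPem = PUBLIC_KEY_PEM, issuer = ISSUER, now = Date.now() / 1000) {
  const token = extractToken(request);
  if (!token) return deny('missing token');
  const parts = token.split('.');
  if (parts.length !== 3) return deny('malformed token');
  try {
    const header = JSON.parse(Buffer.from(parts[0], 'base64url'));
    if (header.alg !== 'RS256') return deny('unexpected alg'); // reject "none"/HS256
    const ok = crypto.verify('RSA-SHA256', Buffer.from(`${parts[0]}.${parts[1]}`),
      keyPem, Buffer.from(parts[2], 'base64url'));
    if (!ok) return deny('bad signature');
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
    if (claims.iss !== issuer) return deny('wrong issuer');
    if (typeof claims.exp !== 'number' || claims.exp <= now) return deny('expired');
  } catch (e) {
    return deny('invalid token'); // unparsable JSON or unusable key
  }
  return request;
}

exports.handler = async (event) => authorize(event.Records[0].cf.request);
```

The check only protects the objects if the bucket is readable solely through the distribution (for example with origin access control); otherwise a request to the S3 URL bypasses it.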
