Advantage of authorizing direct call vs pre-signed URL for upload

0

I have an IoT environment. Things send JSON over Topics. But Things also need to upload photos to S3.

One option is to use pre-signed URLs. Another option is Direct authorization

Direct authorization appeals to me in that the same mechanism could be used for additional services if needed. (ex: direct dynamodb query).

In terms of complexity, pre-signed URLs requires topic designs, client handling of payloads, and a lambda with logic. The direct authorization requires IAM configurations, which can be tricky.

To me they appear effectively the same - just putting work in different places. Are there reasons to choose one over the other?

Fergus
asked a month ago40 views
2 Answers
2
Accepted Answer

Both pre-signed URLs and direct authorization for uploading to S3 have their own advantages, but they primarily differ in terms of security, flexibility, and complexity.

Pre-signed URLs are simple and secure for limited operations like uploading to S3. They are temporary, provide a secure, time-bound way for your IoT devices to upload directly without exposing broader permissions, and require minimal IAM configuration. However, they require a Lambda function to generate the URL and some additional client-side logic to handle the upload. Pre-signed URLs are a great choice when you want to limit what your IoT devices can do to very specific, controlled actions without broader access to AWS services.

Direct authorization, on the other hand, provides more flexibility, allowing the IoT devices to interact directly with multiple AWS services (like S3, DynamoDB, etc.) via appropriate IAM roles. While this can simplify authorization across services, it introduces greater complexity in terms of managing fine-grained IAM permissions and ensuring secure access. Direct authorization is useful when you need your devices to perform a variety of tasks beyond just uploading to S3, but it can increase the risk of misconfigurations or overly broad permissions.

The choice between pre-signed URLs and direct authorization depends on the scope of tasks your IoT devices need to perform. For simple, controlled uploads, pre-signed URLs are easier to manage and secure. If broader service interaction is needed, direct authorization may offer more flexibility but comes with added complexity and security considerations.

profile picture
EXPERT
answered a month ago
2

Direct authorization, or the AWS IoT credential provider, provides the most flexibility if your local device can utilize SigV4 signing of AWS calls (e.g., S3 PutObject).

The IAM roles do not need to be complex or unwieldy. By creating an IAM role that uses policy variables such as credentials-iot:ThingName, you can structure the policy to allow things to only upload to a specific S3 prefix. And as you called out, this pattern can be applied to other AWS services too. This is mainstay of how AWS IoT Greengrass addresses credentials for edge components too.

It is a best practice to use the credential provider if possible, and then fall back to other methods such as MQTT request/response to obtain a pre-signed URL for use.

AWS
Gavin_A
answered a month ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions