You've probably got this under control but just in case - note the expiry time is in GMT, so are you definitely checking after your local time is past 2022-04-24 11:33:00 GMT?
I had the same issue, CloudFront signed URL for private objects in S3 still valid after expiry date/time.
Example URL:
https://my-cdn.com/object-id.jpg?Expires=1666654240446&Key-Pair-Id=XXX&Signature=XXX
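A check one can run on a signed URL before looking at caches, given here as an added example that is not part of the post above: CloudFront reads `Expires` as Unix time in seconds (UTC), so the script reports the expiry in UTC and flags values that look like milliseconds. The function name, the 10**10 threshold and the second URL are assumptions of this example.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Assumption of this example: an epoch value at or above 10**10 (year 2286 when
# read as seconds) was almost certainly generated in milliseconds.
MS_THRESHOLD = 10**10


def check_expires(url, now=None):
    """Classify the Expires parameter of a canned-policy signed URL.

    CloudFront reads Expires as Unix time in seconds (UTC) and serves the
    request only while the current time is earlier than that value.
    """
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware 'now'; naive local times hide the GMT offset")
    raw = parse_qs(urlparse(url).query).get("Expires", [""])[0]
    if not (raw.isascii() and raw.isdigit()):
        return {"status": "missing-or-invalid", "raw": raw}
    expires = int(raw)
    if expires >= MS_THRESHOLD:
        # Read as seconds this lies far in the future, so it cannot be the
        # expiry the signer meant. Show the time it gives when read as ms.
        intended = datetime.fromtimestamp(expires // 1000, tz=timezone.utc)
        return {"status": "looks-like-milliseconds", "raw": raw,
                "intended_utc": intended.isoformat()}
    expiry = datetime.fromtimestamp(expires, tz=timezone.utc)
    return {"status": "expired" if now >= expiry else "valid",
            "expires_utc": expiry.isoformat(),
            "seconds_left": int((expiry - now).total_seconds())}


if __name__ == "__main__":
    # URL as posted above (placeholders kept), plus a constructed URL whose
    # Expires equals 2022-04-24 11:33:00 GMT, the time mentioned in the thread.
    posted = "https://my-cdn.com/object-id.jpg?Expires=1666654240446&Key-Pair-Id=XXX&Signature=XXX"
    constructed = "https://cdn.example.com/a.jpg?Expires=1650799980&Key-Pair-Id=XXX&Signature=XXX"
    for u in (posted, constructed):
        print(check_expires(u))
```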
Hi Techxonia!
Thank you for reaching out to us with your concern. When you create a presigned URL, you can specify an expiration time, after which the signed URL you created will not work. In your case, however, it seems to be that even after this set expiration time the link is still valid.
The reason that this is happening is because the expiration time for the pre-signed URL is checked by S3, and if the browser / proxy you are using has the file cached (CloudFront in this case), then the request doesn't go to S3, it will go to the cache first. If the entry exists in the cache, then that is why you are able to see it after the expiry date. The same user can access the URL after the expiry date, until the cache expires.
Additional Solutions if the above explanation is not sufficient and you would like to delete it:
- Delete the file so that it doesn't exist anymore.
- You can create a presigned URL for temporary S3 objects, so that once the expiry time hits, the S3 temporary object is automatically deleted, and therefore it is not accessible after the expiry date.
- Can change the file's permissions to remove access for the users who shouldn't have access. Can use the AWS CLI or the SDK to do so.
  Example: aws s3api put-object-acl --bucket my-bucket --key my-file.txt --acl private --grant-read "emailaddress=user@example.com"
  This command sets the file's ACL to private, meaning that only the owner has access to it. And we also remove read access to the file for the person at the email address.
Conclusion: All in all, the issue likely resolves in the fact that the data is being stored in the cache and when using the presigned URL, you are getting the info from the cache rather than from where the information lies and this is why you are seeing it work even after the expiry is done. To triple check if this is the case, you can open an incognito (private) browser and open the link there.
I am checking after past 2022-04-24 11:33:00 GMT. This signed URL opens in the Android Chrome browser but does not open in Windows Chrome (clear all data).