Question posted in 
Following scenario:
I want to share s3 content for example videos, but only with people from my own aws account. I dont give public access to the bucket, but i give the permissions for every aws user from my account to get the object.
But when i share the object URL and I or other people click on the URL, they get ACCESS DENIED. Why is that? I mean should s3 not check my cookies and check, whether I am allowed? If i go into the bucket, I can click on download like I am supposed to, but I find it very confusing, that I am not able to do this with the object URL.
Is the object URL somehow constraint or does AWS not check, whether I am logged in?
2
Answers
S3 will not check if the requesting people are logged into their AWS accounts. Instead, the request must use one of the authentication methods.
If you want to share links that can be opened in a browser, pre-signed URLs are usually a good way to go. However, they expire after a maximum expiration time of 7 days. If you want longer expiration times, Cloudfront has more options to share content from S3 buckets securely.
Yes, that object URL (e.g.
https://mybucket.s3.us-east-1.amazonaws.com/cat.jpg) is only viable for publicly readable objects.Your logged-in AWS console session is with a different domain, for example
https://us-east-1.console.aws.amazon.comand your authentication to that domain is not relevant when you attempt to fetch an object URL (from a different domain).If you’re wondering how the S3 console allows you to download an object, it’s because the S3 console generates a pre-signed object URL and fetches that. It does not fetch the native object URL.