
Security Model, Scoping, and Blast Radius Reduction

Definition
Presigned URL scoping limits what a URL can access and for how long. Proper scoping reduces blast radius (the damage if a URL leaks) from "entire bucket accessible indefinitely" to "single object, read only, 5 minutes."

The Four Scoping Dimensions

Every presigned URL should be scoped across four dimensions. Object scope limits access to a specific key or prefix: signing uploads/user-123/profile.jpg prevents the URL from reaching other users' files. Operation scope restricts the URL to GET or PUT, so a download URL cannot be turned into an upload URL. Time scope sets the expiration, typically 300-900 seconds in production; longer lifetimes increase the window in which a leaked URL is usable. Size scope, for uploads, sets content-length conditions so a single URL cannot be used to store arbitrarily large objects.

Blast Radius Analysis

Consider what happens when a URL leaks. A poorly scoped URL might grant access to any object in a bucket, the ability to list objects, upload capability, and unlimited time. A well-scoped URL limits the damage to one specific object, read or write (not both), a 5-minute window, and no list or delete capability. A leaked poorly scoped URL could expose millions of files; a leaked well-scoped URL exposes one file briefly.

⚠️ Key Trade-off: Dedicated signing credentials per use case add operational complexity but dramatically reduce blast radius. A mobile upload signer should not have production data read access.

Credential Scope vs URL Scope

Presigned URLs inherit permissions from signing credentials. If you sign with root keys that can access all buckets, the URL inherits that broad scope regardless of intent. This creates layered security requirements. The signing credentials should have minimal permissions scoped to specific prefixes. Even with broad credential access, the URL should request specific scope. Network controls like VPC endpoints add another defense layer.
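The following is an added example, not code from the original page: a per-use-case signer that enforces all four scoping dimensions (object prefix, operation, expiry ceiling, upload size) before producing an S3-style SigV4 query-string presigned URL. The signing steps follow the public SigV4 specification using only the standard library; a real service would call its SDK's presign function instead. The bucket, key names, access key and secret are constructed, and signing Content-Length for uploads is an assumption about how the client will be bound to one exact size.

```python
"""Scoped presigned URL generation (added example, standard library only)."""
import datetime as dt
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import quote

MAX_EXPIRES = 900                 # production ceiling from the text (300-900 s)
MAX_UPLOAD_BYTES = 10 * 1024 * 1024


@dataclass(frozen=True)
class SigningScope:
    """One dedicated signer per use case: its own keys, bucket, prefix and verbs."""
    access_key: str
    secret_key: str
    bucket: str
    region: str
    allowed_prefix: str
    allowed_methods: frozenset


def check_scope(scope, method, key, expires, content_length=None):
    """Enforce the four dimensions before anything is signed; raises ValueError."""
    if method not in scope.allowed_methods:                         # operation scope
        raise ValueError(f"{method} not permitted for this signer")
    if not key.startswith(scope.allowed_prefix):                    # object scope
        raise ValueError(f"{key!r} is outside prefix {scope.allowed_prefix!r}")
    if not 1 <= expires <= MAX_EXPIRES:                             # time scope
        raise ValueError(f"expiry {expires}s must be within 1..{MAX_EXPIRES}")
    if method == "PUT":                                             # size scope
        if content_length is None or not 1 <= content_length <= MAX_UPLOAD_BYTES:
            raise ValueError("PUT requires a Content-Length within the upload limit")
    elif content_length is not None:
        raise ValueError("Content-Length is only signed for uploads")


def scope_violation(scope, method, key, expires, content_length=None):
    """Return the rejection reason for an out-of-scope request, or None if allowed."""
    try:
        check_scope(scope, method, key, expires, content_length)
    except ValueError as err:
        return str(err)
    return None


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret, date, region):
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return k


def _enc(s):
    return quote(s, safe="-_.~")


def presign(scope, method, key, expires, content_length=None, now=None):
    """Return a SigV4 query-string presigned URL for exactly one object and verb."""
    check_scope(scope, method, key, expires, content_length)
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    cred_scope = f"{amz_date[:8]}/{scope.region}/s3/aws4_request"
    host = f"{scope.bucket}.s3.{scope.region}.amazonaws.com"
    headers = {"host": host}
    if content_length is not None:
        # Assumption: signing Content-Length binds the upload to one exact size;
        # the client must send that header verbatim or the signature fails.
        headers["content-length"] = str(content_length)
    signed_headers = ";".join(sorted(headers))
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{scope.access_key}/{cred_scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": signed_headers,
    }
    query = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(params.items()))
    uri = "/" + quote(key, safe="/-_.~")
    canonical = "\n".join([method, uri, query,
                           "".join(f"{k}:{v}\n" for k, v in sorted(headers.items())),
                           signed_headers, "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, cred_scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    sig = hmac.new(_signing_key(scope.secret_key, amz_date[:8], scope.region),
                   to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={sig}"


# Constructed credentials: a mobile-upload signer that may only PUT under uploads/
UPLOAD_SIGNER = SigningScope(
    access_key="AKIAEXAMPLEUPLOAD", secret_key="constructed-secret-not-real",
    bucket="app-user-content", region="us-east-1",
    allowed_prefix="uploads/", allowed_methods=frozenset({"PUT"}),
)

if __name__ == "__main__":
    print(presign(UPLOAD_SIGNER, "PUT", "uploads/user-123/profile.jpg", 300, content_length=4096))
    for bad in [("GET", "uploads/user-123/profile.jpg", 300, None),     # wrong verb
                ("PUT", "reports/q3.pdf", 300, 4096),                    # wrong prefix
                ("PUT", "uploads/user-123/profile.jpg", 86400, 4096)]:   # too long
        print("rejected:", scope_violation(UPLOAD_SIGNER, *bad))
```

Because the signer object carries its own credentials and allowed prefix, the credential scope and the URL scope are enforced in the same place: even if the secret behind UPLOAD_SIGNER were accidentally over-privileged in IAM, this code path will never sign a GET, a key outside uploads/, or a day-long expiry.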

Audit and Detection

Scoping alone is insufficient without visibility. Log every URL generation with the requesting identity, the requested scope, the expiration time, and the request context. Alert on anomalies: unusual object patterns, high generation rates, and access from unexpected regions. Correlate generation logs with access logs to detect leaked URLs, which show up as one signature being used from multiple IPs or regions. This detection turns a leak from an unknown breach into a contained incident with a clearly known scope.
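An added example of the correlation described above (not code from the original page): a generation log and an S3-style access log, both constructed inline, are joined on the URL signature so that a signature served to more than one client IP or region is flagged as a probable leak, and an identity issuing URLs faster than a baseline is flagged as a generation-rate anomaly. The field names and the time values are assumptions for the example.

```python
"""Correlating presigned URL generation logs with access logs (added example)."""
from collections import defaultdict

# Constructed generation log: one row per presigned URL issued by a signer.
GENERATION_LOG = [
    {"sig": "a1f3", "identity": "mobile-upload-signer", "method": "PUT",
     "key": "uploads/user-123/profile.jpg", "issued": 1000, "expires": 1300},
    {"sig": "b7c2", "identity": "report-download-signer", "method": "GET",
     "key": "reports/q3.pdf", "issued": 1010, "expires": 1310},
    {"sig": "c9d4", "identity": "report-download-signer", "method": "GET",
     "key": "reports/q4.pdf", "issued": 1020, "expires": 1320},
]

# Constructed access log: one row per request served, keyed by the URL signature.
ACCESS_LOG = [
    {"sig": "a1f3", "ip": "203.0.113.10", "region": "us-east-1", "time": 1005, "status": 200},
    {"sig": "b7c2", "ip": "198.51.100.7", "region": "us-east-1", "time": 1015, "status": 200},
    {"sig": "b7c2", "ip": "192.0.2.44", "region": "eu-west-1", "time": 1020, "status": 200},
    {"sig": "b7c2", "ip": "192.0.2.45", "region": "eu-west-1", "time": 1021, "status": 200},
    {"sig": "c9d4", "ip": "198.51.100.7", "region": "us-east-1", "time": 1400, "status": 403},
]


def find_leaked_urls(generation_log, access_log):
    """Flag signatures successfully used from more than one IP or region.

    Each alert carries the generation record, so the responder immediately
    knows the blast radius: which object, which verb, which signer issued it.
    """
    issued = {g["sig"]: g for g in generation_log}
    seen = defaultdict(lambda: {"ips": set(), "regions": set()})
    for a in access_log:
        if a["status"] != 200:          # rejected requests (expired, bad sig) are not a leak in use
            continue
        seen[a["sig"]]["ips"].add(a["ip"])
        seen[a["sig"]]["regions"].add(a["region"])
    alerts = []
    for sig, s in seen.items():
        if len(s["ips"]) > 1 or len(s["regions"]) > 1:
            g = issued.get(sig, {})
            alerts.append({"sig": sig, "key": g.get("key"), "method": g.get("method"),
                           "identity": g.get("identity"),
                           "ips": sorted(s["ips"]), "regions": sorted(s["regions"])})
    return alerts


def find_generation_spikes(generation_log, window, threshold):
    """Return identities that issued more than `threshold` URLs in any `window` seconds."""
    by_identity = defaultdict(list)
    for g in generation_log:
        by_identity[g["identity"]].append(g["issued"])
    spikes = {}
    for ident, times in by_identity.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):      # sliding window over sorted issue times
            while t - times[lo] > window:
                lo += 1
            count = hi - lo + 1
            if count > threshold:
                spikes[ident] = max(spikes.get(ident, 0), count)
    return spikes


if __name__ == "__main__":
    for alert in find_leaked_urls(GENERATION_LOG, ACCESS_LOG):
        print("possible leaked URL:", alert)
    print("generation spikes:", find_generation_spikes(GENERATION_LOG, window=60, threshold=1))
```

In the sample data only signature b7c2 trips the leak rule (three IPs across two regions), while the 403 for c9d4 after its expiry is not a leak in use but is exactly the kind of post-expiry retry a short time scope is meant to neutralise.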

💡 Key Takeaways
Four scoping dimensions: object (specific key/prefix), operation (GET/PUT), time (300-900 seconds), size (content length limits)
Blast radius difference: a poorly scoped URL exposes millions of files indefinitely; a well-scoped URL exposes one file for 5 minutes
URLs inherit signing credential permissions - use minimal privilege dedicated signing roles per use case
Layer defenses: credential scope plus URL scope plus network controls, with audit logging to detect leaked URLs
📌 Interview Tips
1. When discussing presigned URL security, explain how you would scope upload URLs differently than download URLs, with specific restrictions
2. Mention blast radius analysis: calculate the worst-case exposure for a leaked URL under your proposed design
3. Describe audit correlation between URL generation logs and access logs to detect leaked URLs used from multiple locations