{"id":7982,"date":"2023-03-16T09:00:00","date_gmt":"2023-03-16T09:00:00","guid":{"rendered":"https:\/\/www.withsecure.com\/?post_type=lab_item&#038;p=7982"},"modified":"2026-05-22T12:52:18","modified_gmt":"2026-05-22T11:52:18","slug":"pre-signed-at-your-service","status":"publish","type":"lab_item","link":"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/pre-signed-at-your-service\/","title":{"rendered":"Pre-signed at your service"},"content":{"rendered":"<section\n    class=\"wp-block-one-column-block edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 wp-block-one-column-block--meta-sharing layout--spacing-xxxxl-top layout--spacing-xl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                            <div class='wp-block-one-column-block__meta-sharing-grid'><div class=\"wp-component-content wp-component-content--default wp-block-one-column-block__content fade-in\">\n            <h1 class=\"wp-component-heading text--h2 wp-component-content__title\">\n    Pre-signed at <span class=\"blue-text\">your service<\/span><\/h1>                    <div class=\"wp-component-content__inner\">\n                                                    <div class=\"wp-component-content__meta\">\n                                                                            <span class=\"wp-component-content__meta-categories\">\n                                                                    <span class=\"wp-component-content__meta-category\">\n                                        Identity security                                    <\/span>\n                                                            <\/span>\n                                                                                                    <span class=\"wp-component-content__meta-date\">\n                                16 March, 2023              
              <\/span>\n                                                                    <\/div>\n                                            <\/div>\n                <\/div><section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--content-1 wp-block-sharing-icons--disable-container wp-block-one-column-block__sharing fade-in wp-block-one-column-block__sharing fade-in\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div class=\"wp-block-sharing-icons__inner\">\n                            <p class=\"wp-block-sharing-icons__title fade-in\">\n                    Share this                <\/p>\n                        <div class=\"wp-component-socials wp-component-socials--dark-mode\">\n    \n            <a href=\"https:\/\/www.linkedin.com\/shareArticle?mini=true&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/pre-signed-at-your-service\/&#038;title=Pre-signed%20at%20your%20service\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link\" title=\"Share on Linkedin\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Pre-signed at your service&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/pre-signed-at-your-service\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n<\/div>                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-one-column-block 
edwp-block js-wp-block-one-column-block wp-block-one-column-block--content-1 layout--spacing-xxxl-bottom\"\n    >\n    <div class=\"wp-block-one-column-block__container\">\n                                                                                                                                    <div class=\"wp-component-image__wrapper wp-block-one-column-block__image fade-in\">\n                    <figure class=\"wp-component-image__figure\">\n                                            <img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights.jpg.webp\" class=\"wp-component-image\n                            wp-component-image--desktop\n                            wp-component-image--mobile\n                            wp-component-image--ratio-content-25-1 wp-component-image--fit-cover\" alt=\"\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights.jpg.webp 1200w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-300x200.jpg.webp 300w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-1024x683.jpg.webp 1024w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-768x512.jpg.webp 768w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-447x298.jpg.webp 447w, https:\/\/www.withsecure.com\/wp-content\/smush-webp\/2026\/05\/ws_labs_insights-219x146.jpg.webp 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                                                    <\/figure>\n                    <\/div>\n                                                                                <\/div>\n<\/section>\n\n\n<section\n    class=\"wp-block-two-column-block edwp-block js-wp-block-two-column-block wp-block-two-column-block--content-1 wp-block-two-column-block__left--align-y-top 
wp-block-two-column-block__right--align-y-top wp-block-two-column-block--split-sidebar layout--none-top layout--spacing-xxxl-bottom\"\n    data-block-id=\"block_2f2c7c6979619b4685f401cee4b982fe\"\n    >\n    <div class=\"wp-block-two-column-block__container row-load\">\n                                                        <div class=\"wp-block-two-column-block__left\">\n                                    <div class=\"wp-component-authors-list wp-block-two-column-block__authors\">\n                    <p class=\"wp-component-authors-list__title\">\n                Authors            <\/p>\n        \n        <div class=\"wp-component-authors-list__items\">\n                                                <div class=\"wp-component-author-card \">\n    <div class=\"wp-component-author-card__media\">\n                    <span class=\"wp-component-author-card__photo-placeholder\" aria-hidden=\"true\">\n                <svg viewBox=\"0 0 64 64\" role=\"presentation\" focusable=\"false\">\n                    <path d=\"M32 34c-8.1 0-14.7 6.6-14.7 14.7v3.5h29.4v-3.5C46.7 40.6 40.1 34 32 34z\"><\/path>\n                    <path d=\"M32 31.2c6 0 10.9-4.9 10.9-10.9S38 9.4 32 9.4s-10.9 4.9-10.9 10.9S26 31.2 32 31.2z\"><\/path>\n                <\/svg>\n            <\/span>\n            <\/div>\n    <div class=\"wp-component-author-card__content\">\n                    <h3 class=\"wp-component-author-card__name\">Robert de Jager<\/h3>\n        \n                \n            <\/div>\n\n<\/div>\n\n                                    <\/div>\n\n            <\/div>\n<nav\n    class=\"wp-component-content-navigation wp-block-two-column-block__content-nav js-content-navigation\"\n    data-bem-base=\"wp-component-content-navigation\"\n    data-nav-column=\"left\"\n    data-nav-type=\"auto\"\n>\n            <p class=\"wp-component-content-navigation__title\">\n            Content        <\/p>\n    \n    <div class=\"wp-component-content-navigation__mobile\">\n        <label 
aria-hidden='true'>\n                <use xlink:href='#linkedin'><\/use>\n            <\/svg>        <\/a>\n    \n            <a href=\"http:\/\/x.com\/share?text=Pre-signed at your service&#038;url=https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/pre-signed-at-your-service\/\" target=\"_blank\" rel=\"noreferer noopener\" class=\"wp-component-socials__link wp-component-socials__link--twitter\" title=\"Share on Twitter\">\n            <svg class='edwp-icon edwp-icon--xlg js-icon ' aria-hidden='true'>\n                <use xlink:href='#x'><\/use>\n            <\/svg>        <\/a>\n    \n    \n    <\/div>\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                                                <div class=\"wp-block-two-column-block__right\">\n                                <div class=\"wp-component-paragraph wp-block-two-column-block__paragraph \">\n    <h2>Summary<\/h2>\n<p>The AWS S3 pre-signed URL functionality is pretty well documented. However, when combined with IAM role assumption, specifically with Service Roles, there are risks that present themselves that an average AWS admin might not be aware of.<\/p>\n<p>For example, should an EC2 instance with S3 access be compromised, a malicious actor could make use of a pre-signed URL to maintain temporary access to an S3 object. In my tests this allowed me to maintain access for just over 6 hours. The access was persistent even after the instance that created the pre-signed URL was terminated. Pre-signed URL usage is recorded in the logs from the AWS S3 and CloudTrail services, but only when specific logging features that are not turned on by default have been enabled; without them, malicious usage could be impossible to track.<\/p>\n<p>These risks are important to be aware of in the event that a malicious actor gains access to critical data stored in S3. Using a pre-signed URL, a malicious actor might be able to exfiltrate data from S3 even after the original method of entry was removed. 
Combined with the required logging potentially not being enabled, this could make discovery of the exfiltration problematic. This article will cover these risks in more detail.<\/p>\n<h2>What are pre-signed URLs?<\/h2>\n<p>Perhaps a lesser-known feature of the AWS S3 service, pre-signed URLs allow users to share access to specific S3 objects via a hyperlink. This means if an external party is given a pre-signed URL, for a limited time, they will be able to access this object even if the bucket and objects are private. AWS documentation recommends great care be taken when making use of pre-signed URLs and understandably so.<\/p>\n<p>Pre-signed URLs can be generated with a specific time to live <a href=\"https:\/\/awscli.amazonaws.com\/v2\/documentation\/api\/latest\/reference\/s3\/presign.html\" target=\"_blank\" rel=\"noopener\">[1]<\/a>. This means it\u2019s not possible to generate a pre-signed URL for long-term use but the time it is active for is still quite lengthy. The maximum time to live for a pre-signed URL is broken down in the documentation as 6 hours for an instance profile, 36 hours for an IAM user and 7 days for an IAM user using Signature Version 4 <a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/ShareObjectPreSignedURL.html\" target=\"_blank\" rel=\"noopener\">[2]<\/a>. Should a pre-signed URL ever be leaked or should a malicious actor gain access to creating a pre-signed URL, these timeframes could be enough time for them to carry out any work they have planned, such as exfiltrating multiple sensitive S3 objects or, in the event they have PUT access, overwriting existing S3 objects with malicious payloads.<\/p>\n<p>Read-only access is often seen as a relatively safe level of access to give to users as they will be unable to actively change resources, only read them or, in the case of AWS S3, access the objects in a controlled and expected fashion. However, read access given to an AWS S3 object has a caveat. 
The minimum permission required to generate a pre-signed URL is read-only access to the S3 bucket\/object. This could lead to objects being accessed in ways that are not expected. For example, an admin could give read access for a console user to an S3 object, expecting them to access the object from their work laptop, using the AWS console and MFA. However, after doing this once, the user could generate a pre-signed URL to avoid having to do this again for as long as the pre-signed URL is valid. This also allows users to be able to access the private S3 object from over the internet regardless of device\/IP (unless the bucket policy explicitly denies this).<\/p>\n<p>Apart from accessing objects, pre-signed URLs can also be used to delete or upload S3 objects. Due to time constraints I only cover accessing objects here, but there\u2019s more to play around with.<\/p>\n<h2>Risk 1 &#8211; Observability<\/h2>\n<p>Currently there are no events logged or available for the creation of a pre-signed URL on AWS. A pre-signed URL is computed locally by signing the request with the caller\u2019s credentials, so generating one sends no request to AWS that could be logged. Running tests, I found that neither S3 nor CloudTrail picked up the creation of a pre-signed URL, only the use of one. This means if a malicious user created a pre-signed URL, they could store it for later use.<\/p>\n<p>Once the created pre-signed URL is used, there are two ways to detect it. The first is CloudTrail Data Events <a href=\"https:\/\/docs.aws.amazon.com\/awscloudtrail\/latest\/userguide\/logging-data-events-with-cloudtrail.html\" target=\"_blank\" rel=\"noopener\">[5]<\/a>, which is not enabled by default due to the increased costs it would create. The second is S3 Access Logging <a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/enable-server-access-logging.html\" target=\"_blank\" rel=\"noopener\">[6]<\/a>. This is another logging mechanism that is not enabled by default. An admin might not want to enable these for an S3 bucket that is set to private, as it would incur additional costs for arguably not much gain. 
However, without these logging mechanisms pre-signed URL usage wouldn\u2019t be visible.<\/p>\n<p>If CloudTrail data events and S3 access logging were enabled, it would show that a pre-signed URL was used to access a bucket, from some external IP using a role or user, but by that point the damage is already done. This logging information would only show what data the malicious actor accessed. As such logging should be seen as an analysis tool and not a safeguard in this situation. I cover some preventative measures in the caveats section below.<\/p>\n<h2>Risk 2 &#8211; Service Roles<\/h2>\n<p>Let us assume that a malicious actor gained unauthorized access to an EC2 instance that had read access to an S3 bucket by way of a service role (attached by IAM Instance Profile). The malicious actor generates a pre-signed URL on the EC2 instance for an object they want to exfiltrate.<\/p>\n<p>A sharp-eyed admin notices strange behavior and either isolates, shuts down, or panics and terminates the EC2 instance completely. The admin or investigation team may think that the malicious actor no longer has access to anything as the server that made use of the role is gone. This is an incorrect assumption. The malicious actor can no longer generate a new pre-signed URL but unless the current service role sessions are revoked, the malicious actor can still make use of the existing pre-signed URL to access the S3 object from outside of the estate. This access would last for 6 hours according to the pre-sign documentation <a href=\"https:\/\/repost.aws\/knowledge-center\/presigned-url-s3-bucket-expiration\" target=\"_blank\" rel=\"noopener\">[3]<\/a> and when running tests I found it to be between 6 \u2013 6.5 hours.<\/p>\n<p>As an aside the AWS documentation does mention revoking role sessions for any roles that are no longer required<a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/id_roles_use_revoke-sessions.html\" target=\"_blank\" rel=\"noopener\">[4]<\/a>. 
However, what happens if the service role is still required by other running workloads and revoking all current sessions would impact workloads detrimentally? An admin might not be able to quickly revoke sessions in this case.<\/p>\n<p>Additionally, I could see no easy way to find active role sessions in the AWS IAM service to allow me to pick and choose which sessions I wanted to revoke. Revoking an active session in AWS means clicking a button in the IAM service for the role, which causes AWS to generate an inline policy. Once this policy is approved by an admin, it will then be applied to the role in question. An example of the inline policy can be seen in the appendix below.<\/p>\n<p>An admin or investigator would need to use AWS CloudTrail with data events enabled to see which role was being misused. Once done they can navigate to the role in the AWS IAM service, select revoke sessions and revoke all current sessions. This means that all role sessions up until a specific time have to be revoked. This could be a bit of a sticky situation for services that assume the same role. The scope of this blanket revocation could be made smaller by noting the timestamp of the malicious role assumption in CloudTrail and editing the inline policy that is created when revoking sessions, specifying a more precise TokenIssueTime.<\/p>\n<h2>Risk 3 \u2013 IAM User<\/h2>\n<p>Even though it was a Service Role attached to an EC2 instance that piqued my interest, I ran some additional tests looking at IAM Users. The two most noteworthy are described below.<\/p>\n<h3>Creating a pre-signed URL using a User Account<\/h3>\n<p>Using a User account with S3 access given directly by policy, I generated a pre-signed URL. Once the user was deleted, the pre-signed URL no longer worked as it was dependent on the IAM user and not a role. This was as expected.<\/p>\n<h3>Creating a pre-signed URL Using a role<\/h3>\n<p>Using an STS role that the IAM user assumed, I generated a pre-signed URL. 
After deleting the user, the pre-signed URL continued to work for 1 hour as is documented in the AWS documentation <a href=\"https:\/\/repost.aws\/knowledge-center\/presigned-url-s3-bucket-expiration\" target=\"_blank\" rel=\"noopener\">[3]<\/a>. This one hour is a narrow window to do anything interesting but could still be useful.<\/p>\n<h3>Caveats<\/h3>\n<p>There are some caveats to using pre-signed URLs. Network control affects pre-signed URLs. Meaning that network access control lists, security groups, firewalls or any network traffic management to the S3 bucket will be able to block pre-signed URLs from being used. For example, ensuring that S3 bucket policies only allow access from expected IPs. However S3 buckets are often not configured to sit behind these network tools due to the assumption that their native permissions management will deal with any threat. (For example if the bucket is private, the objects are private and the public-access-block is locked down, then it could be assumed there isn\u2019t any risk but as we\u2019ve seen above this is not necessarily true).<\/p>\n<p>There is a caveat to keep in mind with S3 access logs. When reading an S3 access log looking for pre-signed URL usage, it is expected to see at least one entry marked as \u2018Access Denied\u2019. This can be confusing at a glance as it could be incorrectly assumed the get request originating from the pre-signed URL was denied. This may not be correct. It is important to pay attention to the object that was being accessed. For example, when investigating S3 access logs there will be an access denied message as the request attempts to grab a favicon.ico along with the actual payload object. The favicon.ico will have access denied as the pre-signed URL can only access the S3 object it was given access to. 
When investigating S3 access logs, special attention should be taken to narrow down on the S3 object being investigated.<\/p>\n<h2>Future Work<\/h2>\n<p>What follows may be some areas of interest for additional research for a security researcher to investigate in the future. These areas were identified while pre-signed URLs were being investigated but did not fit the scope of this article.<\/p>\n<h3>Experiment with AWS Service-Linked roles<\/h3>\n<p>The AWS documentation states that service-linked role sessions cannot be revoked. Even though I could see no way of using a service-linked role with pre-signed URLs, if it was ever possible, the admin would have no choice but to wait out the role session\u2019s time to live.<\/p>\n<h3>Explore AWS Signature Version 4 and IAM users<\/h3>\n<p>Making use of AWS Signature Version 4 could allow pre-signed URLs to remain valid for 7 days. However, as the time to live for a pre-signed URL is overruled by the lifetime of the temporary credential that created it, this might not be as useful. Further investigation into AWS Signature Version 4 could be interesting.<\/p>\n<h3>Experiment with PUT object by way of pre-signed URL in S3 combined with AWS Lambda<\/h3>\n<p>In theory, if a developer working with Lambda functions accidentally leaked or committed credentials, a malicious actor could use these to overwrite code if the credentials allowed PUT in S3. The malicious actor could generate a pre-signed URL and use it to overwrite a Lambda archive that was stored in S3 with a malicious one. If the pre-signed URL was created by assuming a role first, then the malicious actor would have 1 hour to do this, even after the developer credentials were deleted or rotated.<\/p>\n<h2>Conclusion<\/h2>\n<p>Even though this is a pretty niche use case, I\u2019d like to end the article by stating that if any external access is given to an S3 bucket, regardless of methodology, access logging should always be enabled on the S3 bucket. 
Additionally ensure the S3 bucket policy limits network access to expected sources. When it comes to compromised users and services, rotating credentials is a good first step. But it is also important to revoke any current role sessions that might have ties to the compromised entity to ensure malicious access is fully purged.<\/p>\n<h2>References<\/h2>\n<p>[1] <a href=\"https:\/\/awscli.amazonaws.com\/v2\/documentation\/api\/latest\/reference\/s3\/presign.html\" target=\"_blank\" rel=\"noopener\">https:\/\/awscli.amazonaws.com\/v2\/documentation\/api\/latest\/reference\/s3\/presign.html<\/a><\/p>\n<p>[2] <a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/ShareObjectPreSignedURL.html\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/ShareObjectPreSignedURL.html<\/a><\/p>\n<p>[3] <a href=\"https:\/\/repost.aws\/knowledge-center\/presigned-url-s3-bucket-expiration\" target=\"_blank\" rel=\"noopener\">https:\/\/repost.aws\/knowledge-center\/presigned-url-s3-bucket-expiration<\/a><\/p>\n<p>[4] <a href=\"https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/id_roles_use_revoke-sessions.html\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.aws.amazon.com\/IAM\/latest\/UserGuide\/id_roles_use_revoke-sessions.html<\/a><\/p>\n<p>[5] <a href=\"https:\/\/docs.aws.amazon.com\/awscloudtrail\/latest\/userguide\/logging-data-events-with-cloudtrail.html\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.aws.amazon.com\/awscloudtrail\/latest\/userguide\/logging-data-events-with-cloudtrail.html<\/a><\/p>\n<p>[6] <a href=\"https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/enable-server-access-logging.html\" target=\"_blank\" rel=\"noopener\">https:\/\/docs.aws.amazon.com\/AmazonS3\/latest\/userguide\/enable-server-access-logging.html<\/a><\/p>\n<h2>Appendix<\/h2>\n<p>The use of the pre-signed URL after it was generated was visible in CloudTrail, if the CloudTrail in question had Data Events enabled. 
This makes sense as behind the scenes the pre-sign URL makes an S3 GetObject request. Below is an example of what a pre-signed URL looks like when captured as a CloudTrail data event. Following it is an example of a pre-signed URL being captured by an S3 access logging event. Finally, as mentioned earlier, is an example of what an autogenerated revoke inline policy looks like.<\/p>\n<p>CloudTrail Data Event S3 Object Access Sample<\/p>\n<pre><code class=\"language-bash\">{\r\n      \"eventVersion\": \"1.08\",\r\n      \"userIdentity\": {\r\n        \"type\": \"IAMUser\",\r\n        \"principalId\": \"AIDA5WBGGGGGGG5GGMG5G\",\r\n        \"arn\": \"arn:aws:iam:: 112233445566:user\/personal_research\",\r\n        \"accountId\": \"112233445566\",\r\n        \"accessKeyId\": \"AKIA5GGGGGGGGGGGGG5C\",\r\n        \"userName\": \"personal_research\"\r\n      },\r\n      \"eventTime\": \"2023-01-30T16:48:09Z\",\r\n      \"eventSource\": \"s3.amazonaws.com\",\r\n      \"eventName\": \"GetObject\",\r\n      \"awsRegion\": \"eu-west-1\",\r\n      \"sourceIPAddress\": \"xx.xx.xx.xxx\",\r\n      \"userAgent\": \"[Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko\/20100101 Firefox\/109.0]\",\r\n      \"requestParameters\": {\r\n        \"X-Amz-Date\": \"20230130T161448Z\",\r\n        \"bucketName\": \"rob-presign-test\",\r\n        \"X-Amz-Algorithm\": \"AWS4-HMAC-SHA256\",\r\n        \"X-Amz-SignedHeaders\": \"host\",\r\n        \"Host\": \"bucket-presign-test.s3.eu-west-1.amazonaws.com\",\r\n        \"X-Amz-Expires\": \"3600\",\r\n        \"key\": \"payload.txt\"\r\n      },\r\n      \"responseElements\": null,\r\n      \"additionalEventData\": {\r\n        \"SignatureVersion\": \"SigV4\",\r\n        \"CipherSuite\": \"ECDHE-RSA-AES128-GCM-SHA256\",\r\n        \"bytesTransferredIn\": 0,\r\n        \"AuthenticationMethod\": \"QueryString\",\r\n        \"x-amz-id-2\": \"obn7nIzyKIEQobBYk4SSTteqhZnuAlkaR9ryBeJVSrRrgJFCr2GBjsj2qrFXfmkGJdr6CQ8yyOQ=\",\r\n        
\"bytesTransferredOut\": 36\r\n      },\r\n      \"requestID\": \"FR5VM8F8DNSQZZ1X\",\r\n      \"eventID\": \"08a86633-23ac-42ca-a8d5-635c44b247d6\",\r\n      \"readOnly\": true,\r\n      \"resources\": [\r\n        {\r\n          \"type\": \"AWS::S3::Object\",\r\n          \"ARN\": \"arn:aws:s3:::bucket-presign-test\/payload.txt\"\r\n        },\r\n        {\r\n          \"accountId\": \"112233445566\",\r\n          \"type\": \"AWS::S3::Bucket\",\r\n          \"ARN\": \"arn:aws:s3:::bucket-presign-test\"\r\n        }\r\n      ],\r\n      \"eventType\": \"AwsApiCall\",\r\n      \"managementEvent\": false,\r\n      \"recipientAccountId\": \"112233445566\",\r\n      \"eventCategory\": \"Data\",\r\n      \"tlsDetails\": {\r\n        \"tlsVersion\": \"TLSv1.2\",\r\n        \"cipherSuite\": \"ECDHE-RSA-AES128-GCM-SHA256\",\r\n        \"clientProvidedHostHeader\": \"bucket-presign-test.s3.eu-west-1.amazonaws.com\"\r\n      }\r\n    },<\/code><\/pre>\n<p>S3 Access Log Pre-Signed URL Data Download Example<\/p>\n<pre><code class=\"language-bash\">133ad5f654eff80f3d0499b45ec198edd71a6055a67bc8be16e8a8dfd9f26d0f bucket-presign-test [07\/Mar\/2023:17:49:10 +0000] 60.95.35.155 - 02X7MFB8JN5CAVHN REST.GET.OBJECT favicon.ico \"GET \/favicon.ico HTTP\/1.1\" 403 AccessDenied   243 - 8 - \"https:\/\/bucket-presign-test.s3.eu-west-1.amazonaws.com\/payload.txt?response-content-disposition=inline&amp;X-Amz-Security-Token=[TOKEN REDACTED]&amp;X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Date=20230307T174602Z&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Expires=21599&amp;X-Amz-Credential=ASIAXXXXXXXXXXXXXXXX%2F20230307%2Feu-west-1%2Fs3%2Faws4_request&amp;X-Amz-Signature=6073c2a55069f0d82810e4f57a56ed666bbfe0c78836c72358a2906215f799aa\" \"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36\" - dQRw6wN7WgdfU7O8Sv5DiOB4HbMViH3ICL\/GwoT84nh1sf0186bKghbFSEpmaJV\/ZLEyUXmLu7M= - ECDHE-RSA-AES128-GCM-SHA256 - 
bucket-presign-test.s3.eu-west-1.amazonaws.com TLSv1.2 - -\r\n133ad5f654eff80f3d0499b45ec198edd71a6055a67bc8be16e8a8dfd9f26d0f bucket-presign-test [07\/Mar\/2023:17:49:10 +0000] 60.95.35.155 133ad5f654eff80f3d0499b45ec198edd71a6055a67bc8be16e8a8dfd9f26d0f 02XBV9B4643K7RPQ REST.GET.OBJECT payload.txt \"GET \/payload.txt?response-content-disposition=inline&amp;X-Amz-Security-Token=[TOKEN REDACTED]&amp;X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Date=20230307T174602Z&amp;X-Amz-SignedHeaders=host&amp;X-Amz-Expires=21599&amp;X-Amz-Credential=ASIAXXXXXXXXXXXXXXXX%2F20230307%2Feu-west-1%2Fs3%2Faws4_request&amp;X-Amz-Signature=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP\/1.1\" 200 - 11 11 16 15 \"-\" \"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/110.0.0.0 Safari\/537.36\" - \/7m1K+gVNSZFEWcw0FjvMD38KykKc+RVzIwK8CxayuM0LUTOmkM7yy4htJm9\/RUv\/br3iVLBc5g= SigV4 ECDHE-RSA-AES128-GCM-SHA256 QueryString bucket-presign-test.s3.eu-west-1.amazonaws.com TLSv1.2 - -<\/code><\/pre>\n<p>Example of Revoke Inline Policy<br \/>\n<code><\/code><\/p>\n<pre><code class=\"language-bash\">{\r\n    \"Version\": \"2012-10-17\",\r\n    \"Statement\": [\r\n        {\r\n            \"Effect\": \"Deny\",\r\n            \"Action\": [\r\n                \"*\"\r\n            ],\r\n            \"Resource\": [\r\n                \"*\"\r\n            ],\r\n            \"Condition\": {\r\n                \"DateLessThan\": {\r\n                    \"aws:TokenIssueTime\": \"[policy creation time]\"\r\n                }\r\n            }\r\n        }\r\n    ]\r\n}<\/code><\/pre>\n<p>&nbsp;<\/p>\n<\/div>\n<section\n    class=\"wp-block-sharing-icons edwp-block wp-block-sharing-icons--disable-border wp-block-sharing-icons--disable-container wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right wp-block-two-column-block__share wp-block-two-column-block__mobile-after-right\"\n    >\n    <div class=\"wp-block-sharing-icons__container\">\n        <div 
class=\"wp-block-sharing-icons__inner\">\n        <\/div>\n    <\/div>\n<\/section>\n                <\/div>\n                        <\/div>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>The AWS S3 pre-sign URL functionality is pretty well documented. 
However, when combined with IAM role assumption, specifically with Service Roles, there are risks that present themselves that an average AWS admin might not be aware of.<\/p>\n","protected":false},"author":3,"featured_media":8856,"template":"","categories":[270],"labs_content_type":[296],"class_list":["post-7982","lab_item","type-lab_item","status-publish","has-post-thumbnail","hentry","category-identity-security"],"acf":[],"card":"<div class=\"wp-component-card-insight js-card-link wp-component-card-insight--highlighted\">\n    <div class=\"wp-component-card-insight__image-wrapper\">\n        <img width=\"1200\" height=\"800\" src=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_insights.jpg\" class=\"wp-component-card-insight__image\" alt=\"\" decoding=\"async\" loading=\"lazy\" srcset=\"https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_insights.jpg 1200w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_insights-300x200.jpg 300w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_insights-1024x683.jpg 1024w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_insights-768x512.jpg 768w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_insights-447x298.jpg 447w, https:\/\/www.withsecure.com\/wp-content\/uploads\/2026\/05\/ws_labs_insights-219x146.jpg 219w\" sizes=\"auto, (max-width: 1200px) 100vw, 1200px\" \/>                    <p class=\"wp-component-card-insight__content-type\">W\/Labs<\/p>\n            <\/div>\n    <div class=\"wp-component-card-insight__content\">\n                    <div class=\"wp-component-card-insight__meta\">\n                <div class=\"wp-component-card-insight__categories\">\n                                            <span class=\"wp-component-card-insight__category\">Identity security<\/span>\n                                    <\/div>\n            <\/div>\n                            <h3 
class=\"wp-component-card-insight__title\">Pre-signed at your service<\/h3>\n                                            <p class=\"wp-component-card-insight__desc\">The AWS S3 pre-sign URL functionality is pretty well documented. However, when combined with IAM role assumption, specifically with Service Roles, there are risks that present themselves that an average AWS admin might not be aware of.<\/p>\n                            <div class=\"wp-component-card-insight__button-wrapper\">\n                <a class=\"wp-component-button btn btn--primary btn--dark wp-component-card-insight__button btn--small\" href=\"https:\/\/www.withsecure.com\/en\/resources-hub\/w-labs\/pre-signed-at-your-service\/\">Read more<\/a>            <\/div>\n            <\/div>\n<\/div>","_links":{"self":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item\/7982","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/lab_item"}],"about":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/types\/lab_item"}],"author":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/users\/3"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media\/8856"}],"wp:attachment":[{"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/media?parent=7982"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/categories?post=7982"},{"taxonomy":"labs_content_type","embeddable":true,"href":"https:\/\/www.withsecure.com\/en\/wp-json\/wp\/v2\/labs_content_type?post=7982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}