Jacob Simmons
I'm a cloud security consultant at MWR CyberSec.
I started my journey breaking web applications, and from there focused on Network Security and Active Directory hacking before migrating over to the wide world of cloud security. I also make educational cybersecurity videos on my YouTube channel, PoppinShells, which is a side hobby of mine.
Session
AWS presigned URLs have become a popular way to provide secure and sane access to S3 buckets and other resources. But the security of presigned URLs greatly relies on the implementation and integrations made with individual systems, and simple mistakes can result in unwittingly signing sensitive data away to an attacker. As S3 buckets continue to be an abundant source of low-hanging fruit for threat actors, we discover that presigned URLs might not be the silver bullet that S3 security needs.
In this talk, I will cover the cardinal sins that can be committed when implementing presigned access to S3 buckets, the resulting attacks that can arise from these mistakes, and how developers can best avoid them.