Send S3 Download Links Safely (Expiring URLs, CloudFront, and No Range Abuse)

Two good patterns (pick one)

1. Simple & fast: S3 presigned URL with a short expiry (minutes to a few hours). Best for one recipient and small files.
2. Hardened: CloudFront signed URLs/cookies in front of S3 + optional AWS WAF rules (block Range header, IP/geo allowlists, rate limits). Best for repeated sharing at scale.

Safer link generation

• Short expiry and unique link per recipient (X-Amz-Expires for S3 presigned URLs).
• Force download name with response header (response-content-disposition=attachment; filename="file.pdf").
• Server-side encryption (SSE-KMS) for the object; restrict who can generate links.

Stop partial-download abuse

• Behind CloudFront, use AWS WAF to block requests containing a Range header and to throttle repetitive hits.
• Add optional IP/geo allowlists and short cache TTLs for sensitive assets.

Delivery hygiene

• Split channel: share the link via one message and the access code (if you use one) by SMS/phone. Basics: The Safe Way to Share Passwords.
• Disable link previews to avoid auto-fetch by chat apps: Prevent Accidental Link Previews.
• For very sensitive content, consider encrypting an archive (7z/ZIP-AES) before upload: Send Encrypted Archives Safely.

Logs, rotation, and revocation

• Log access (CloudFront logs/S3 server access logs) and alert on spikes.
• Revoke early by reducing expiry or invalidating CloudFront cache for that URL.
• Rotate keys/roles that can create presigned URLs. Guide: Rotate Shared Credentials on a Schedule.

Related reading

Secure SFTP-to-S3 Bridge for Client File Drops · Secure SFTP/FTP Handoffs for Clients · Share Sensitive Photos & Documents Safely

Bottom line

Short-lived links + optional CloudFront/WAF guardrails + clean delivery habits = private, reliable downloads without “mystery bandwidth.”