URL signing is a way to provide controlled access to protected content. The backend contains custom code that decides whether a user can download a file and if the decision is positive then it signs a URL using a secret that only it knows, then returns the URL to the user. Then for the download the backend is not involved anymore: S3 checks the signature and then transfers the file to the client.

When working with DynamoDB I found that one of the main challenges is how to maintain consistency when multiple processes are accessing the database. I wrote about different scenarios such as keeping accurate counts, implementing foreign keys, and enforcing state in referenced items. All of these are taking advantage of DynamoDB’s transaction feature with conditional checks.

Generally, it’s a bad idea to use IAM users in cases when roles are also an option. This is because roles provide a secret-less way for systems to gain permissions to AWS resources, while a user’s Secret Access Key is a sensitive information that must be protected.

Sometimes I need to make a small static file available via a web URL. For example, to communicate pieces of information about the environment to clients, such as the Cognito login URL they need to use, I make a /config.mjs or similar with that information. The client then knows where to find this information and can fetch it when it needs to.