Guide: Serving PDFs to users from Amazon S3
Learn how to share PDFs that have been uploaded to S3 with your users.
Once your PDFs are generated and uploaded to S3, there are a number of ways you can provide them to your customers. We're going to walk through two common methods used to deliver files to users from S3. We’ll also take a look at how you can serve files from a custom domain name and how to implement a content distribution network (CDN) to speed up downloads. Finally, this guide looks at some security considerations when providing files to users from S3.
If you’d like your users to be able to download PDFs directly from your S3 bucket, you can make the bucket publicly accessible.
First, check the "Public Access Settings" for your bucket. The following two options must be set to False:
- "Block new public bucket policies"
- "Block public and cross-account access if bucket has public policies"
Bucket with correct public access settings
Next, you’ll need to modify the bucket policy that was created when you created the bucket.
Go to "Bucket Policy" under "Permissions", and add the following bucket policy:
Remember to change
myapp-bucket-nameto the name of the bucket you're using.
Once you’ve updated the policy, all files in the bucket will be accessible to the outside world.
To construct the URL to download a PDF, you’ll need to use the following format:
For example, if your region is
us-west-2and your bucket name is
myapp-bucket-name, then a URL might look like:
Using this method, your users can download a file using the link as many times as they like whilst the file still exists on S3. If this isn’t desirable for your app, you may prefer to generate pre-signed URLs instead. Generating pre-signed URLs is described below.
You may want to prevent downloads from occurring over unencrypted connections, particularly if your PDFs contain any sensitive data. This can be done by adding the following additional statement to your bucket policy:
By generating pre-signed URLs you can control access to your PDFs more closely. The URL will automatically expire after a period of time you specify.
Here’s an example of using the AWS SDK for Ruby to generate pre-signed URLs that expire after one hour (3600 seconds):
s3 = Aws::S3::Resource.new
bucket = s3.bucket("myapp-bucket-name")
object = bucket.object("10c67218-e605-4f3f-be0d-973ebaef4c85.pdf")
url = object.presigned_url(:get, expires_in: 3600)
Using the AWS web console, navigate to the Cloudfront service and create a new web distribution. Set the origin domain name to your S3 bucket (it should appear in the auto-complete list).
To enforce the use of HTTPS you may want to set “Viewer Protocol Policy” to “Redirect HTTP to HTTPS”. All other default settings can be left unchanged.
Once the distribution has been created (this usually takes a few minutes) you’ll be able to download PDFs over Cloudfront by constructing a URL using your Cloudfront distribution domain name:
If you’ve set up Cloudfront, it’s relatively straightforward to use your own custom domain name instead of the default cloudfront.net domain. To do this you should have prior experience managing DNS records and provisioning SSL certificates.
- Use the AWS certificate manager to request an SSL certificate for your custom domain.
- Validate the domain by adding a DNS record as instructed by the AWS certificate manager.
- Add a CNAME DNS record pointing to your Cloudfront distribution domain name.
- Once the SSL certificate has been validated, edit the Cloudfront distribution settings to add the new alternate domain name using the certificate.