S3 Overview

Components

S3 sits behind CloudFront.

The S3 bucket is private, and the only "thing" that can access it is CloudFront.

Think of CloudFront as a security guard and S3 as a special clubhouse.

CloudFront (the security guard) checks whether each guest (a request for a file) entering has a membership card (permissions).

  • Only our CloudFront distribution, and nothing else in the world, has access to our S3 bucket.

Data Processes

There are 3 main processes with S3:

  • Uploading a file to S3
  • Downloading a private file from S3 (i.e. bucket-name/domains)
  • Accessing a public file from S3 (i.e. bucket-name/public folder)

Here's an overview of accessing a public or private file.

Upload File

Examples

  • Careers User uploading their:
    • CV file to our system
    • Careers::UserCertificate file
  • Org User uploading their business registration
  • Marketing uploading a picture for a landing page to bucket-name/public through a CMS that we will eventually build

Download Private File

Examples

  • Careers User downloading their CV file from our system
  • Org User viewing a Careers::UserCertificate file

Access Public File

Examples

  • Homepage accessing the jod logo
  • Employers landing page accessing pictures uploaded by marketing

Presigned URLs

There are two types of presigned URLs that Rails will work with:

  • S3 Presigned URL
  • CloudFront Signed URL

S3 Presigned URL

This is a URL signed by your backend using AWS credentials.

  • Grants temporary, direct access to a specific object in the S3 bucket itself.
  • When a user clicks this link, they completely bypass CloudFront.
  • Great for uploads, as you're doing, because the client sends the file directly to S3's powerful upload infrastructure.

CloudFront Signed URL

This is also a URL signed by your backend, but it grants temporary access to a file through the CloudFront distribution.

  • User's request hits a CloudFront edge location first.
  • CloudFront validates the signature.
  • If it is valid, CloudFront fetches the object from your private S3 bucket on the user's behalf.
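
The signing and validation steps above, sketched in Ruby as an added example (not code from this project). It uses CloudFront's canned-policy format with an RSA-SHA1 signature; the key, `KEY_PAIR_ID`, the `BASE` domain and the `edge_accepts?` helper are constructed for illustration, and the edge check only mirrors what CloudFront does internally.

```ruby
require "openssl"
require "base64"
require "uri"

# Constructed for this example: throwaway key, placeholder key-pair ID and domain.
KEY = OpenSSL::PKey::RSA.new(2048)
KEY_PAIR_ID = "KEXAMPLEKEYID"
BASE = "https://dexample.cloudfront.net"

# Canned policy: the exact JSON (no whitespace) rebuilt from the URL and Expires.
def canned_policy(resource, expires)
  %({"Statement":[{"Resource":"#{resource}","Condition":{"DateLessThan":{"AWS:EpochTime":#{expires}}}}]})
end

# CloudFront's URL-safe base64 alphabet: + => -, = => _, / => ~
def cf_b64(bytes)
  Base64.strict_encode64(bytes).tr("+=/", "-_~")
end

def cf_unb64(text)
  Base64.strict_decode64(text.tr("-_~", "+=/"))
end

# Backend side: sign a short-lived URL for one private object.
def signed_url(path, ttl: 300, now: Time.now.to_i)
  resource = "#{BASE}#{path}"
  expires = now + ttl
  sig = KEY.sign(OpenSSL::Digest.new("SHA1"), canned_policy(resource, expires))
  "#{resource}?Expires=#{expires}&Signature=#{cf_b64(sig)}&Key-Pair-Id=#{KEY_PAIR_ID}"
end

# Edge side (illustrative): rebuild the policy from the request, verify, check expiry.
def edge_accepts?(url, public_key, now: Time.now.to_i)
  uri = URI.parse(url)
  q = URI.decode_www_form(uri.query.to_s).to_h
  return false unless q["Key-Pair-Id"] == KEY_PAIR_ID && q["Expires"].to_s.match?(/\A\d+\z/)
  resource = "#{uri.scheme}://#{uri.host}#{uri.path}"
  policy = canned_policy(resource, q["Expires"].to_i)
  public_key.verify(OpenSSL::Digest.new("SHA1"), cf_unb64(q["Signature"].to_s), policy) &&
    now < q["Expires"].to_i
rescue ArgumentError, URI::InvalidURIError, OpenSSL::PKey::PKeyError
  false
end
```

Because the resource URL and the expiry are both inside the signed policy, changing either one in the query string invalidates the signature.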

For downloading private files, you should always use CloudFront Signed URLs. Why?

Performance

  • You get all the benefits of the CDN (Content Delivery Network).
  • The file is cached at an edge location closer to your user in Indonesia or the Philippines, resulting in much faster downloads.

Security & Control

  • You have a single point of entry for all traffic—CloudFront.
  • You can apply a Web Application Firewall (WAF), enforce TLS versions, and view centralized logs.
  • Bypassing CloudFront for downloads negates these benefits.

Consistency

  • Your bucket policy is designed to only allow access from CloudFront.
  • An S3 presigned URL to access/download a file would fail because the user's browser is not CloudFront.