francotel

Posted on Mar 8

Building a Secure Serverless Upload Pattern on AWS with Terraform 🚀

#aws #crosscloudx #devops #terraform

𝗗𝗶𝗿𝗲𝗰𝘁 𝘂𝗽𝗹𝗼𝗮𝗱𝘀. 𝗭𝗲𝗿𝗼 𝗯𝗮𝗰𝗸𝗲𝗻𝗱 𝗯𝗼𝘁𝘁𝗹𝗲𝗻𝗲𝗰𝗸𝘀. 𝗘𝗻𝘁𝗲𝗿𝗽𝗿𝗶𝘀𝗲-𝗴𝗿𝗮𝗱𝗲 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆.

🧠 𝗔 𝗥𝗲𝗮𝗹-𝗪𝗼𝗿𝗹𝗱 𝗣𝗿𝗼𝗯𝗹𝗲𝗺 (𝗧𝗵𝗮𝘁 𝗜 𝗞𝗲𝗲𝗽 𝗦𝗲𝗲𝗶𝗻𝗴)

A few weeks ago, I was reviewing a system where users were uploading files (some >300MB).

The original flow looked “reasonable”:

Frontend uploads the file to the backend
Backend processes the request
Backend uploads the file to S3
Backend responds

But in practice, the system was 𝗳𝗮𝗹𝗹𝗶𝗻𝗴 𝗮𝗽𝗮𝗿𝘁:

❌ Timeouts
❌ Lambda memory spikes
❌ High AWS bills
❌ Angry users

And the root cause was always the same:

𝗧𝗵𝗲 𝗯𝗮𝗰𝗸𝗲𝗻𝗱 𝘀𝗵𝗼𝘂𝗹𝗱 𝗡𝗘𝗩𝗘𝗥 𝗵𝗮𝗻𝗱𝗹𝗲 𝗳𝗶𝗹𝗲 𝘂𝗽𝗹𝗼𝗮𝗱𝘀 𝗶𝗻 𝗮 𝘀𝗲𝗿𝘃𝗲𝗿𝗹𝗲𝘀𝘀 𝗮𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗲.

💡 𝗧𝗵𝗲 𝗣𝗮𝘁𝘁𝗲𝗿𝗻 𝗧𝗵𝗮𝘁 𝗙𝗶𝘅𝗲𝘀 𝗘𝘃𝗲𝗿𝘆𝘁𝗵𝗶𝗻𝗴
The solution is a 𝘄𝗲𝗹𝗹-𝗸𝗻𝗼𝘄𝗻 𝗯𝘂𝘁 𝗼𝗳𝘁𝗲𝗻 𝗺𝗶𝘀𝘂𝘀𝗲𝗱 𝗽𝗮𝘁𝘁𝗲𝗿𝗻:

👉 𝗦𝟯 𝗣𝗿𝗲𝘀𝗶𝗴𝗻𝗲𝗱 𝗨𝗥𝗟𝘀

Instead of uploading files 𝘵𝘩𝘳𝘰𝘶𝘨𝘩 your backend, you let the client upload 𝗱𝗶𝗿𝗲𝗰𝘁𝗹𝘆 𝘁𝗼 𝗦𝟯, but in a 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝗹𝗲𝗱, 𝘁𝗲𝗺𝗽𝗼𝗿𝗮𝗿𝘆, 𝗮𝗻𝗱 𝘀𝗲𝗰𝘂𝗿𝗲 𝘄𝗮𝘆.

This is the same pattern used by:
● Fintech platforms
● Healthcare systems
● Large SaaS products

🧩 𝗛𝗼𝘄 𝘁𝗵𝗲 𝗔𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗲 𝗪𝗼𝗿𝗸𝘀
𝗛𝗶𝗴𝗵-𝗹𝗲𝘃𝗲𝗹 𝗳𝗹𝗼𝘄:

1️⃣ Client asks permission to upload a file
2️⃣ API Gateway → Lambda generates a 𝗣𝗿𝗲𝘀𝗶𝗴𝗻𝗲𝗱 𝗨𝗥𝗟
3️⃣ Client uploads 𝗱𝗶𝗿𝗲𝗰𝘁𝗹𝘆 𝘁𝗼 𝗦𝟯 using PUT
4️⃣ Backend never touches the file

🎯 Result:
● Zero bottlenecks
● Minimal Lambda execution time
● Lower cost
● Better UX

🔐 𝗪𝗵𝗮𝘁 𝗜𝘀 𝗮 𝗣𝗿𝗲𝘀𝗶𝗴𝗻𝗲𝗱 𝗨𝗥𝗟 (𝗜𝗻 𝗦𝗶𝗺𝗽𝗹𝗲 𝗧𝗲𝗿𝗺𝘀)?

Think of a presigned URL as:
🎟️ 𝗔 𝘁𝗲𝗺𝗽𝗼𝗿𝗮𝗿𝘆, 𝘀𝗶𝗻𝗴𝗹𝗲-𝗽𝘂𝗿𝗽𝗼𝘀𝗲 𝘁𝗶𝗰𝗸𝗲𝘁
● Valid only for a few minutes
● Allows only one specific action (e.g. PUT)
● Scoped to a single object
● No AWS credentials exposed

Once it expires → 𝗶𝘁’𝘀 𝘂𝘀𝗲𝗹𝗲𝘀𝘀.

⚙️ 𝗟𝗮𝗺𝗯𝗱𝗮: 𝗚𝗲𝗻𝗲𝗿𝗮𝘁𝗶𝗻𝗴 𝘁𝗵𝗲 𝗣𝗿𝗲𝘀𝗶𝗴𝗻𝗲𝗱 𝗨𝗥𝗟 (𝗡𝗼𝗱𝗲.𝗷𝘀)

import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";

const s3 = new S3Client({ region: "us-east-1" });

export const handler = async (event) => {
  const { fileName, contentType } = JSON.parse(event.body);

  const key = uploads/${Date.now()}-${fileName};

  const command = new PutObjectCommand({
    Bucket: process.env.BUCKET_NAME,
    Key: key,
    ContentType: contentType,
  });

  const uploadUrl = await getSignedUrl(s3, command, {
    expiresIn: 300, // 5 minutes
  });

  return {
    statusCode: 200,
    body: JSON.stringify({ uploadUrl, key }),
  };
};

[!WARNING]
⚠️ 𝗜𝗺𝗽𝗼𝗿𝘁𝗮𝗻𝘁:
The Lambda never sees the file, it only authorizes the upload.

🛡️ 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗟𝗮𝘆𝗲𝗿𝘀 (𝗪𝗵𝗮𝘁 𝗠𝗮𝗸𝗲𝘀 𝗧𝗵𝗶𝘀 𝗣𝗿𝗼𝗱𝘂𝗰𝘁𝗶𝗼𝗻-𝗥𝗲𝗮𝗱𝘆)

This PoC follows 𝗿𝗲𝗮𝗹 𝗲𝗻𝘁𝗲𝗿𝗽𝗿𝗶𝘀𝗲 𝗽𝗿𝗮𝗰𝘁𝗶𝗰𝗲𝘀, not just demos.

🔐 𝟭. 𝗦𝗵𝗼𝗿𝘁-𝗹𝗶𝘃𝗲𝗱 𝗨𝗥𝗟𝘀
● 5–10 minutes max
● Enough for upload, useless afterward

🔐 𝟮. 𝗜𝗔𝗠 𝗟𝗲𝗮𝘀𝘁 𝗣𝗿𝗶𝘃𝗶𝗹𝗲𝗴𝗲

Lambda role can 𝗼𝗻𝗹𝘆 do:

{
  "Action": "s3:PutObject",
  "Resource": "arn:aws:s3:::my-bucket/uploads/*"
}

Nothing else.

🔐 𝟯. 𝗣𝗿𝗶𝘃𝗮𝘁𝗲 𝗦𝟯 𝗕𝘂𝗰𝗸𝗲𝘁
● No public access
● No ACL tricks
● Only presigned URLs work

🔐 𝟰. 𝗦𝗮𝗻𝗶𝘁𝗶𝘇𝗲𝗱 𝗢𝗯𝗷𝗲𝗰𝘁 𝗡𝗮𝗺𝗲𝘀
● UUID-based keys
● No user-controlled paths
● No path traversal risks

🔐 𝟱. 𝗖𝗢𝗥𝗦 𝗖𝗼𝗿𝗿𝗲𝗰𝘁𝗹𝘆 𝗖𝗼𝗻𝗳𝗶𝗴𝘂𝗿𝗲𝗱

Because 𝗖𝗢𝗥𝗦 𝗶𝘀 𝗮𝗹𝘄𝗮𝘆𝘀 𝘁𝗵𝗲 𝗳𝗶𝗿𝘀𝘁 𝘁𝗵𝗶𝗻𝗴 𝘁𝗵𝗮𝘁 𝗯𝗿𝗲𝗮𝗸𝘀 😅

🧱 𝗜𝗻𝗳𝗿𝗮𝘀𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 𝗮𝘀 𝗖𝗼𝗱𝗲 𝘄𝗶𝘁𝗵 𝗧𝗲𝗿𝗿𝗮𝗳𝗼𝗿𝗺

Everything is deployed using 𝗧𝗲𝗿𝗿𝗮𝗳𝗼𝗿𝗺, so the architecture is:
● Reproducible
● Auditable
● Ready for CI/CD

Core components:
● S3 bucket
● Lambda
● IAM roles
● API Gateway (HTTP API)

📌 𝘐𝘯 𝘵𝘩𝘦 𝘱𝘰𝘴𝘵 𝘐 𝘧𝘰𝘤𝘶𝘴 𝘰𝘯 𝘵𝘩𝘦 𝗮𝗿𝗰𝗵𝗶𝘁𝗲𝗰𝘁𝘂𝗿𝗲 𝗮𝗻𝗱 𝗽𝗮𝘁𝘁𝗲𝗿𝗻.
𝘛𝘩𝘦 𝗳𝘂𝗹𝗹 𝗧𝗲𝗿𝗿𝗮𝗳𝗼𝗿𝗺 𝗶𝗺𝗽𝗹𝗲𝗺𝗲𝗻𝘁𝗮𝘁𝗶𝗼𝗻 𝘭𝘪𝘷𝘦𝘴 𝘪𝘯 𝘵𝘩𝘦 𝘳𝘦𝘱𝘰𝘴𝘪𝘵𝘰𝘳𝘺.

📂 𝗥𝗲𝗽𝗼𝘀𝗶𝘁𝗼𝗿𝘆 𝗦𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 (𝗦𝗶𝗺𝗽𝗹𝗲 𝗯𝘆 𝗗𝗲𝘀𝗶𝗴𝗻)

aws-s3-presigned-url-lambda-terraform/
├── 01-s3.tf
├── 02-lambda.tf
├── 04-api.tf
├── client/
│   ├── index.html
│   ├── index.html.tpl
│   ├── logo-client.png
│   └── logo-s3.png
├── dev.tfvars
├── drawio/
│   ├── aws-s3-presignend.gif
│   ├── aws-s3-url.drawio
│   ├── image-2.png
│   └── image.png
├── lambda-function.zip
├── main.tf
├── Makefile
├── provider.tf
├── README.md
├── security/
│   ├── checkov.yaml
│   └── trivy.yaml
├── src/
│   ├── index.mjs
│   ├── node_modules/
│   ├── package-lock.json
│   └── package.json
├── terraform.tfstate
├── terraform.tfstate.backup
├── tfplan
├── tfplan.json
├── variables.tf
└── versions.tf

🎯 Minimal, readable, and focused on the pattern.

🧪 𝗥𝗲𝗾𝘂𝗶𝗿𝗲𝗺𝗲𝗻𝘁𝘀 𝘁𝗼 𝗥𝘂𝗻 𝘁𝗵𝗲 𝗣𝗼𝗖

This PoC assumes:

✅ macOS
✅ Terraform already installed
✅ AWS CLI already authenticated

No extra setup. No magic.

🚀 𝗪𝗮𝗻𝘁 𝘁𝗵𝗲 𝗙𝘂𝗹𝗹 𝗪𝗼𝗿𝗸𝗶𝗻𝗴 𝗣𝗼𝗖?

I published the complete implementation here:

👉 𝗵𝘁𝘁𝗽𝘀://𝗴𝗶𝘁𝗵𝘂𝗯.𝗰𝗼𝗺/𝗳𝗿𝗮𝗻𝗰𝗼𝘁𝗲𝗹/𝗮𝘄𝘀-𝘀𝟯-𝗽𝗿𝗲𝘀𝗶𝗴𝗻𝗲𝗱-𝘂𝗿𝗹-𝗹𝗮𝗺𝗯𝗱𝗮-𝘁𝗲𝗿𝗿𝗮𝗳𝗼𝗿𝗺 (𝗵𝘁𝘁𝗽𝘀://𝗴𝗶𝘁𝗵𝘂𝗯.𝗰𝗼𝗺/𝗳𝗿𝗮𝗻𝗰𝗼𝘁𝗲𝗹/𝗮𝘄𝘀-𝘀𝟯-𝗽𝗿𝗲𝘀𝗶𝗴𝗻𝗲𝗱-𝘂𝗿𝗹-𝗹𝗮𝗺𝗯𝗱𝗮-𝘁𝗲𝗿𝗿𝗮𝗳𝗼𝗿𝗺)

You’ll find:
● Full Terraform code
● Lambda (Node.js 20)
● Test scripts
● Architecture diagram

Clone it, deploy it, break it, improve it.

🎯 𝗙𝗶𝗻𝗮𝗹 𝗧𝗵𝗼𝘂𝗴𝗵𝘁

If your backend is still handling file uploads, you’re paying more 𝗮𝗻𝗱 scaling less.

This pattern:
● Reduces cost
● Improves reliability
● Scales naturally
● Matches real-world cloud architectures

Inspiration and References

This project was inspired by the AWS blog post:

Securing Amazon S3 presigned URLs for serverless applications https://aws.amazon.com/blogs/compute/securing-amazon-s3-presigned-urls-for-serverless-applications/

The article explores several best practices for securing presigned
URLs in serverless architectures, including checksum validation,
expiration strategies, and least-privilege IAM policies.