AWS S3 · API Gateway · Lambda

Secure Document Intake Using Presigned S3 URL

This static frontend is wired to a live API that requests a presigned S3 upload URL from Lambda, then uploads the selected file directly from the browser to a private S3 bucket with short-lived access.

Security controls

Access

Temporary upload authorization

The browser requests a short-lived presigned URL from API Gateway and Lambda, then uploads directly to S3 without broad account access.

Protection

Encryption and restricted storage

Objects land in a private S3 bucket with server-side encryption, controlled prefixes, and a clear separation between public UI and private data handling.

Traceability

Audit and post-upload actions

The returned object key can feed later workflows such as validation, metadata recording, tagging, malware scanning, or review routing.

Live demo surface

This form calls your live API endpoint, receives a presigned S3 upload URL, and uploads the selected file directly from the browser. The API endpoint is /Demo/create-presigned-s3-url.

The browser first requests a presigned URL from API Gateway, then uses that short-lived URL to upload the file directly to S3.

Architecture