Implemented authenticated demo
Secure Asset Dead Drop
A gated file exchange demo for sharing small artifacts without making S3 objects public or exposing long-lived download links.
- Authenticated reviewer (Identity)
- Cognito hosted login (Identity)
- API Gateway authorizer (API Gateway)
- Lambda broker (Lambda)
- DynamoDB provisioned table (DynamoDB)
- S3 private bucket + lifecycle cleanup (S3)
Problem
Email attachments and public object links are a poor fit for sensitive files. The demo goal is to let an authorized reviewer upload a small file, prove the bucket remains private, and leave a clear audit trail without exposing long-lived object access.
Design
- Cognito Hosted UI handles reviewer sign-in and email verification.
- A pre-sign-up trigger allows only the owner account and approved reviewer email domains.
- API Gateway validates the JWT before any backend code runs.
- Lambda re-checks the email claim, enforces per-user quotas, and creates presigned S3 POST or GET links.
- S3 blocks public access, uses SSE-S3 encryption, and expires temporary demo objects after two days.
- DynamoDB records upload requests and quota counters with TTL cleanup.
Cost and abuse controls
Reviewer accounts are limited to three Dead Drop actions per day, files are capped at 2 MB, API Gateway throttles the shared backend, and S3 lifecycle rules clean up temporary objects automatically. The owner account is exempt so I can test and demo without burning reviewer quota.
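The broker checks from the Design list and the limits above, sketched as an added example (not the demo's own code); it builds the S3 POST policy offline and never calls AWS. The owner address, reviewer domain, bucket name, the `email_verified` check, the five-minute expiry, the 1-byte minimum and reading 2 MB as 2 MiB are all assumptions.

```python
import base64
import json
from datetime import timedelta

# Assumed values; the page names no accounts, domains or bucket.
OWNER_EMAIL = "owner@example.com"
APPROVED_DOMAINS = {"reviewer.example"}
BUCKET = "dead-drop-demo-bucket"
DAILY_LIMIT = 3                # reviewer actions per day (from the page)
MAX_BYTES = 2 * 1024 * 1024    # 2 MB cap, read here as 2 MiB (assumption)


def is_allowed(email):
    """Allowlist applied at sign-up and re-checked in the broker."""
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or "@" in local:
        return False
    return email == OWNER_EMAIL or domain in APPROVED_DOMAINS


def authorize(claims, used_today):
    """Return (allowed, reason) for one Dead Drop action."""
    email = claims.get("email", "").strip().lower()
    # Assumption: authorizer claims may arrive as booleans or as strings.
    if claims.get("email_verified") not in (True, "true"):
        return False, "email_not_verified"
    if not is_allowed(email):
        return False, "email_not_allowed"
    if email == OWNER_EMAIL:
        return True, "owner_exempt"
    if used_today >= DAILY_LIMIT:
        return False, "quota_exceeded"
    return True, "ok"


def upload_policy(key, now, ttl_seconds=300):
    """Build the POST policy document that a presigned S3 POST signs."""
    expires = now + timedelta(seconds=ttl_seconds)
    doc = {
        "expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "conditions": [
            {"bucket": BUCKET},
            {"key": key},
            {"x-amz-server-side-encryption": "AES256"},
            ["content-length-range", 1, MAX_BYTES],
        ],
    }
    return doc, base64.b64encode(json.dumps(doc).encode()).decode()
```

In a deployed broker the same conditions can be passed as `Conditions` to boto3's `generate_presigned_post`, so S3 itself rejects an upload that exceeds the size cap or omits the encryption field.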