I have received an Application Security Assessment Report from a client, and they said our S3 document access process is not secure.
We are using AWS presigned URLs, which only add an expiration time to a URL (and also expose the AWS Access Key).
Suppose I log in to the application and create a URL valid for 5 minutes. I then log out of the application, but the URL is still present in the browser history, and anyone who finds the URL can download the document before the expiry time.
Here the user has logged out, but the document URL is still valid if it has not expired. I hope we have also received this kind of observation from other clients.
So in the DMS S3 access policy, we need the same concept as Service Scope (User Session, Device Session, without session), so that we can restrict who can access the document.
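As an added illustration (not the original poster's code, and not the DMS's actual implementation): one way to get the session-bound behaviour asked for above is to stop handing the browser a presigned URL and instead issue a link that the application itself validates on every request. The URL then carries only a signed reference; the server checks that the session is still alive, that the device matches and that the user is allowed to read the object, and only then fetches it with credentials that never leave the backend. The Python below is self-contained, with an in-memory dict standing in for the S3 bucket; the class and method names, the object key, the user and device identifiers and the 300-second TTL are all assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlparse


class DocumentGateway:
    """Download links that stay valid only while the issuing session is alive.

    A presigned S3 URL carries its whole authorisation in the query string, so S3
    honours it until the embedded expiry no matter what the application does.
    Here the link is re-checked against server-side state on every download, so
    logging out (or losing the device) revokes it before its expiry.
    """

    def __init__(self, signing_key, fetch_object, ttl_seconds=300):
        self._key = signing_key        # server-side HMAC key, never placed in a URL
        self._fetch = fetch_object     # callable(object_key) -> bytes; in production a
                                       # wrapper around the S3 client, here a dict lookup
        self._ttl = ttl_seconds
        self._sessions = {}            # session_id -> {"user": ..., "device": ...}
        self._acl = {}                 # user_id -> set of object keys the user may read

    # Session and authorisation state live on the server, not in the link.
    def grant(self, user_id, object_key):
        self._acl.setdefault(user_id, set()).add(object_key)

    def login(self, user_id, device_id):
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": user_id, "device": device_id}
        return session_id

    def logout(self, session_id):
        # Removing the session is what revokes every link issued under it.
        self._sessions.pop(session_id, None)

    def _sign(self, payload_b64):
        return hmac.new(self._key, payload_b64.encode(), hashlib.sha256).hexdigest()

    def issue_link(self, session_id, object_key, now=None):
        if session_id not in self._sessions:
            raise PermissionError("no such session")
        now = time.time() if now is None else now
        payload = {"sid": session_id, "key": object_key, "exp": int(now) + self._ttl}
        payload_b64 = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode().rstrip("=")
        return f"/download?token={payload_b64}.{self._sign(payload_b64)}"

    def download(self, url, device_id, now=None):
        token = parse_qs(urlparse(url).query).get("token", [""])[0]
        payload_b64, _, sig = token.partition(".")
        # Constant-time signature check before trusting anything in the payload.
        if not sig or not hmac.compare_digest(sig, self._sign(payload_b64)):
            raise PermissionError("bad signature")
        padded = payload_b64 + "=" * (-len(payload_b64) % 4)
        payload = json.loads(base64.urlsafe_b64decode(padded))
        now = time.time() if now is None else now
        if now >= payload["exp"]:
            raise PermissionError("link expired")
        session = self._sessions.get(payload["sid"])
        if session is None:
            raise PermissionError("session ended")       # the logout case from the report
        if session["device"] != device_id:
            raise PermissionError("device mismatch")     # link replayed from another device
        if payload["key"] not in self._acl.get(session["user"], set()):
            raise PermissionError("not authorised for this document")
        return self._fetch(payload["key"])


def attempt(gw, url, device_id, now):
    """Return the document bytes, or the refusal reason, for one download attempt."""
    try:
        return gw.download(url, device_id, now=now)
    except PermissionError as exc:
        return str(exc)


def demo():
    """The scenario from the report: issue a link, log out, replay the link from history."""
    # Constructed stand-in for the S3 bucket; object key and bytes are made up.
    bucket = {"contracts/nda-2024.pdf": b"%PDF-1.7 constructed sample document"}
    gw = DocumentGateway(secrets.token_bytes(32), bucket.__getitem__, ttl_seconds=300)
    gw.grant("alice", "contracts/nda-2024.pdf")
    sid = gw.login("alice", device_id="laptop-1")
    t0 = 1_700_000_000
    url = gw.issue_link(sid, "contracts/nda-2024.pdf", now=t0)
    live = attempt(gw, url, "laptop-1", t0 + 10) == bucket["contracts/nda-2024.pdf"]
    gw.logout(sid)
    # Still well inside the 5-minute window, but the session is gone.
    after_logout = attempt(gw, url, "laptop-1", t0 + 20)
    return {"live": live, "after_logout": after_logout}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the `fetch_object` callable would wrap the S3 client (for example `get_object` with the backend's own IAM role) and stream the body to the response, so no AWS access key ever appears in a URL. If downloads must stay direct-to-S3 for size reasons, the same checks can gate a per-request presigned URL with a very short TTL, but S3 itself will never learn about the logout, which is exactly the gap the assessment describes.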