How to download a secure file from S3 using a URL without an expiration window?

I have a Django application that needs to access files in my AWS S3. We are currently doing this successfully using django-storages, where the file can be downloaded using the method url (code here).

The gist of this method is the method generate_url() that boto provides:

    # body of the django-storages url() method, as quoted from the library
    return self.connection.generate_url(self.querystring_expire,
        method='GET', bucket=self.bucket.name, key=self._encode_name(name),
        headers=headers,
        query_auth=self.querystring_auth, force_http=not self.secure_urls,
        response_headers=response_headers)

However, this method returns a URL with a signature and an expiration date that opens the file to the world for 60 minutes (or a specific amount of time; I think 60 minutes is the default).

For example, running generate_url() on a file located at s3://my-bucket/myfile.txt will return the URL:

    https://s3.amazonaws.com/my-bucket/myfile.txt?
      X-Amz-Date=20150710T161246Z
      &X-Amz-Expires=300
      &X-Amz-Algorithm=AWS4-HMAC-SHA256
      &X-Amz-Signature=<SIGNATURE>
      &X-Amz-Credential=<CREDENTIAL>
      &X-Amz-SignedHeaders=Host
      &x-amz-security-token=<SECURITY_TOKEN>

Which, when clicked, downloads the file as expected. The problem is that after the file has been "opened" by accessing that URL, the "unsigned" URL (https://s3.amazonaws.com/my-bucket/myfile.txt) is also open for 60 minutes, without the need for a signature or the other query string parameters.

Is there a way to require a signature every time a file is accessed? It looks like there should be. Even if I change the expiration to 1 second, the unsigned URL is open to the world after 1 second.

I work with confidential information and have to satisfy certain security standards, etc., so having my file open to the world for even a second is a no-no.

Does anyone know how to generate an AWS S3 URL for a file that requires a signature on every download?

I've also looked into using proxies, but they seem to do the same thing, only explicitly hiding the URL from the end user. An example is here and here. But the file will still be available (unsigned) to the world if someone or a bot were able to guess the S3 URL (unlikely, I know, but still not allowed).

Ideally, I would like to find a Python/Django package that handles file access in a 100% safe way that can still be served via a URL.

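An added example, not code from the question, from django-storages or from boto, showing what a presigned S3 URL of the kind generate_url() produces actually carries, and why the bare URL carries nothing a signature check could accept. It is a stdlib-only SigV4 query presigner (path-style host, GET only, no session token) paired with the decision the receiving side makes on every request: signature present, signature matching this exact host, path and query, and the clock inside the X-Amz-Expires window. The access key, secret, bucket and clock values are constructed placeholders; the X-Amz-Date is the one from the question.

```python
# Added example, not django-storages or boto code: a stdlib-only SigV4 query
# presigner plus the per-request check the receiving side performs.
# Access key, secret, bucket and clock values are constructed placeholders.
import datetime
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

ALGO = "AWS4-HMAC-SHA256"
ACCESS_KEY = "AKIAEXAMPLE0000000"                   # constructed, not a real key id
SECRET = "constructed-secret-not-a-real-aws-secret"
BUCKET = "my-bucket"
NOW = datetime.datetime(2015, 7, 10, 16, 12, 46)      # the X-Amz-Date in the question
NOW_EXPIRED = NOW + datetime.timedelta(seconds=301)   # just past a 300 s window

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signing_key(secret: str, date: str, region: str) -> bytes:
    # SigV4 derivation chain: kDate -> kRegion -> kService -> kSigning
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")

def _canonical_query(params: dict) -> str:
    # Sorted, RFC 3986-encoded name=value pairs; X-Amz-Signature is never part of it
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))

def _signature(secret, host, path, params, amz_date, region) -> str:
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/-_.~"),
        _canonical_query(params),
        f"host:{host}\n",      # canonical headers, then the mandatory blank line
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # presigned GETs carry no body hash
    ])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([ALGO, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, amz_date[:8], region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(access_key, secret, bucket, key, expires, now, region="us-east-1"):
    """Mint a path-style GET URL valid for `expires` seconds from `now` (naive UTC)."""
    host, path = "s3.amazonaws.com", f"/{bucket}/{key}"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(secret, host, path, params, amz_date, region)
    return (f"https://{host}{quote(path, safe='/-_.~')}"
            f"?{_canonical_query(params)}&X-Amz-Signature={sig}")

def verify_get(url, secret, now) -> bool:
    """One request, one decision. A bare URL fails at the first step; an earlier
    signed request leaves no state that a later unsigned request could reuse."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", None)
    if presented is None:
        return False
    try:
        amz_date = params["X-Amz-Date"]
        region = params["X-Amz-Credential"].split("/")[2]
        issued = datetime.datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ")
        window = datetime.timedelta(seconds=int(params["X-Amz-Expires"]))
    except (KeyError, IndexError, ValueError):
        return False
    if not issued <= now <= issued + window:
        return False
    expected = _signature(secret, parts.netloc, unquote(parts.path),
                          params, amz_date, region)
    return hmac.compare_digest(presented, expected)

def demo() -> dict:
    """The scenario from the question, replayed against the constructed values."""
    signed = presign_get(ACCESS_KEY, SECRET, BUCKET, "myfile.txt", 300, NOW)
    bare = f"https://s3.amazonaws.com/{BUCKET}/myfile.txt"
    return {
        "signed_url_in_window": verify_get(signed, SECRET, NOW),
        "signed_url_after_expiry": verify_get(signed, SECRET, NOW_EXPIRED),
        "bare_url": verify_get(bare, SECRET, NOW),
        "signed_url_moved_to_other_key": verify_get(
            signed.replace("myfile.txt", "other.txt"), SECRET, NOW),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Two things a practitioner would check before changing the signing code. S3 does not grant anonymous access as a side effect of a presigned request, so if the bare URL ever answers 200, the first places to look are the object ACL and bucket policy (for example `aws s3api get-object-acl --bucket my-bucket --key myfile.txt`) and any browser or proxy cache sitting in front of the client. The usual Django pattern is then to keep the bucket private, authorize in the view, and mint a fresh URL with a short X-Amz-Expires on every authorized request instead of storing or reusing one.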