Did you know you can grant secure access to your users using signed cookies instead of just signed URLs?
If you are not familiar, signed URLs are a way to grant limited access to a file served up from S3 or CloudFront for a specific amount of time.
You can do the same thing with a signed cookie as well, but it can be a bit trickier.
If you are using a multi-tenant architecture where each tenant gets their own bucket, or at minimum each tenant has their own root path in the bucket, then creating cookies that give access to all the binary assets in that tenant should be easy.
The exact implementation will vary based on your use case, but for now I just want you to know that signed cookies exist.
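To make the per-tenant case concrete, here is an added example (not code from this post) that builds a CloudFront custom policy covering one tenant's root path and encodes the three signed cookies. The distribution domain, the tenant id allow-list, the key pair id and the `sign` callable are assumptions for illustration; `rsa_sha1_signer` relies on the third-party `cryptography` package.

```python
import base64
import json
import re
import time

# '*' and '?' are wildcards in a CloudFront policy Resource, and '/' or '.'
# in a tenant id could widen the grant beyond one tenant's prefix.
# This lowercase allow-list is an assumption; adapt it to your id scheme.
TENANT_ID = re.compile(r"[a-z0-9][a-z0-9-]{0,62}")


def cf_b64(data: bytes) -> str:
    """Base64 with CloudFront's substitutions: '+'->'-', '='->'_', '/'->'~'."""
    return base64.b64encode(data).decode().translate(str.maketrans("+=/", "-_~"))


def tenant_policy(base_url: str, tenant_id: str, expires_epoch: int) -> bytes:
    """Custom policy covering every object under one tenant's root path."""
    if not TENANT_ID.fullmatch(tenant_id):
        raise ValueError("tenant id not allowed in a policy resource")
    policy = {"Statement": [{
        "Resource": f"{base_url.rstrip('/')}/{tenant_id}/*",
        "Condition": {"DateLessThan": {"AWS:EpochTime": int(expires_epoch)}},
    }]}
    return json.dumps(policy, separators=(",", ":")).encode()  # no whitespace


def signed_cookies(policy: bytes, key_pair_id: str, sign) -> dict:
    """`sign` maps the policy bytes to an RSA-SHA1 signature (bytes)."""
    return {
        "CloudFront-Policy": cf_b64(policy),
        "CloudFront-Signature": cf_b64(sign(policy)),
        "CloudFront-Key-Pair-Id": key_pair_id,
    }


def rsa_sha1_signer(private_key_pem: bytes):
    """Signer backed by the `cryptography` package (imported only when used)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda msg: key.sign(msg, padding.PKCS1v15(), hashes.SHA1())


if __name__ == "__main__":
    # Constructed values: the domain and tenant id are placeholders.
    url = "https://d111111abcdef8.cloudfront.net"
    print(tenant_policy(url, "acme", int(time.time()) + 3600).decode())
```

When setting these cookies, mark them `Secure` and `HttpOnly` and keep the expiry short, since anyone holding them can read everything under that tenant's path until the policy expires.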
Question for you: How are you securing your data?