Securing S3 Content With CloudFront — Signed URL

  • Every time a user requests a private file, the application generates a signed URL for it. The authorization decision belongs to the application: it checks that the user may access the file and, only then, signs the URL with the private key of the key pair that CloudFront trusts.
  • The user then downloads or streams the content through the signed URL. When the browser requests it, CloudFront uses the public key (the one uploaded to the trusted key group) to verify the signature, which confirms that the URL was issued by the holder of the private key and has not been altered since. If the signature does not verify, the request is denied.
  • If the signature is valid, CloudFront evaluates the policy statement the URL carries, including its expiration date and time. If the request satisfies the policy conditions, CloudFront proceeds as usual: it checks whether the requested file is already in the edge cache, forwards the request to the origin if necessary, and returns the file to the user.
  • The expiration time is part of the signed policy, so it cannot be extended by editing the URL: if Expires (or any other signed parameter) is changed after signing, the signature no longer matches the policy and CloudFront rejects the request.
  • Add the public key to CloudFront: in the CloudFront console, go to Key management, choose Public keys, then Add public key.
    Key name: a name that identifies the public key.
    Key value: paste the contents of the public key PEM from the RSA key pair you generated earlier. Only the public half is uploaded; the private key stays on the application server.
    Choose Add, then record the public key ID in the application's .env file. The application sends this ID as the Key-Pair-Id parameter of every signed URL, which is how CloudFront knows which key to verify with.
  • Create a key group: under Key management, choose Key groups, then Create key group, and add the public key you just uploaded. Every key in a trusted key group can sign URLs for the behavior, so keep the group limited to keys the application actually uses.
  • Restrict the behavior: choose the CloudFront distribution in front of the S3 bucket you want to protect with signed URLs, open the Behaviors tab and choose Create behavior.
    Path pattern: the path prefix that must be signed (for example private/*), or * to require signed URLs for every path.
    Origin: the S3 origin. Restrict viewer access only gates requests that come through CloudFront, so the bucket itself must block public access and allow reads only from this distribution (origin access control); otherwise the signed URL can be bypassed by fetching the object from S3 directly.
    Restrict viewer access: Yes.
    Trusted authorization type: Trusted key groups; select the key group you just created.
    Response headers policy: Simple CORS (optional; needed only when browsers on other origins fetch the content).
    Choose Create behavior to save it.

About KBX Digital
