Secure Access to Amazon CloudFront Content Using Pre-Signed URLs

Overview

Amazon CloudFront can restrict access to content by requiring every request to carry a signed URL (CloudFront's own term; "pre-signed URL" is the S3 name for the equivalent mechanism). The URL carries an expiry and a signature produced with a private key that only your application holds; CloudFront checks the signature against the matching public key you upload and rejects any request whose URL is missing, expired, or altered after signing.

This document details the step-by-step process of setting up pre-signed URLs for secure access to CloudFront content.


Prerequisites

  • AWS account with IAM permissions to manage CloudFront public keys, key groups, and distributions
  • OpenSSL installed on your local machine
  • AWS CLI installed and configured (the steps below use the console, but the CLI is useful for scripting them)
  • AWS SDK installed in the application that will issue signed URLs

Step 1: Generate Public and Private Key Pair

CloudFront requires an RSA key pair (2048-bit, PEM-encoded) for signing URLs. The private key signs URLs in your application; only the public key is uploaded to CloudFront.

💡 Commands

Open a terminal and run the following OpenSSL commands to generate a 2048-bit RSA private key and extract its public key. Keep private_key.pem readable only by the signing service; public_key.pem is the only file that leaves the machine:

openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem

Step 2: Upload the Public Key to CloudFront

  1. Sign in to the AWS Management Console.
  2. Navigate to CloudFront.
  3. In the left pane, select Public keys under Key management.
  4. Click Create public key and give it a name (e.g., CloudFrontKey).
  5. Open public_key.pem, copy its full contents including the BEGIN PUBLIC KEY and END PUBLIC KEY lines, and paste them into the Key field.
  6. Click Create public key.
  7. Note the ID that CloudFront assigns to the key (shown in the Public keys list). Your application sends this value as the Key-Pair-Id parameter of every signed URL; it is the public key ID, not the key group ID from the next step.

Step 3: Create a Key Group in CloudFront

  1. In the CloudFront console, select Key groups under Key management.
  2. Click Create key group and give it a name (e.g., TrustedUsersKeyGroup).
  3. Under Public keys, select the previously created public key (e.g., CloudFrontKey). A key group can hold several public keys, which is what makes key rotation possible later.
  4. Click Create key group.

Step 4: Modify CloudFront Distribution to Restrict Viewer Access

  1. Go to the CloudFront Distributions section.
  2. Select the desired CloudFront distribution.
  3. Click the Behaviors tab and edit the behavior whose path pattern matches the protected content.
  4. Under Restrict viewer access (use signed URLs or signed cookies), choose Yes.
  5. Under Trusted authorization type, choose Trusted key groups (recommended), then select the created key group (e.g., TrustedUsersKeyGroup).
  6. Click Save changes.

The restriction applies per behavior: content served by any other behavior, including the default behavior, stays public unless you repeat these steps for it. The restriction is also only as strong as the origin: if the S3 bucket or custom origin can be reached directly, a viewer simply bypasses CloudFront, so lock the origin down (for S3, use origin access control) so that it accepts requests only from the distribution.

Step 5: Generate Signed URLs in the Application with the AWS SDK

The AWS SDK's CloudFront signer (for example CloudFrontSigner in botocore, or getSignedUrl in @aws-sdk/cloudfront-signer for Node.js) generates the signed URLs. It takes the private key from Step 1, the public key ID from Step 2, the resource URL and an expiry time; it builds a policy document, signs it with RSA-SHA1, base64-encodes the signature with CloudFront's URL-safe alphabet (+ becomes -, = becomes _, / becomes ~) and appends the Signature and Key-Pair-Id query parameters. With a canned policy the URL carries an Expires parameter and CloudFront rebuilds the policy itself, so the policy must contain exactly the resource URL and expiry and nothing else. With a custom policy the policy travels in a Policy parameter, which allows a start time (DateGreaterThan), a viewer IP range (IpAddress) and a wildcard resource, at the cost of a longer URL.

Conclusion

You have configured signed URLs for access to static content in AWS CloudFront. Only requests that carry a URL signed with your private key, within its validity window, are served; the protection holds as long as the private key stays secret and the origin is not reachable except through the distribution.

Additional Security Considerations

  • Store the private key securely, for example in AWS Secrets Manager, and grant read access only to the service that signs URLs. Never ship it to browsers or mobile clients.
  • Rotate the private key periodically. A key group can hold several public keys, so add the new public key to the group, switch the application to the new private key, and only then remove the old public key; URLs signed with either key stay valid during the overlap.
  • A signed URL is a bearer credential: anyone who obtains it can use it until it expires. Keep expiry times as short as the use case allows and serve the URLs only over HTTPS.
  • Restrict viewer access on every behavior that serves protected content, and lock the origin down so it accepts requests only from CloudFront; otherwise the signature requirement can be bypassed entirely.