As businesses increasingly rely on the cloud to deliver content securely and efficiently, controlling access to your content becomes crucial. AWS CloudFront’s signed URLs feature is a powerful tool for granting controlled access to private content. This blog post will walk you through generating signed URLs using AWS CloudFront.
What is a Signed URL?
A signed URL provides temporary access to private content stored on AWS CloudFront. It contains an expiration date and time and other encrypted parameters that ensure only authorized users can access the content.
Steps to Generate Signed URLs from AWS CloudFront
Step 1: Set Up a CloudFront Distribution
Before generating signed URLs, you need to set up a CloudFront distribution. If you haven’t done so already, follow these steps:
- Open the CloudFront Console: Navigate to the AWS CloudFront Console.
- Create a New Distribution: Click on “Create Distribution” and choose the “Web” delivery method.
- Configure the Distribution:
- Origin Settings: Enter the S3 bucket or the HTTP server from which CloudFront will retrieve the content.
- Default Cache Behavior Settings: Configure the cache behavior according to your needs.
- Distribution Settings: Set additional options such as logging, price class, and security.
- Create the Distribution: Once configured, create the distribution and wait for it to deploy.
Step 2: Create a CloudFront Key Pair
To generate signed URLs, you need a CloudFront key pair:
- Open the IAM Console: Go to the AWS IAM Console.
- Navigate to CloudFront Key Pairs: In the left-hand navigation pane, choose “CloudFront key pairs.”
- Create a New Key Pair: Click on “Create key pair” and download the private key file. Keep this file safe, as it will be used to sign the URLs.
Step 3: Generate Signed URLs
Python Example
Here’s a Python example using the boto3 library:
import boto3
import datetime
from botocore.signers import CloudFrontSigner
# Replace with your CloudFront key pair ID and private key
key_pair_id = ‘APKAIBDGJXHZBIB3P3WQ’
private_key_path = ‘path/to/private_key.pem’
def rsa_signer(message):
with open(private_key_path, ‘rb’) as key_file:
private_key = key_file.read()
return rsa.sign(message, rsa.PrivateKey.load_pkcs1(private_key), ‘SHA-1’)
cloudfront_signer = CloudFrontSigner(key_pair_id, rsa_signer)
# URL to be signed
url = ‘https://d1234567890abcdef.cloudfront.net/path/to/your/file’
# Set expiration date
expire_date = datetime.datetime.utcnow() + datetime.timedelta(hours=1)
# Generate signed URL
signed_url = cloudfront_signer.generate_presigned_url(url, date_less_than=expire_date)
print(signed_url)
Node.js Example
Here’s a Node.js example using the aws-sdk and jsonwebtoken libraries:
const AWS = require(‘aws-sdk’);
const fs = require(‘fs’);
const crypto = require(‘crypto’);
const { CloudFront } = require(‘@aws-sdk/client-cloudfront’);
const keyPairId = ‘APKAIBDGJXHZBIB3P3WQ’;
const privateKeyPath = ‘path/to/private_key.pem’;
const privateKey = fs.readFileSync(privateKeyPath, ‘utf8’);
function getSignedUrl(url, expires) {
const policy = JSON.stringify({
Statement: [{
Resource: url,
Condition: {
DateLessThan: { ‘AWS:EpochTime’: expires }
}
}]
});
const sign = crypto.createSign(‘RSA-SHA1’);
sign.update(policy);
const signature = sign.sign(privateKey, ‘base64’);
const signedUrl = `${url}
return signedUrl;
}
const url = ‘https://d1234567890abcdef.cloudfront.net/path/to/your/file’;
const expires = Math.floor((Date.now() + 3600 * 1000) / 1000); // 1 hour from now
const signedUrl = getSignedUrl(url, expires);
console.log(signedUrl);
Step 4: Distribute the Signed URL
Once you have generated the signed URL, you can distribute it to your users. They can access the content until the URL expires.
Best Practices for Using Signed URLs
- Short Expiration Times: Use short expiration times for increased security.
- Rotate Key Pairs: Regularly rotate your CloudFront key pairs to ensure ongoing security.
- Limit Permissions: Grant minimal permissions to the private key to prevent unauthorized access.
Conclusion
Generating signed URLs from AWS CloudFront is an effective way to control access to your private content. Following the steps outlined above, you can ensure that only authorized users can access your valuable data.