How to Generate Signed URLs from AWS CloudFront

As businesses increasingly rely on the cloud to deliver content securely and efficiently, controlling access to your content becomes crucial. AWS CloudFront’s signed URLs feature is a powerful tool for granting controlled access to private content. This blog post will walk you through generating signed URLs using AWS CloudFront.

What is a Signed URL?

A signed URL provides temporary access to private content stored on AWS CloudFront. It contains an expiration date and time and other encrypted parameters that ensure only authorized users can access the content.

Steps to Generate Signed URLs from AWS CloudFront

Step 1: Set Up a CloudFront Distribution

Before generating signed URLs, you need to set up a CloudFront distribution. If you haven’t done so already, follow these steps:

1. Open the CloudFront Console: Navigate to the AWS CloudFront Console.
2. Create a New Distribution: Click on “Create Distribution” and choose the “Web” delivery method.
3. Configure the Distribution:
   • Origin Settings: Enter the S3 bucket or the HTTP server from which CloudFront will retrieve the content.
   • Default Cache Behavior Settings: Configure the cache behavior according to your needs.
   • Distribution Settings: Set additional options such as logging, price class, and security.
4. Create the Distribution: Once configured, create the distribution and wait for it to deploy.

Step 2: Create a CloudFront Key Pair

To generate signed URLs, you need a CloudFront key pair:

1. Open the IAM Console: Go to the AWS IAM Console.
2. Navigate to CloudFront Key Pairs: In the left-hand navigation pane, choose “CloudFront key pairs.”
3. Create a New Key Pair: Click on “Create key pair” and download the private key file. Keep this file safe, as it will be used to sign the URLs.

Step 3: Generate Signed URLs

Python Example

Here’s a Python example using the boto3 library:

import boto3

import datetime

from botocore.signers import CloudFrontSigner

# Replace with your CloudFront key pair ID and private key

key_pair_id = ‘APKAIBDGJXHZBIB3P3WQ’

private_key_path = ‘path/to/private_key.pem’

def rsa_signer(message):

    with open(private_key_path, ‘rb’) as key_file:

        private_key = key_file.read()

    return rsa.sign(message, rsa.PrivateKey.load_pkcs1(private_key), ‘SHA-1’)

cloudfront_signer = CloudFrontSigner(key_pair_id, rsa_signer)

# URL to be signed

url = ‘https://d1234567890abcdef.cloudfront.net/path/to/your/file’

# Set expiration date

expire_date = datetime.datetime.utcnow() + datetime.timedelta(hours=1)

# Generate signed URL

signed_url = cloudfront_signer.generate_presigned_url(url, date_less_than=expire_date)

print(signed_url)

Node.js Example

Here’s a Node.js example using the aws-sdk and jsonwebtoken libraries:

const AWS = require(‘aws-sdk’);

const fs = require(‘fs’);

const crypto = require(‘crypto’);

const { CloudFront } = require(‘@aws-sdk/client-cloudfront’);

const keyPairId = ‘APKAIBDGJXHZBIB3P3WQ’;

const privateKeyPath = ‘path/to/private_key.pem’;

const privateKey = fs.readFileSync(privateKeyPath, ‘utf8’);

function getSignedUrl(url, expires) {

  const policy = JSON.stringify({

    Statement: [{

      Resource: url,

      Condition: {

        DateLessThan: { ‘AWS:EpochTime’: expires }

      }

    }]

  });

  const sign = crypto.createSign(‘RSA-SHA1’);

  sign.update(policy);

  const signature = sign.sign(privateKey, ‘base64’);

  const signedUrl = `${url}

  return signedUrl;

}

const url = ‘https://d1234567890abcdef.cloudfront.net/path/to/your/file’;

const expires = Math.floor((Date.now() + 3600 * 1000) / 1000); // 1 hour from now

const signedUrl = getSignedUrl(url, expires);

console.log(signedUrl);

Step 4: Distribute the Signed URL

Once you have generated the signed URL, you can distribute it to your users. They can access the content until the URL expires.

Best Practices for Using Signed URLs

• Short Expiration Times: Use short expiration times for increased security.
• Rotate Key Pairs: Regularly rotate your CloudFront key pairs to ensure ongoing security.
• Limit Permissions: Grant minimal permissions to the private key to prevent unauthorized access.

Conclusion

Generating signed URLs from AWS CloudFront is an effective way to control access to your private content. Following the steps outlined above, you can ensure that only authorized users can access your valuable data.