Secure AWS CloudFront Content Delivery with Signed URLs

How do I implement signed URLs or signed cookies for content protection on AWS CloudFront?

In this guide, we will configure an AWS CloudFront distribution to require signed URLs or signed cookies. A signed URL or cookie grants temporary access, so only authorized users who hold a valid one can reach the content.

Key Points

  • We will create a CloudFront distribution.
  • We will generate a CloudFront key pair.
  • We will configure the distribution to use signed URLs or cookies.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Create an S3 bucket to serve as the origin
const bucket = new aws.s3.Bucket("contentBucket");

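// Register the public half of the signing key pair with CloudFront.
// encodedKey takes the PEM-encoded public key; the private key stays out of this program.
const publicKey = new aws.cloudfront.PublicKey("publicKey", {
    encodedKey: "<YOUR_PUBLIC_KEY>",
    name: "publicKey",
});

// Create a CloudFront key group containing that public key
const keyGroup = new aws.cloudfront.KeyGroup("keyGroup", {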
    items: [publicKey.id],
    name: "keyGroup",
});

// Create a CloudFront distribution
const distribution = new aws.cloudfront.Distribution("distribution", {
    origins: [{
        domainName: bucket.bucketRegionalDomainName,
        originId: bucket.id,
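        s3OriginConfig: {
            // Example ID: replace with the path of your own origin access identity,
            // and grant that identity read access in the bucket policy.
            originAccessIdentity: "origin-access-identity/cloudfront/E127EXAMPLE51Z",
        },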
    }],
    enabled: true,
    defaultRootObject: "index.html",
    defaultCacheBehavior: {
        targetOriginId: bucket.id,
        viewerProtocolPolicy: "redirect-to-https",
        allowedMethods: ["GET", "HEAD"],
        cachedMethods: ["GET", "HEAD"],
        forwardedValues: {
            cookies: { forward: "none" },
            queryString: false,
        },
        minTtl: 0,
        defaultTtl: 3600,
        maxTtl: 86400,
        // Viewers must present a signed URL or signed cookies made with a key in this group
        trustedKeyGroups: [keyGroup.id],
    },
    restrictions: {
        geoRestriction: {
            restrictionType: "none",
        },
    },
    viewerCertificate: {
        cloudfrontDefaultCertificate: true,
    },
});

// Export the distribution domain name
export const cdnDomainName = distribution.domainName;

Summary

In this guide, we created an S3 bucket to serve as the origin for our CloudFront distribution. We then created a CloudFront public key and key group to manage the keys used for signing URLs or cookies. Finally, we configured a CloudFront distribution to use the key group for securing access to the content using signed URLs or cookies. This setup ensures that only authorized users with valid signed URLs or cookies can access the content delivered by CloudFront.
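
The distribution above only enforces signatures; the application still has to issue them. As an added example (not part of the original guide or Pulumi's code), this Node.js code builds a canned-policy signed URL and checks it with a local stand-in for the edge-side verification. The domain, key ID and throwaway key pair are constructed, and `signUrl`, `verifySignedUrl` and `demoKeyPair` are hypothetical helper names, not CloudFront or Pulumi APIs.

```javascript
// Added example, not from the original guide. Plain Node.js, standard library only.
const crypto = require("node:crypto");

// CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfSafe = (b64) => b64.replace(/\+/g, "-").replace(/=/g, "_").replace(/\//g, "~");
const cfUnsafe = (s) => s.replace(/-/g, "+").replace(/_/g, "=").replace(/~/g, "/");

// Canned policy: one resource URL, one expiry in epoch seconds, no whitespace.
// The signature covers these exact bytes, so URL and expiry cannot be altered later.
function cannedPolicy(resourceUrl, expiresEpoch) {
  const Condition = { DateLessThan: { "AWS:EpochTime": expiresEpoch } };
  return JSON.stringify({ Statement: [{ Resource: resourceUrl, Condition }] });
}

// keyPairId is the ID of the CloudFront public key (publicKey.id in the Pulumi program).
function signUrl(resourceUrl, privateKeyPem, keyPairId, expiresEpoch) {
  const policy = Buffer.from(cannedPolicy(resourceUrl, expiresEpoch));
  const signature = cfSafe(crypto.sign("RSA-SHA1", policy, privateKeyPem).toString("base64"));
  const sep = resourceUrl.includes("?") ? "&" : "?";
  return `${resourceUrl}${sep}Expires=${expiresEpoch}&Signature=${signature}&Key-Pair-Id=${keyPairId}`;
}

// Hypothetical local stand-in for the edge-side check (not a CloudFront API):
// rebuild the policy from the request and verify it against the registered public key.
function verifySignedUrl(signedUrl, publicKeyPem, nowEpoch) {
  const url = new URL(signedUrl);
  const expires = Number(url.searchParams.get("Expires"));
  const sig = Buffer.from(cfUnsafe(url.searchParams.get("Signature") || ""), "base64");
  for (const name of ["Expires", "Signature", "Key-Pair-Id"]) url.searchParams.delete(name);
  const policy = Buffer.from(cannedPolicy(url.toString(), expires));
  return nowEpoch < expires && crypto.verify("RSA-SHA1", policy, publicKeyPem, sig);
}

// Throwaway key pair for the demo; in practice the private key stays in a secret store
// and only the PEM public key goes into aws.cloudfront.PublicKey's encodedKey.
function demoKeyPair() {
  return crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
}

// Constructed sample values: the domain and key ID below are placeholders.
const demo = demoKeyPair();
const expiresAt = Math.floor(Date.now() / 1000) + 300; // valid for five minutes
const demoUrl = signUrl("https://dexample.cloudfront.net/private/report.pdf", demo.privateKey, "KEXAMPLEKEYID", expiresAt);
console.log(demoUrl, verifySignedUrl(demoUrl, demo.publicKey, Math.floor(Date.now() / 1000)));
```

Keep the expiry short and sign the exact URL the viewer will request, since changing either the path or the `Expires` value invalidates the signature.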
