Serving Private Content through CloudFront
Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee. To securely serve this private content using CloudFront, you can do the following:
- Require that your users access your private content by using special CloudFront signed URLs or signed cookies.
- Require that your users access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs. Requiring CloudFront URLs isn't mandatory, but we recommend it: without it, anyone who knows the S3 URL can bypass the restrictions that you specify in signed URLs or signed cookies.
- Overview of Private Content
- Using an HTTP Server for Private Content
- Task List: Serving Private Content
- Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content
- Specifying the AWS Accounts That Can Create Signed URLs and Signed Cookies (Trusted Signers)
- Choosing Between Signed URLs and Signed Cookies
- Using Signed URLs
- Using Signed Cookies
- Using a Linux Command and OpenSSL for Base64-Encoding and Encryption
- Code Examples for Creating a Signature for a Signed URL
Overview of Private Content
You can control end-user access to your private content in two ways:
You can restrict access to objects in CloudFront edge caches – You can configure CloudFront to require that users access your objects using either signed URLs or signed cookies. You then develop your application either to create and distribute signed URLs to authenticated users or to send
When you create signed URLs or signed cookies to control access to your objects, you can specify the following restrictions:
One part of a signed URL or a signed cookie (the policy statement) is hashed and signed using the private key from a public/private key pair; the signature and the key pair ID travel alongside the unsigned portion (the resource URL, the expiration time and, for a custom policy, the policy itself). When someone uses a signed URL or signed cookie to access an object, CloudFront looks up the public key for that key pair ID and checks that the signature matches the unsigned portion of the URL or cookie. If they don't match, if the key pair ID doesn't belong to a trusted signer, or if the policy has expired, CloudFront doesn't serve the object and returns an HTTP 403 (Forbidden) response instead.
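The following program is an added illustration of that mechanism for a canned policy; it is not one of the CloudFront documentation's own code examples. The signer hashes the policy statement with SHA-1, signs it with the RSA private key, and appends Expires, Signature and Key-Pair-Id to the URL. The verifier rebuilds the policy from the unsigned part of the URL (resource plus Expires), looks up the public key registered for Key-Pair-Id, and refuses the URL if the signature, the key pair ID or the expiry doesn't check out. The key pair, the key pair ID `APKAEXAMPLE` and the distribution URL are constructed placeholders, and `verifySignedURL` mimics the check CloudFront performs at the edge; it is not CloudFront's code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// cannedPolicy returns the canned policy statement CloudFront signs for a URL that
// carries only Expires (no Policy parameter). CloudFront rebuilds exactly this
// whitespace-free JSON from the unsigned part of the URL before verifying.
func cannedPolicy(resource string, expires int64) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`,
		resource, expires)
}

// cfEncode is the base64 variant CloudFront expects in query strings:
// standard base64 with + -> -, = -> _ and / -> ~ so the value is URL safe.
func cfEncode(b []byte) string {
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(base64.StdEncoding.EncodeToString(b))
}

// cfDecode reverses cfEncode.
func cfDecode(s string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(s))
}

// signURL hashes the canned policy with SHA-1, signs the digest (PKCS#1 v1.5)
// with the private half of the key pair, and appends the signing parameters.
func signURL(priv *rsa.PrivateKey, resource string, expires int64, keyPairID string) (string, error) {
	digest := sha1.Sum([]byte(cannedPolicy(resource, expires)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	sep := "?"
	if strings.Contains(resource, "?") {
		sep = "&"
	}
	return fmt.Sprintf("%s%sExpires=%d&Signature=%s&Key-Pair-Id=%s", resource, sep, expires, cfEncode(sig), keyPairID), nil
}

// verifySignedURL mimics the edge-side check (illustration only, not CloudFront's
// code): separate the unsigned portion (resource + Expires) from the signed one
// (Signature), rebuild the canned policy and verify it with the public key that
// belongs to Key-Pair-Id. Unknown key pair, bad signature or expiry => refuse.
func verifySignedURL(pubKeys map[string]*rsa.PublicKey, signed string, now int64) error {
	u, err := url.Parse(signed)
	if err != nil {
		return err
	}
	q := u.Query()
	sigParam, keyPairID := q.Get("Signature"), q.Get("Key-Pair-Id")
	expires, err := strconv.ParseInt(q.Get("Expires"), 10, 64)
	if err != nil || sigParam == "" || keyPairID == "" {
		return errors.New("missing or malformed Expires, Signature or Key-Pair-Id")
	}
	pub, ok := pubKeys[keyPairID]
	if !ok {
		return errors.New("key pair ID does not belong to a trusted signer")
	}
	sig, err := cfDecode(sigParam)
	if err != nil {
		return err
	}
	// The unsigned portion is the URL with the three signing parameters removed.
	q.Del("Expires")
	q.Del("Signature")
	q.Del("Key-Pair-Id")
	u.RawQuery = q.Encode()
	digest := sha1.Sum([]byte(cannedPolicy(u.String(), expires)))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], sig); err != nil {
		return errors.New("signature does not match the unsigned portion of the URL")
	}
	if now >= expires {
		return errors.New("signed URL has expired")
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair, demo only
	trusted := map[string]*rsa.PublicKey{"APKAEXAMPLE": &priv.PublicKey}
	signed, _ := signURL(priv, "https://d111111abcdef8.cloudfront.net/private/report.pdf", 1700000000, "APKAEXAMPLE")
	fmt.Println(signed)
	fmt.Println("before expiry:", verifySignedURL(trusted, signed, 1699999999))
	fmt.Println("after expiry: ", verifySignedURL(trusted, signed, 1700000000))
	fmt.Println("path changed: ", verifySignedURL(trusted, strings.Replace(signed, "report.pdf", "other.pdf", 1), 1699999999))
}
```

The tampered-path and expired cases are the ones worth keeping in mind: the signature only covers the policy, so changing any part of the resource URL or the Expires value produces a digest that no longer matches, which is exactly why a viewer cannot reuse one signed URL for a different object or extend its lifetime.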
You can restrict access to objects in your Amazon S3 bucket – You can optionally secure the content in your Amazon S3 bucket so users can access it through CloudFront but cannot access it directly by using Amazon S3 URLs. This prevents anyone from bypassing CloudFront and using the Amazon S3 URL to get content that you want to restrict access to. This step isn't required to use signed URLs, but we recommend it.
To require that users access your content through CloudFront URLs, you perform the following tasks:
Using an HTTP Server for Private Content
You can use signed URLs or signed cookies for any CloudFront distribution, regardless of whether the origin is an Amazon S3 bucket or an HTTP server. However, for CloudFront to get your objects from an HTTP server, the objects must remain publicly accessible. When the objects are publicly accessible, anyone who has the URL for an object on your HTTP server can access the object without logging in or paying for your content. If you use signed URLs or signed cookies and your origin is an HTTP server, do not give the URLs for the objects on your HTTP server to your customers or to others outside your organization.