Amazon CloudFront
Developer Guide (API Version 2014-11-06)

Serving Private Content through CloudFront

Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee. To securely serve this private content using CloudFront, you can:

  • Require that your users use special CloudFront signed URLs to access your content, not the standard CloudFront public URLs.

  • Optional but recommended: Require that your users access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs.

Overview of Private Content

You can control end-user access to your private content in two ways:

You can restrict access to objects in CloudFront edge caches: You can configure CloudFront to require that users access your objects using special signed URLs. You then create the signed URLs (either manually or programmatically) and distribute them to your users.

When you create signed URLs for your objects, you can specify:

  • An ending date and time, after which the URL is no longer valid.

  • (Optional) The date and time that the URL becomes valid.

  • (Optional) The IP address or range of addresses of the computers that can be used to access your content.

One part of a signed URL is hashed and signed using the private key from a public/private key pair. When someone uses a signed URL to access an object, CloudFront compares the signed and unsigned portions of the URL. If they don't match, CloudFront doesn't serve the object.
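As an added illustration (not code from this guide), the Go below walks through the mechanics just described: it builds the custom policy with the expiry and optional start time, signs the policy's SHA-1 hash with the RSA private key, appends the Policy, Signature and Key-Pair-Id parameters, and then performs the same comparison an edge performs when the URL is presented. The type names, Verify and GenKey are this example's own, and the key pair ID and resource URL used when calling it are placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"net/url"
	"strings"
	"time"
)

// Custom policy as CloudFront reads it: resource, expiry and optional start time (epoch seconds).
type Epoch struct{ T int64 `json:"AWS:EpochTime"` }
type Cond struct{ DateLessThan, DateGreaterThan Epoch }
type Stmt struct{ Resource string; Condition Cond }
type Policy struct{ Statement []Stmt }

// CloudFront's URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~' (and back).
var enc = strings.NewReplacer("+", "-", "=", "_", "/", "~")
var dec = strings.NewReplacer("-", "+", "_", "=", "~", "/")
func encode(b []byte) string { return enc.Replace(base64.StdEncoding.EncodeToString(b)) }
func decode(s string) []byte { b, _ := base64.StdEncoding.DecodeString(dec.Replace(s)); return b }
func GenKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // demo key pair

// SignURL builds the policy, hashes it with SHA-1, signs the hash with the RSA private key
// and appends the Policy, Signature and Key-Pair-Id query parameters to the resource URL.
func SignURL(resource string, from, until time.Time, keyID string, key *rsa.PrivateKey) (string, error) {
	c := Cond{DateLessThan: Epoch{until.Unix()}, DateGreaterThan: Epoch{from.Unix()}}
	policy, _ := json.Marshal(Policy{[]Stmt{{resource, c}}}) // compact JSON, no whitespace
	sum := sha1.Sum(policy)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, sum[:])
	if err != nil { return "", err }
	return resource + "?Policy=" + encode(policy) + "&Signature=" + encode(sig) + "&Key-Pair-Id=" + keyID, nil
}

// Verify mirrors the edge-side check: the Signature must verify over the exact Policy bytes
// under the public key (an edited expiry or a garbled value fails), and the window must contain now.
func Verify(signed string, pub *rsa.PublicKey, now time.Time) bool {
	q, _ := url.ParseQuery(signed[strings.Index(signed, "?")+1:])
	policy, sig := decode(q.Get("Policy")), decode(q.Get("Signature"))
	sum := sha1.Sum(policy)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, sum[:], sig) != nil { return false }
	var p Policy
	if json.Unmarshal(policy, &p) != nil || len(p.Statement) != 1 { return false }
	c := p.Statement[0].Condition
	return now.Unix() < c.DateLessThan.T && now.Unix() >= c.DateGreaterThan.T
}
```

Because the signature covers the policy bytes, moving the expiry in the unsigned Policy parameter or presenting the URL with another key pair's signature fails the comparison, which is the protection the paragraph above describes.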

You can restrict access to objects in your Amazon S3 bucket: You can secure the content in your Amazon S3 bucket so users can access it using CloudFront URLs but cannot access it using Amazon S3 URLs. This prevents anyone from bypassing CloudFront and using the Amazon S3 URL to access the content to which you're trying to restrict access. This step isn't required to use signed URLs, but we recommend it.

To require that users use CloudFront URLs, you:

  • Create a special CloudFront user called an origin access identity.

  • Give the origin access identity permission to read the objects in your bucket.

  • Remove permission for anyone else to read the objects.

[Figure: Basic flow for access logs]

Using an HTTP Server for Private Content

You can use signed URLs for any CloudFront distribution, regardless of whether the origin is an Amazon S3 bucket or an HTTP server. However, for CloudFront to access your objects on an HTTP server, the objects must remain publicly accessible. Because the objects are publicly accessible, anyone who has the URL for an object on your HTTP server can access the object without the protection provided by CloudFront signed URLs. If you use signed URLs and your origin is an HTTP server, do not give the URLs for the objects on your HTTP server to your customers or to others outside your organization.