Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee. To securely serve this private content using CloudFront, you can:
Require that your users use special CloudFront signed URLs to access your content, not the standard CloudFront public URLs.
Optional but recommended: Require that your users access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs.
You can control end-user access to your private content in two ways:
You can restrict access to objects in CloudFront edge caches: You can configure CloudFront to require that users access your objects using special signed URLs. You then create the signed URLs (either manually or programmatically, using the private key of a key pair whose public key is registered with CloudFront) and distribute them to your users.
When you create signed URLs for your objects, you can specify:
One part of a signed URL, the policy statement that names the object and states when the URL stops being valid, is hashed and signed using the private key from a public/private key pair; the public key is registered with CloudFront. When someone uses a signed URL to access an object, CloudFront reconstructs the policy from the unsigned portions of the URL (the object URL and the expiration parameter), verifies the signature against it with the public key, and checks that the policy conditions are still satisfied. If the signature doesn't verify, or the URL has expired, CloudFront returns an HTTP 403 error instead of the object. Note that the URL itself is the credential: anyone who obtains it can use it until it expires, so keep expiration windows short and deliver signed URLs only over HTTPS.
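The following added example (not AWS code, and not a substitute for the AWS SDK signers) walks through both sides of the canned-policy scheme described above: building the whitespace-free policy document, signing it with RSA PKCS#1 v1.5 over SHA-1, applying CloudFront's URL-safe base64 substitutions, appending the Expires, Signature and Key-Pair-Id parameters, and then a verifier that mimics what the edge does by rebuilding the policy from the unsigned part of the URL and checking the signature and expiration. The RSA key is generated inline at a toy size so the demo runs offline; real CloudFront key pairs are 2048-bit RSA keys created in the console or with `aws cloudfront create-public-key`. The distribution domain, object path and Key-Pair-Id are hypothetical placeholders.

```python
"""CloudFront canned-policy signed URLs: sign and verify, end to end.

Added example, not AWS code. RSA key generation here is a toy (512-bit) so the
demo is self-contained; use the CloudFront-managed 2048-bit key pairs for real.
"""
import base64
import hashlib
import hmac
import json
import random
from urllib.parse import parse_qsl, urlsplit, urlunsplit

SIGNING_PARAMS = ("Expires", "Signature", "Key-Pair-Id")
# DER prefix of DigestInfo for SHA-1 (RFC 8017, section 9.2, note 1)
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


# --- minimal RSA with PKCS#1 v1.5 / SHA-1, the scheme CloudFront expects ----
def _is_probable_prime(n, rounds=16):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _rand_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)). Toy size: demo only."""
    e = 65537
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this means gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))


def _pkcs1_v15_encode(digest, k):
    t = _SHA1_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rsa_sha1_sign(priv, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    em = _pkcs1_v15_encode(hashlib.sha1(message).digest(), k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def rsa_sha1_verify(pub, message, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _pkcs1_v15_encode(hashlib.sha1(message).digest(), k))


# --- CloudFront-specific encoding and policy format ---------------------------
def cf_b64(raw):
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))


def cf_b64_decode(text):
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))


def canned_policy(resource_url, expires):
    """The whitespace-free JSON that is hashed and signed (canned policy)."""
    doc = {"Statement": [{"Resource": resource_url,
                          "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(doc, separators=(",", ":")).encode()


def sign_url(url, key_pair_id, priv, expires):
    """Append Expires, Signature and Key-Pair-Id to the object URL."""
    sig = cf_b64(rsa_sha1_sign(priv, canned_policy(url, expires)))
    sep = "&" if urlsplit(url).query else "?"
    return f"{url}{sep}Expires={expires}&Signature={sig}&Key-Pair-Id={key_pair_id}"


def verify_signed_url(signed_url, trusted_keys, now):
    """Mimic the edge check: rebuild the policy from the unsigned portion of the
    URL, verify the signature with the public key behind Key-Pair-Id, then
    apply the policy's time condition. Returns (ok, reason)."""
    parts = urlsplit(signed_url)
    params = dict(parse_qsl(parts.query))
    for name in SIGNING_PARAMS:
        if name not in params:
            return False, f"missing {name}"
    pub = trusted_keys.get(params["Key-Pair-Id"])
    if pub is None:
        return False, "unknown Key-Pair-Id"
    # The signed resource is the URL with the three signing parameters removed.
    keep = [kv for kv in parts.query.split("&") if kv.split("=", 1)[0] not in SIGNING_PARAMS]
    resource = urlunsplit(parts._replace(query="&".join(keep)))
    try:
        expires = int(params["Expires"])
        sig = cf_b64_decode(params["Signature"])
    except ValueError:
        return False, "malformed Expires or Signature"
    if not rsa_sha1_verify(pub, canned_policy(resource, expires), sig):
        return False, "signature mismatch"
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    pub, priv = generate_keypair()
    keys = {"APKAEXAMPLE": pub}  # hypothetical Key-Pair-Id -> registered public key
    now = 1_700_000_000
    url = "https://d111111abcdef8.cloudfront.net/private/report.pdf"  # placeholder
    signed = sign_url(url, "APKAEXAMPLE", priv, now + 300)
    print(signed)
    print(verify_signed_url(signed, keys, now))
    print(verify_signed_url(signed.replace("report.pdf", "other.pdf"), keys, now))
```

The verifier rejects every edit to the unsigned portion (a different object path, an Expires pushed into the future, a Key-Pair-Id it does not know) because the recomputed policy no longer matches what was signed; only the holder of the private key can mint a URL that passes, which is exactly why that key must never ship to clients.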
You can restrict access to objects in your Amazon S3 bucket: You can secure the content in your Amazon S3 bucket so that users can access it using CloudFront URLs but cannot access it using Amazon S3 URLs, by granting read access to CloudFront rather than to the public. This prevents anyone from bypassing CloudFront, and therefore the signed-URL check, by requesting the object directly from Amazon S3. This step isn't required to use signed URLs, but we recommend it; without it, a signed URL only protects the CloudFront path to an object that is still reachable by its S3 URL.
To require that users use CloudFront URLs, you:
You can use signed URLs for any CloudFront distribution, regardless of whether the origin is an Amazon S3 bucket or an HTTP server. However, for CloudFront to fetch your objects from an HTTP server, the objects must remain publicly accessible on that server. Because they are publicly accessible, anyone who knows the URL of an object on your HTTP server can retrieve it directly, without the protection provided by CloudFront signed URLs. If you use signed URLs and your origin is an HTTP server, do not give the origin URLs for the objects to your customers or to anyone outside your organization, and treat the origin hostname itself as something to keep out of client-visible pages and responses.