Amazon CloudFront
Developer Guide (API Version 2016-09-29)


Overview of Serving Private Content

You can control user access to your private content in two ways, as shown in the following illustration:

  1. Restrict access to files in CloudFront edge caches

  2. Restrict access to files in your origin by doing one of the following:

    • Set up an origin access identity (OAI) for your Amazon S3 bucket (unless you've configured it as a website endpoint)

    • Configure custom headers for a private HTTP server or an Amazon S3 bucket configured as a website endpoint


[Figure: The two ways to restrict file access in CloudFront]

Restricting Access to Files in CloudFront Edge Caches

You can configure CloudFront to require that users access your files using either signed URLs or signed cookies. You then develop your application either to create and distribute signed URLs to authenticated users or to send Set-Cookie headers that set signed cookies on the viewers for authenticated users. (To give a few users long-term access to a limited number of files, you can also create signed URLs manually.)

When you create signed URLs or signed cookies to control access to your files, you can specify the following restrictions:

  • An ending date and time, after which the URL is no longer valid.

  • (Optional) The date and time that the URL becomes valid.

  • (Optional) The IP address or range of addresses of the computers that can be used to access your content.

One part of a signed URL or a signed cookie is hashed and signed using the private key from a public/private key pair. When someone uses a signed URL or signed cookie to access a file, CloudFront compares the signed and unsigned portions of the URL or cookie. If they don't match, CloudFront doesn't serve the file.

You must use RSA-SHA1 for signing URLs or cookies. CloudFront doesn't accept other algorithms.

Restricting Access to Files in Amazon S3 Buckets

You can optionally secure the content in your Amazon S3 bucket so that users can access it through CloudFront but cannot access it directly by using Amazon S3 URLs. This prevents someone from bypassing CloudFront and using the Amazon S3 URL to get content that you want to restrict access to. This step isn't required to use signed URLs, but we recommend it. Be aware that this option is only available if you have not set up your Amazon S3 bucket as a website endpoint.

To require that users access your content through CloudFront URLs, you do the following tasks:

  • Create a special CloudFront user called an origin access identity.

  • Give the origin access identity permission to read the files in your bucket.

  • Remove permission for anyone else to use Amazon S3 URLs to read the files.

For more information, see Restricting Access to Amazon S3 Content by Using an Origin Access Identity.

Restricting Access to Files on Custom Origins

If you use a custom origin, you can optionally set up custom headers to restrict access. For CloudFront to get your files from a custom origin, the files must be publicly accessible. But by using custom headers, you can restrict access to your content so that users can access it only through CloudFront, not directly. This step isn't required to use signed URLs, but we recommend it.

To require that users access content through CloudFront, change the following settings in your CloudFront distributions:

Origin Custom Headers

Configure CloudFront to forward custom headers to your origin. See Configuring CloudFront to Forward Custom Headers to Your Origin.

Viewer Protocol Policy

Configure your distribution to require viewers to use HTTPS to access CloudFront. See Viewer Protocol Policy.

Origin Protocol Policy

Configure your distribution to require CloudFront to use the same protocol as viewers to forward requests to the origin. See Origin Protocol Policy.

After you've made these changes, update your application on your custom origin to only accept requests that include these headers.

The combination of Viewer Protocol Policy and Origin Protocol Policy ensures that your custom headers are encrypted between the viewer and your origin. However, we recommend that you periodically do the following to rotate the custom headers that CloudFront forwards to your origin:

  1. Update your CloudFront distribution to begin forwarding a new header to your custom origin.

  2. Update your application to accept the new header as confirmation that the request is coming from CloudFront.

  3. When viewer requests no longer include the header that you're replacing, update your application to no longer accept the old header as confirmation that the request is coming from CloudFront.
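One way an origin application could implement the check and the three-step rotation above, as an added example (not AWS's own code); the header name X-Origin-Verify and the secret values are assumptions, and the origin is taken to accept a request only when the header carries one of the currently live values:

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed header name; CloudFront lets you choose any name for an origin custom header.
HEADER_NAME = "X-Origin-Verify"


@dataclass
class OriginVerifier:
    """Origin-side check that a request arrived through CloudFront.

    Keeps the list of currently accepted header values so that, while CloudFront
    is being updated to forward a new value (step 1), both the old and the new
    value are accepted (step 2) until the old one is retired (step 3).
    """
    accepted: List[str] = field(default_factory=list)

    def is_from_cloudfront(self, headers: Dict[str, str]) -> bool:
        # Header names are case-insensitive, so normalise before the lookup.
        lowered = {name.lower(): value for name, value in headers.items()}
        presented = lowered.get(HEADER_NAME.lower())
        if presented is None:
            return False          # header missing: request bypassed CloudFront
        # Constant-time comparison against every live value; a plain '==' or
        # 'in' test would leak timing information about the secret.
        return any(
            hmac.compare_digest(presented.encode("utf-8"), value.encode("utf-8"))
            for value in self.accepted
        )

    def begin_rotation(self, new_value: str) -> None:
        """Step 2: accept the new value alongside the old one."""
        if new_value not in self.accepted:
            self.accepted.append(new_value)

    def finish_rotation(self, old_value: str) -> None:
        """Step 3: once viewer requests no longer carry the old value, retire it."""
        self.accepted = [value for value in self.accepted if value != old_value]


if __name__ == "__main__":
    # Constructed sample: an old secret is live, a new one is rolled in, old retired.
    verifier = OriginVerifier(["old-secret-value"])
    verifier.begin_rotation("new-secret-value")
    print(verifier.is_from_cloudfront({"x-origin-verify": "new-secret-value"}))
    verifier.finish_rotation("old-secret-value")
    print(verifier.is_from_cloudfront({"X-Origin-Verify": "old-secret-value"}))
```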