
No Trusted Signers for Multi-Tenant Distributions?


Can someone explain to me why the new multi-tenant distributions don't support Trusted Signers? This would be the perfect solution for our application, but the lack of Trusted Signers support, to lock down access to content, is a complete deal breaker for us.

Asked 4 months ago, 34 views
1 Answer

Why Multi-Tenant CloudFront Distributions Don't Support Trusted Signers

I understand your frustration about the lack of Trusted Signers support in CloudFront's multi-tenant distributions. This limitation can indeed be a deal-breaker for applications that rely on this security mechanism. Let me explain why this limitation exists and what alternatives you might consider.

Technical Reasons for the Limitation

The absence of Trusted Signers support in multi-tenant distributions stems from fundamental architectural differences:

Shared Configuration Model:
    Multi-tenant distributions are designed with a shared configuration approach across multiple domains/tenants
    Trusted Signers operate at the distribution level and are tied to specific AWS account IDs
    This creates an architectural conflict when trying to apply account-specific trusted signers across a shared distribution

Security Boundary Concerns:
    Trusted Signers use AWS account root credentials for key pair creation
    In a multi-tenant environment, this would potentially create security boundary issues between tenants
    AWS is likely avoiding this design to prevent potential cross-tenant security vulnerabilities

Operational Complexity:
    Managing multiple Trusted Signers across tenants would introduce significant operational complexity
    This contradicts the primary benefit of multi-tenant distributions: simplified management

Potential Alternatives for Your Application

Since Trusted Signers are a deal-breaker for your use case, here are some alternatives to consider:

1. Use Trusted Key Groups Instead

CloudFront now recommends Trusted Key Groups over Trusted Signers for all distributions:

Better Security: No need for root account access to manage keys
Easier Management: Create and manage up to 10 public keys per key group
Key Rotation: Rotate keys without disrupting your distribution
IAM Integration: Manage permissions using standard IAM policies

Example implementation:

    # Create a public key
    aws cloudfront create-public-key \
        --public-key-config file://public-key-config.json

    # Create a key group
    aws cloudfront create-key-group \
        --key-group-config file://key-group-config.json

    # Associate the key group with your distribution's cache behavior
    # (ETAG is the ETag returned by get-distribution-config; update-distribution rejects a stale or missing one)
    aws cloudfront update-distribution \
        --id DISTRIBUTION_ID \
        --if-match ETAG \
        --distribution-config file://distribution-config.json

2. Continue Using Single-Tenant Distributions

If Trusted Signers are absolutely essential for your security model:

Maintain your current single-tenant distribution architecture
Use CloudFront Functions or Lambda@Edge for tenant-specific customizations
Implement automation to manage multiple distributions efficiently

3. Implement Application-Level Authentication

Move authentication logic to your application or origin:

Implement token-based authentication at your origin server
Use Lambda@Edge to validate authentication tokens before serving content
Create a custom header validation system using CloudFront Functions

4. Hybrid Approach with AWS WAF

Combine CloudFront with AWS WAF for enhanced security:

Deploy a multi-tenant distribution with AWS WAF integration
Create tenant-specific rules using WAF rule groups
Implement token validation using WAF custom request handling

Business Considerations

When evaluating these alternatives, consider:

Operational Overhead:
    Single-tenant distributions require more management but offer more security flexibility
    Multi-tenant distributions simplify management but require alternative security approaches

Cost Implications:
    Multiple single-tenant distributions may cost more than a consolidated multi-tenant approach
    Additional services like Lambda@Edge or WAF will add to your overall costs

Security Requirements:
    Evaluate if Trusted Key Groups can meet your security requirements
    Consider if application-level authentication could provide equivalent security

Requesting Feature Enhancement

If Trusted Signers support is critical for your use case:

Submit a feature request through AWS Support
Provide detailed use cases and business impact
Engage with your AWS account team to advocate for this feature

While AWS hasn't publicly stated why they excluded Trusted Signers from multi-tenant distributions, the architectural and security considerations likely influenced this decision. For now, you'll need to evaluate the alternatives to determine the best path forward for your application's security requirements.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecurityAndPrivateContent.html

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-config-options.html

https://docs.aws.amazon.com/whitepapers/latest/secure-content-delivery-amazon-cloudfront/authorize-access-at-the-edge-with-signed-url-and-cookies.html

AWS
answered 4 months ago
AWS
SUPPORT ENGINEER
reviewed 4 months ago
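The answer's first alternative, signed URLs under a trusted key group, as an added Python example that is not part of the answer above: it builds canned-policy and custom-policy URLs the way CloudFront expects them (compact policy JSON, CloudFront's base64 alphabet, the key group's public key ID as Key-Pair-Id) and decodes a URL back so the time window and key ID of a URL found in access logs can be checked. The key ID KPUBLICKEYID, the distribution host name and the timestamps are constructed placeholders; rsa_sha1_signer assumes the cryptography package and the private half of the key you uploaded with create-public-key.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

def cf_b64(data: bytes) -> str:
    """Base64 with CloudFront's URL-safe substitutions: + -> -, = -> _, / -> ~."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")

def cf_b64_decode(text: str) -> bytes:
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))

def build_policy(resource, expires, not_before=None, source_ip=None) -> str:
    """Policy statement; CloudFront requires the JSON with no whitespace at all."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires}}
    if not_before is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    if source_ip is not None:
        cond["IpAddress"] = {"AWS:SourceIp": source_ip}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": cond}]}, separators=(",", ":"))

def signed_url(url, key_pair_id, sign, expires, not_before=None, source_ip=None) -> str:
    """sign(bytes) -> RSA-SHA1 signature; key_pair_id is the key group's public key ID."""
    policy = build_policy(url, expires, not_before, source_ip)
    params = {}
    if not_before is None and source_ip is None:
        params["Expires"] = str(expires)             # canned policy: only the expiry travels
    else:
        params["Policy"] = cf_b64(policy.encode())   # custom policy travels in full
    params["Signature"] = cf_b64(sign(policy.encode()))
    params["Key-Pair-Id"] = key_pair_id
    return url + ("&" if "?" in url else "?") + urlencode(params)

def rsa_sha1_signer(private_key_pem: bytes):
    """Signer for the private half of an uploaded key-group key (assumes the `cryptography` package)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA1())

def inspect_signed_url(url: str, now: int) -> dict:
    """Decode a signed URL seen in access logs: which key ID and time window it claims."""
    q = parse_qs(urlsplit(url).query)
    if "Policy" in q:
        cond = json.loads(cf_b64_decode(q["Policy"][0]))["Statement"][0]["Condition"]
        expires = cond["DateLessThan"]["AWS:EpochTime"]
        not_before = cond.get("DateGreaterThan", {}).get("AWS:EpochTime")
        source_ip = cond.get("IpAddress", {}).get("AWS:SourceIp")
    else:
        expires, not_before, source_ip = int(q["Expires"][0]), None, None
    in_window = (not_before is None or now >= not_before) and now < expires
    return {"key_pair_id": q["Key-Pair-Id"][0], "expires": expires,
            "not_before": not_before, "source_ip": source_ip, "in_window": in_window}
```

Rotating a key is then a matter of uploading the new public key into the key group, switching the signer and Key-Pair-Id, and removing the old key once its URLs have expired; no distribution redeploy or root credentials are involved.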
