AWS CloudFront Signed URL CORS

Question

Hi All,

Cloud Front Config: Signed URL expires after 7 minutes, Cache policy TTL is set 100 seconds. 
I am able to create the Signed URL and everything is working fine.

My use case: I want to increase the validity of Signed URL from 7 days to 1 day. Cache policy remains the same. But to so is risky as user took make a database of images. I have a frontend server running at 0.1.0.1
I want my Cloud Front signed URL to working only on the server(0.1.0.1). Just like we add security at our back-end to work only if the request is from a particular server.

Please let me know if this is a possible scenario, or we could also do something else. 
I am 1st year student trying to learn AWS, so I am new in the field, please be humble with your response.

Accepted Answer

Thanks for details. Not sure if I completely understand the requirement, but you could certainly restrict the access from a range of IP addresses and extend the validity using custom policy. Here's an example: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html#private-content-custom-policy-statement-example-one-object

Please feel free to provide more details in case of further questions, thank you.

Answer

You are already using Signed URl's if I understand correctly and what you want now is to secure your front-end server to only allow requests coming from Amazon CloudFront. Is that correct?
If this is the case you can use custom headers to be added to the request to your front-end servers and only requests that have the custom header will be served. See the following documentation: 
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-overview.html
Look at the section - Restricting access to files on custom origins

AWS CloudFront Signed URL CORS

Contenus pertinents