Cannot restrict access only for writing operations on CloudFront distribution.

0

An issue that I have is requesting a trusted key group for writing publicly readable files. If I expect a signed request, both reading and writing will pop a "missing key" error, and if I don't, they can be publicly read and written without credentials. I can't seem to be able to only expect a key for writing, while keeping reading public.

All I can do is choose a keygroup...

Enter image description here

Thanks in advance :)

  • I'm starting to get desperate here. I've tried a lot of different approaches, and none of them worked. It's a simple use case of publishing content, how come I'm struggling so much with it? I just want my users to publish their images on my website. It's a super simple use case. And yet AWS CloudFront, in all of its complexity, doesn't seem to provide the necessary framework to handle it. How come?

Mickael
質問済み 1年前305ビュー
2回答
0
承認された回答

In the end I just gave up and relied on authenticating on the back-end side with a user with full access to S3. This is apparently the only way to achieve this, even though it's far from ideal.

I honestly don't understand how such a simple use case is not covered by either CloudFront or S3's features...

Mickael
回答済み 1年前
0

CloudFront signed URL and Cookies might not be one that you are looking for. CloudFront Signed URL and Cookies are using Canned Policy and Custom Policy to make restrictions on the Signed requests. However the restriction is not applied on requesting HTTP methods. Values that you specify in the policy statement for a signed URL that uses a custom policy

What you wanted is authenticating and authorizing someone to do something while CloudFront Signed URL and Cookies are not giving the mechanism

Anyone having CloudFront Signed URL and Cookies will be able to access the requested object, even there is an IP restriction in the custom policy, because the IP could be a shared IP. CloudFront Signed URL and Signed Cookies should not be used for authorization purpose.

回答済み 1年前
  • I understood that. The authorization process is handled on my backend. The signed URL are returned by my backend upon successful authentication for the client to use to access the files. This works on "private" files because I want to use signed requests for both writing and reading operations.

    But for "public" files it doesn't, because I want these to be publicly accessible for reading, but not for writing. And you can't activate restrictions to signed requests only for writing operations in the behaviors. If you activated signed requests, it's for everything, read and write.

    So in the end I had to give up on the idea of using CloudFront for writing operations, and write directly to S3 instead using the AWS SDK. Which technically works, but isn't what I wanted...

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ