I want to restrict access to content in my Amazon CloudFront distribution.
Short description
To restrict access to private content in your CloudFront distribution, use signed URLs or signed cookies.
If you require only basic authentication with a username and password, then use Lambda@Edge or CloudFront Functions to set up basic authentication.
To restrict access based on IP address or geographic location, configure CloudFront to allow or block requests.
To set up secure user authentication with an identity provider, use Lambda@Edge to integrate CloudFront with OpenID Connect (OIDC).
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Use signed URLs or signed cookies
Signed URLs carry a policy (or an expiration time) and a signature that you create with your private key, and they grant temporary access to an individual file. Use signed URLs to secure access to specific resources, or when the client can't accept cookies.
Signed cookies carry the same policy and signature in cookies that your application sets on the viewer's browser, and they grant access to multiple files under a path (for example, everything under /private/*). Use signed cookies for broader access control without changing your URLs.
Note: Signed URLs and signed cookies use RSA key pairs that you create. You upload only the public key to CloudFront and keep the private key in the application that signs. Signed URLs and signed cookies control access at CloudFront only, so also restrict direct access to your origin (for example, with origin access control for an Amazon S3 origin) so that viewers can't bypass CloudFront.
To use signed URLs or signed cookies, complete the following steps:
Create a key pair
Create a 2048-bit RSA key pair in PEM format, then upload only the public key to CloudFront (in the CloudFront console, under Key management, choose Public keys). Keep the private key secret; CloudFront never needs it.
Create a trusted key group
- Open the CloudFront console.
- In the navigation pane, under Key management, choose Key groups.
- Choose Create key group.
- For Name, enter a name for your key group.
- For Public keys, choose a key.
- Choose Create key group.
Configure your distribution
Update your distribution to use your trusted key group for signed URLs or signed cookies. For more information about how to configure your distribution, see Cache behavior settings.
Generate signed URLs or signed cookies
To generate signed URLs, run the following sign AWS CLI command. Replace the URL, key pair ID, private key path, and expiration time with your own values:
aws cloudfront sign \
--url "https://your-distribution-domain.cloudfront.net/path/to/file.pdf" \
--key-pair-id "YOUR_KEY_PAIR_ID" \
--private-key file://path/to/your/private-key.pem \
--date-less-than "2024-12-31T23:59:59"
For additional options such as IP restrictions (--ip-address) and a start time (--date-greater-than), see Options in the AWS CLI Command Reference.
Note: You can also create signed URLs with the AWS SDKs or with third-party tools.
To generate signed cookies, use an AWS SDK for your language. For code examples, see Create signed cookies using PHP and Create signed URLs and cookies using an AWS SDK.
Use the signed URLs or signed cookies
Distribute the signed URLs to viewers, or have your application set the signed cookies (CloudFront-Policy, CloudFront-Signature, and CloudFront-Key-Pair-Id, or CloudFront-Expires instead of CloudFront-Policy for a canned policy) in its responses so that the browser includes them in requests to CloudFront. CloudFront returns 403 Forbidden when the signature is missing, invalid, or expired.
Use Lambda@Edge to set up basic authentication
Note: Lambda@Edge doesn't provide built-in authentication. You write the function code that implements your authentication logic, and that code runs on every viewer request, so keep it small and fast.
Complete the following steps:
- Create an AWS Lambda function to handle authentication for viewer requests.
- In the function's code, inspect request headers, validate credentials, and allow or deny the request. For an example function, see Example: Redirect unauthenticated users to a sign-in page.
- Use a CloudFront trigger to associate the function with the viewer request event of your distribution's cache behavior, so that the check runs before CloudFront looks in its cache.
Use CloudFront Functions to set up basic authentication
Note: CloudFront Functions don't provide built-in authentication. You write the JavaScript that implements your authentication logic. The CloudFront Functions runtime doesn't include the Node.js standard library and can't make network calls, so it suits simple header checks such as basic authentication.
Complete the following steps:
- Create a CloudFront Function to authenticate viewer requests.
- In the function's code, inspect headers, validate credentials, and allow or deny requests. For an example function, see Validate a simple token in a CloudFront Functions viewer request.
- Associate the function with the viewer request event of your distribution's cache behavior.
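The following is an added example that is not part of this article. It implements the check described in both the Lambda@Edge and the CloudFront Functions steps above, written for the CloudFront Functions runtime (viewer request event): the expected Authorization header value is stored pre-encoded because that runtime has no Buffer or btoa, and the comparison runs in constant time. The credential admin:s3cr3t and the realm are hypothetical.

```javascript
// Added example, not the article's code: a CloudFront Function for the
// viewer-request event that enforces HTTP basic authentication. The runtime
// has no Node standard library (no Buffer, no btoa), so the expected header
// is stored pre-encoded as 'Basic ' + base64("user:password").
// Hypothetical credential: admin:s3cr3t.
var EXPECTED_AUTH = 'Basic YWRtaW46czNjcjN0';

// Compare without stopping at the first mismatch, so response timing does
// not reveal how many leading characters of the guess were correct.
function constantTimeEqual(a, b) {
  var diff = a.length ^ b.length;
  var n = a.length > b.length ? a.length : b.length;
  for (var i = 0; i < n; i++) {
    // charCodeAt past the end is NaN; "| 0" turns that into 0.
    diff |= (a.charCodeAt(i) | 0) ^ (b.charCodeAt(i) | 0);
  }
  return diff === 0;
}

function unauthorized() {
  return {
    statusCode: 401,
    statusDescription: 'Unauthorized',
    headers: {
      // The challenge makes browsers prompt for credentials.
      'www-authenticate': { value: 'Basic realm="Protected content"' },
      'cache-control': { value: 'no-store' }
    }
  };
}

// CloudFront Functions entry point. event.request.headers keys are
// lower-case; each header is an object with a `value` property.
function handler(event) {
  var request = event.request;
  var auth = request.headers.authorization;
  var provided = auth ? auth.value : '';
  if (!constantTimeEqual(provided, EXPECTED_AUTH)) {
    return unauthorized();
  }
  // Returning the request lets it continue to the cache or the origin.
  return request;
}
```

Because the function runs on the viewer request, unauthenticated requests are rejected before the cache lookup, so cached objects are never served to a viewer who failed the check. Pair this with a viewer protocol policy that redirects HTTP to HTTPS, since basic credentials are only base64-encoded, and remember that anyone who can read the function code can read the credential.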
Configure CloudFront to allow or block requests based on client IP address or geographic location
Take one of the following actions:
- To restrict by client IP address, create an AWS WAF IP set, reference it in a web ACL rule that allows or blocks matching requests, and associate the web ACL with your distribution.
- To restrict by geographic location, use CloudFront geographic restrictions to create an allow list or a block list of countries. CloudFront determines the country from the viewer's IP address, so this doesn't stop a viewer who connects through a proxy or VPN in an allowed country.
Note: AWS WAF web ACLs and geographic restrictions apply to the whole distribution, not to individual cache behaviors.
Use Lambda@Edge to integrate CloudFront with OIDC
Note: CloudFront doesn't run the OIDC login flow itself. Your application authenticates the user with the identity provider, obtains an ID token, and includes it in requests to CloudFront (for example, in an Authorization header or a cookie). The Lambda@Edge function only validates that token.
Complete the following steps:
- Create a Lambda function to validate the OIDC ID token in viewer requests.
- In the function's code, inspect the Authorization header, validate the ID token's signature against the provider's public keys (published at the jwks_uri in its discovery document), check the issuer, audience, and expiration claims, and allow or deny the request.
- Associate the function with your distribution's behavior.
Related information
Authorization@Edge – How to Use Lambda@Edge and JSON Web Tokens to Enhance Web Application Security
External Server Authorization with Lambda@Edge
Securing CloudFront distributions using OpenID Connect and AWS Secrets Manager