- Newest
- Most votes
- Most comments
To answer the specific question of "files in this distribution can be accessible when this URL is called inside from a page in www.domain.com", you could use a CloudFront Function [1] for that. I wouldn't say this is a security measure, but it's certainly a restriction that can be put in place.
You'd want to check for two things:
- The
Origin
header must be present - The value of the
Origin
header must bewww.domain.com
When those conditions aren't met, you can force a 403 response. You can Publish this CloudFront Function and have it be triggered on Viewer Request events.
That aside, this is still true: "let's assume the URL and cookie are shared by user1 to user2 or user2 gets it in some other way, user2 can access the file without signing in to the website". All user2
would have to do is include the Origin
header with the expected value when making a request to the CloudFront URL.
I think the takeaway is, if your credentials or signed URLs are leaked, unauthorized users will be able to access your protected resources with little effort even if you validate the Origin
header. It might be worth investing into finding out ways to make the credentials more secure.
[1] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-functions.html
Relevant content
- Accepted Answerasked 2 years ago
- asked 4 years ago
- asked 10 months ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated a month ago