Can we add Domain/CORS Restrictions in AWS CloudFront?

0

I am developing an application that is hosted at www.domain.com. I have a file in an AWS CloudFront distribution whose URL is https://d3i8l5x7lbda7h.cloudfront.net/coffee.jpg. I want to add a restriction so that the files in this distribution can be accessed when this URL is called from inside a page in www.domain.com, like some cross-origin resource sharing (CORS) restrictions. Is it possible, and if it is, how can we implement this functionality?

Also, the file should not be accessible when we hit the URL directly; it should be accessible only through components from www.domain.com.

Example of a real-world scenario:

Let user1 be the authenticated user (the user who signs into the website) and user2 be the unauthorized user.

Even if we use a pre-signed URL or signed cookie, let's assume the URL and cookie are shared by user1 to user2 or user2 gets it in some other way, user2 can access the file without signing in to the website.

We should be able to restrict that; user2 should only access the file after signing in to the website.

I tried to implement CORS through a custom response header, but it is not working. I am attaching the configuration below. Is there any problem?

1 Answer
0

To answer the specific question of "files in this distribution can be accessible when this URL is called inside from a page in www.domain.com", you could use a CloudFront Function [1] for that. I wouldn't say this is a security measure, but it's certainly a restriction that can be put in place.

You'd want to check for two things:

  • The Origin header must be present
  • The value of the Origin header must be www.domain.com

When those conditions aren't met, you can force a 403 response. You can Publish this CloudFront Function and have it be triggered on Viewer Request events.

That aside, this is still true: "let's assume the URL and cookie are shared by user1 to user2 or user2 gets it in some other way, user2 can access the file without signing in to the website". All user2 would have to do is include the Origin header with the expected value when making a request to the CloudFront URL.

I think the takeaway is, if your credentials or signed URLs are leaked, unauthorized users will be able to access your protected resources with little effort even if you validate the Origin header. It might be worth investing into finding out ways to make the credentials more secure.

[1] https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cloudfront-functions.html

Marco
answered 10 months ago
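
The two Origin checks described in the answer above, written as a CloudFront Function for the Viewer Request event. This is an added example, not code from the answer; `ALLOWED_ORIGIN` and the `sampleEvent` helper are assumptions, and the comparison uses the full origin string (scheme plus host) because that is what browsers put in the Origin header.

```javascript
// Added example (not from the original answer).
// ALLOWED_ORIGIN is an assumption derived from the site named in the question.
var ALLOWED_ORIGIN = 'https://www.domain.com';

function forbidden() {
    // Response object returned to the viewer instead of forwarding the request.
    return {
        statusCode: 403,
        statusDescription: 'Forbidden',
        headers: { 'cache-control': { value: 'no-store' } }
    };
}

function handler(event) {
    var request = event.request;
    // CloudFront Functions expose header names in lowercase,
    // each as an object with a `value` property.
    var origin = request.headers.origin;

    // Check 1: the Origin header must be present.
    if (!origin || !origin.value) {
        return forbidden();
    }
    // Check 2: exact string match. A prefix or substring test would also
    // accept look-alike hosts such as https://www.domain.com.example.net.
    if (origin.value !== ALLOWED_ORIGIN) {
        return forbidden();
    }
    // Both checks passed: return the request so CloudFront continues processing.
    return request;
}

// Constructed viewer-request event for local testing (hypothetical helper).
function sampleEvent(originValue) {
    var headers = { host: { value: 'd3i8l5x7lbda7h.cloudfront.net' } };
    if (originValue !== undefined) {
        headers.origin = { value: originValue };
    }
    return { request: { method: 'GET', uri: '/coffee.jpg', headers: headers } };
}
```

Browsers send Origin on CORS requests such as `fetch()` or `<img crossorigin>`; a plain `<img>` GET carries no Origin header and would receive the 403 from this function.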
