Restricting access to video content using CloudFront


We host exclusive content on our platform. Only specific users that meet certain criteria are intended to have access to the content. We authenticate the users.

We would like to know how we can ensure that authenticated users are unable to share the link generated to give them access to the content stored in an S3 bucket. Any suggestions or documentation we can study on how to prevent users from sharing the link?

2 Answers


I believe you want to ensure that authenticated users are unable to share the link generated to give them access to the content stored in your S3 bucket. I would advise restricting access to the content that you serve from your Amazon S3 bucket, so that users will only be able to access your files through CloudFront, not directly from the S3 bucket.

You will need to create a special CloudFront user called an origin access identity (OAI) and associate it with your distribution. Configure your S3 bucket permissions so that CloudFront can use the OAI to access the files in your bucket and serve them to your users. Make sure that users can’t use a direct URL to the S3 bucket to access a file there. In addition, I have provided documentation with guided steps for restricting access to Amazon S3 [1].

Refer for References


answered a year ago


To ensure your site URLs are accessed by authenticated users, you can configure CloudFront to require that users access your files using either signed URLs or signed cookies. You need to develop your application to determine whether a user should have access to your content and, if so, to send three Set-Cookie headers to the viewer. Your application sends the Set-Cookie headers to the viewer before the viewer requests your CloudFront private content.

You can make use of a signed URL, which works similarly to signed cookies: one part of a signed URL or a signed cookie restricts access to only authorized users who have the correct authentication credentials, like the private key from a public–private key pair. When someone uses a signed URL or signed cookie to access a file, CloudFront compares the signed and unsigned portions of the URL or cookie. If they don't match, CloudFront doesn't serve the file [1]. This method can help prevent unauthorized users from using the link to access the video content, provided you specify the IP address or range of addresses authorized during URL signing.

When you create signed URLs or signed cookies to control access to your files, you can specify the following restrictions:

  1. An ending date and time, after which the URL is no longer valid.
  2. (Optional) The date and time that the URL becomes valid.
  3. (Optional) The IP address or range of addresses of the computers that can be used to access your content.

You can create a signed URL using a custom or a canned policy; step-by-step guidance is provided in links [2] and [3].

Additional: You can use web access control lists (web ACLs), which are part of the AWS Web Application Firewall, to give you fine-grained control over the web requests that you make to your Amazon CloudFront distribution [4]. You can allow or block traffic requests based on rules you set, i.e., whether they originate from an IP address or a range of IP addresses. For step-by-step guidance on how to configure the web ACLs, kindly refer to link [5].


[1] Restricting access to files in CloudFront caches

[2] Creating a signed URL using a canned policy

[3] Creating a signed URL using a custom policy

[4] Web ACLs

[5] Conditions specify when you want to allow or block requests.

answered 5 months ago
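The three restrictions listed in the answer above map onto a CloudFront custom policy. The following is an added example, not code from either answer or from AWS: it builds such a policy, assembles the signed URL, and models the restrictions locally so a policy can be checked before rollout. The resource URL and key pair ID in the tests are constructed placeholders, `policy_allows` is a hypothetical local model rather than CloudFront's implementation, and the RSA-SHA1 signer is assumed to be supplied by the caller.

```python
import base64
import ipaddress
import json

def build_custom_policy(resource, expires, ip_cidr=None, not_before=None):
    """Return the compact JSON custom policy for a signed URL or cookie."""
    cond = {"DateLessThan": {"AWS:EpochTime": int(expires)}}  # required end time
    if not_before is not None:                                # optional start time
        cond["DateGreaterThan"] = {"AWS:EpochTime": int(not_before)}
    if ip_cidr is not None:                                   # optional viewer IP/range
        ipaddress.ip_network(ip_cidr, strict=False)           # fail early on bad CIDR
        cond["IpAddress"] = {"AWS:SourceIp": ip_cidr}
    stmt = {"Resource": resource, "Condition": cond}
    # CloudFront expects the policy with whitespace removed.
    return json.dumps({"Statement": [stmt]}, separators=(",", ":"))

def cf_b64(data):
    """Base64 with CloudFront's URL-safe substitutions: + to -, = to _, / to ~."""
    return base64.b64encode(data).decode().translate(str.maketrans("+=/", "-_~"))

def signed_url(resource, policy, key_pair_id, sign):
    """Assemble the URL. sign(bytes) -> bytes is the caller's RSA-SHA1 signer
    using the private key of the CloudFront key pair (assumption: supplied by caller)."""
    sep = "&" if "?" in resource else "?"
    return (f"{resource}{sep}Policy={cf_b64(policy.encode())}"
            f"&Signature={cf_b64(sign(policy.encode()))}&Key-Pair-Id={key_pair_id}")

def policy_allows(policy, viewer_ip, now):
    """Hypothetical local model of the three restrictions, for testing policies."""
    cond = json.loads(policy)["Statement"][0]["Condition"]
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:
        return False                                          # link has expired
    if "DateGreaterThan" in cond and now <= cond["DateGreaterThan"]["AWS:EpochTime"]:
        return False                                          # link not yet valid
    if "IpAddress" in cond:
        net = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
        return ipaddress.ip_address(viewer_ip) in net         # shared link, other IP
    return True
```

The IP condition binds the link to a source address, not to a person: viewers behind the same NAT address still pass, and a policy without `IpAddress` can be replayed from anywhere until it expires, so a short expiry matters either way.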
