By using AWS re:Post, you agree to the Terms of Use

Cloudfront with a Lambda@Edge pointing to a private S3


I'm trying to setup a Cloudfront distribution to a S3 bucket using a OAI policy for access to S3 so that I can require connections via CloudFront. This is so I can use a Lambda@Edge to enforce some basic security to keep bots and the basic scans out. It's for a "staging" environment that shouldn't be 100% public for clients to give their approvals for launch.

However, I keep running into "SignatureDoesNotMatch" errors when using the CloudFront URL. It seems when you toggle "Restrict Bucket Access" in CloudFront that it's requiring a Signed URL or a Signed Cookie which I don't want. I just want to be able to access a private S3 bucket with the OAI policy and use a Lambda@Edge to set a "Basic Auth" policy. My code to do the basic auth works, but as soon as I turn on "Restrict Bucket Access" and turn S3 to private it all breaks and I start getting the above "SignatureDoesNotMatch" error.

Is there anyway to get a OAI policy to get to a private S3 bucket while still leaving the CloudFront distribution "public" and relying on the Lamba@Edge shim as my gatekeeper? I don't want requests to be able to by-pass CloudFront and use S3 URLs.

Edited by: rhavenn on Oct 2, 2020 9:25 AM

asked 2 years ago50 views
1 Answer

Egh. Still don't understand why it's not working and I'm getting errors, but I did find the radio button for the Signed Cookies, etc...and that was off. So, it is possible to do this. OAI access policy, but "public" from the CloudFront side.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions