How to require CloudFront URL signing based on S3 object permission

0

I am serving images from S3 and want to migrate to CloudFront. The S3 bucket is ACL-enabled. Some files are made public (ACL: public-read) and some are private, so they can be accessed like this (public files don't require a signature):

But when I set up CloudFront for this S3 bucket:

  1. If I don't restrict viewer access (in the Behavior settings), both public and private files can be accessed without a signature.
  2. If I restrict viewer access using the key pair, then both types require a signature in the URL.

Is it possible to set this up the way S3 does, i.e. require a signature based on the ACL of the object in S3?

2 Answers
0

Yes, it is possible to configure CloudFront to require signatures based on the ACL of the objects in S3.

To achieve this, you can use CloudFront's Origin Access Identity (OAI) feature. This feature allows you to create a special CloudFront user that can access your S3 bucket, while denying access to all other users.

Setup instructions:

  1. Create a new CloudFront distribution and set your S3 bucket as the origin.
  2. In the "Origin Access Identity" section of the distribution settings, create a new identity and grant it read access to your S3 bucket.
  3. In the S3 bucket permissions, update the bucket policy to grant read access to the CloudFront OAI.
  4. Configure your CloudFront distribution to require signed URLs or cookies, depending on your requirements.

With this setup, CloudFront will only allow access to objects in your S3 bucket if the request is made through the CloudFront distribution and includes the required signature. Public objects in your S3 bucket will still be accessible without a signature, while private objects will only be accessible through the CloudFront distribution with the required signature.

AWS
answered a year ago
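The Python below is an added illustration of the four setup steps in the answer above; it is not code from the AWS answer or from the questioner's setup. It spells out the bucket policy that restricts reads to the OAI and the cache-behavior fragment that turns on trusted key groups, and it adds the caveat a practitioner runs into when following those steps: CloudFront decides whether a request needs a signature per cache behavior (matched by path pattern), not per S3 object ACL. Once the bucket policy only grants the OAI, object ACLs no longer affect viewers at all, so private objects need their own path prefix with a behavior that has trusted key groups enabled, and the default behavior serves everything else unsigned. The bucket name, OAI ID, key group ID and origin ID are placeholders, and the path-pattern matcher is an assumption-labelled approximation of CloudFront's ordering rules (first matching behavior wins, default behavior last).

```python
import json
import re

# Placeholder identifiers (assumptions for this example, not from the page).
BUCKET = "my-image-bucket"
OAI_ID = "E1EXAMPLE"                 # CloudFront Origin Access Identity ID
KEY_GROUP_ID = "abc123-key-group"    # key group holding the public signing key
ORIGIN_ID = "s3-origin"
# AWS managed "CachingOptimized" cache policy ID (a real, well-known constant).
CACHING_OPTIMIZED = "658327ea-f89d-4fab-a63d-7e88639e58f6"


def origin_access_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy granting s3:GetObject only to the CloudFront OAI.

    With Block Public Access on and this policy in place, the object ACLs
    (public-read or private) stop mattering to viewers: the only way to
    read an object is through the distribution, whose behaviors decide
    whether a signature is required.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": (
                "arn:aws:iam::cloudfront:user/"
                f"CloudFront Origin Access Identity {oai_id}")},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def distribution_behaviors(key_group_id: str) -> dict:
    """Fragment of a boto3 DistributionConfig with two cache behaviors.

    Only the behavior for the 'private/*' prefix enforces signed URLs or
    signed cookies (TrustedKeyGroups enabled); the default behavior serves
    every other path without a signature. Other required DistributionConfig
    fields (origins, comment, enabled flag, ...) are omitted here.
    """
    return {
        "CacheBehaviors": {
            "Quantity": 1,
            "Items": [{
                "PathPattern": "private/*",
                "TargetOriginId": ORIGIN_ID,
                "ViewerProtocolPolicy": "redirect-to-https",
                "CachePolicyId": CACHING_OPTIMIZED,
                "TrustedKeyGroups": {"Enabled": True, "Quantity": 1,
                                     "Items": [key_group_id]},
            }],
        },
        "DefaultCacheBehavior": {
            "TargetOriginId": ORIGIN_ID,
            "ViewerProtocolPolicy": "redirect-to-https",
            "CachePolicyId": CACHING_OPTIMIZED,
            "TrustedKeyGroups": {"Enabled": False, "Quantity": 0},
        },
    }


def _pattern_to_regex(pattern: str) -> "re.Pattern":
    # Assumption: CloudFront path patterns use '*' for zero or more characters
    # (including '/') and '?' for exactly one; everything else is literal.
    out = []
    for ch in pattern:
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def requires_signature(config: dict, url_path: str) -> bool:
    """True if the behavior CloudFront would pick for url_path needs a signature.

    Behaviors are tried in listed order; the first matching PathPattern wins
    and the default behavior catches everything else. The query string is
    ignored here because behavior selection happens before any signature
    check, and this helper does not verify signatures.
    """
    rel = url_path.split("?", 1)[0].lstrip("/")
    for behavior in config["CacheBehaviors"]["Items"]:
        if _pattern_to_regex(behavior["PathPattern"]).match(rel):
            return behavior["TrustedKeyGroups"]["Enabled"]
    return config["DefaultCacheBehavior"]["TrustedKeyGroups"]["Enabled"]


if __name__ == "__main__":
    cfg = distribution_behaviors(KEY_GROUP_ID)
    print(json.dumps(origin_access_bucket_policy(BUCKET, OAI_ID), indent=2))
    # Constructed sample paths: only the prefixed one is protected; a private
    # object stored next to public ones at the root is served unsigned.
    for p in ["/public.jpg", "/private/photo.jpg", "/private.jpg"]:
        print(p, "signature required:", requires_signature(cfg, p))
```

The last sample path is the important one: `/private.jpg` sitting beside `/public.jpg` at the bucket root is served by the default behavior and therefore needs no signature, regardless of its S3 ACL. To get the S3-style split, move private objects under a prefix (or give each class its own distribution); CloudFront offers no per-object switch.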
0

Thank you for answering!

I have a question about this: "Configure your CloudFront distribution to require signed URLs or cookies". At this point, all URLs with the CloudFront hostname will require a signature, is that right?

What I would like:

  public  -> https://123.cloudfront.net/public.jpg
  private -> https://123.cloudfront.net/private.jpg?[Signature_of_CloudFront]

But requiring signed URLs would affect both public and private URLs. I cannot just replace the S3 hostname with the CloudFront one. Is there a solution? Thanks!

answered a year ago
