AWS CloudFront WAF ACL

0

I am trying to set a WAF ACL on top of my CloudFront distribution.

The initial idea behind the implementation is to have Video On Demand streaming. So basically I have a web application, which is hosted on my HTTP web server. The web application wants to access specific video resources stored in my previously configured S3 bucket. There is an OAI created on top of it, so my CloudFront distribution shares the files stored in the previously mentioned S3 bucket.

I want to prevent access to the files that can be accessed through a CloudFront distribution URL, and limit the access so that only my web server, which hosts my web application, can read those files. All other potential attackers and users who do not access the files via my web application should be rejected.

I already created an AWS WAF ACL with the allow action access policy on my set of IPs (within the set of IPs only my web server IP, which hosts my web application, is listed), associated it with a rule, and associated my WAF ACL with the previously mentioned CloudFront distribution.

I am looking for a way to enable video download through the CloudFront distribution only via my web application. I've looked into a signed URLs implementation, but I have a problem because I need to specify my video URL link in my web application through a simple web form at course level, which does not let me dynamically set a signed URL once I could generate it.

1 Answer
0

I think from your description that you are asking for CORS support to restrict loading of the video only from your web pages. See: CORS headers.

kentrad (AWS, EXPERT)
answered a year ago
  • Agree with kentrad that CORS is the suggested approach, but it might not be enough to restrict access to authorized users. Just to point out, for CloudFront to deliver your content to your users you cannot use WAF rules restricting access only to your web servers; your app will only deliver a CloudFront URL. If you need to limit access to a video for a period of time or only to your app's authorized users, you would need CloudFront signed URLs or signed cookies.
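
Added example, not part of the thread and not AWS's own code: a sketch of how a web application could issue CloudFront signed cookies with a custom policy, so that video URLs entered statically in a form stay unchanged while only sessions holding the cookies can fetch them. The resource URL and key pair ID are constructed placeholders, and `rsa_sha1_signer` assumes the third-party `cryptography` package is installed.

```python
import base64
import json
import time

def cf_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode().translate(str.maketrans("+=/", "-_~"))

def build_policy(resource: str, expires_epoch: int) -> bytes:
    """Custom policy allowing `resource` (wildcards permitted) until the expiry time."""
    policy = {"Statement": [{
        "Resource": resource,
        "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}},
    }]}
    # CloudFront expects the policy without whitespace.
    return json.dumps(policy, separators=(",", ":")).encode()

def rsa_sha1_signer(private_key_pem: bytes):
    """Return sign(message) -> signature bytes (RSA, SHA-1, PKCS#1 v1.5).

    Assumption: the 'cryptography' package is available; imported lazily
    so the rest of the module works without it.
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())

def signed_cookies(resource, key_pair_id, sign, ttl_seconds=3600, now=None):
    """Build the three cookies the app sets after it has authenticated the user."""
    start = int(now if now is not None else time.time())
    policy = build_policy(resource, start + ttl_seconds)
    return {
        "CloudFront-Policy": cf_b64(policy),
        "CloudFront-Signature": cf_b64(sign(policy)),
        "CloudFront-Key-Pair-Id": key_pair_id,
    }

# Constructed usage (placeholder values, not from the thread):
#   sign = rsa_sha1_signer(open("private_key.pem", "rb").read())
#   cookies = signed_cookies("https://media.example.com/videos/*",
#                            "K_PLACEHOLDER_ID", sign, ttl_seconds=900)
```

The browser sends these cookies to CloudFront only if they are set for a domain that covers the distribution's hostname, so the distribution typically needs an alternate domain name under the application's parent domain. The matching public key must be registered with the distribution as a trusted signer for the cache behavior that serves the videos.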
