Cannot restrict access only for writing operations on CloudFront distribution.

0

An issue that I have is requesting a trusted key group for writing publicly readable files. If I expect a signed request, both reading and writing will pop a "missing key" error, and if I don't, they can be publicly read and written without credentials. I can't seem to be able to only expect a key for writing, while keeping reading public.

All I can do is choose a keygroup...

Enter image description here

Thanks in advance :)

  • I'm starting to get desperate here. I've tried a lot of different approaches, and none of them worked. It's a simple use case of publishing content, how come I'm struggling so much with it? I just want my users to publish their images on my website. It's a super simple use case. And yet AWS CloudFront, in all of its complexity, doesn't seem to provide the necessary framework to handle it. How come?

Mickael
已提问 1 年前306 查看次数
2 回答
0
已接受的回答

In the end I just gave up and relied on authenticating on the back-end side with a user with full access to S3. This is apparently the only way to achieve this, even though it's far from ideal.

I honestly don't understand how such a simple use case is not covered by either CloudFront or S3's features...

Mickael
已回答 1 年前
0

CloudFront signed URL and Cookies might not be one that you are looking for. CloudFront Signed URL and Cookies are using Canned Policy and Custom Policy to make restrictions on the Signed requests. However the restriction is not applied on requesting HTTP methods. Values that you specify in the policy statement for a signed URL that uses a custom policy

What you wanted is authenticating and authorizing someone to do something while CloudFront Signed URL and Cookies are not giving the mechanism

Anyone having CloudFront Signed URL and Cookies will be able to access the requested object, even there is an IP restriction in the custom policy, because the IP could be a shared IP. CloudFront Signed URL and Signed Cookies should not be used for authorization purpose.

已回答 1 年前
  • I understood that. The authorization process is handled on my backend. The signed URL are returned by my backend upon successful authentication for the client to use to access the files. This works on "private" files because I want to use signed requests for both writing and reading operations.

    But for "public" files it doesn't, because I want these to be publicly accessible for reading, but not for writing. And you can't activate restrictions to signed requests only for writing operations in the behaviors. If you activated signed requests, it's for everything, read and write.

    So in the end I had to give up on the idea of using CloudFront for writing operations, and write directly to S3 instead using the AWS SDK. Which technically works, but isn't what I wanted...

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则