Unleashing the Power of CloudFront: Mastering Pre-Signed URLs for Secure Content Delivery
In the vast realm of cloud computing, content delivery is crucial for fast, reliable, and secure distribution of digital assets. Leading this revolution is CloudFront, AWS’s powerful CDN. But how can you enhance your content delivery? Introducing Pre-Signed URLs, an ingenious solution that grants temporary access to private content, offering flexibility and top-notch data protection.
In this article, we will unlock the secrets behind (1) CloudFront, (2) Pre-signed URL (3) CloudFront Pre-Signed URL and (4) Cache and Custom Policy
keywords — Content Delivery Network(CDN), CloudFront, Pre-Signed URL, Cache, AWS, Policy, Boto3
CloudFront
CloudFront is a service provided by Amazon Web Services (AWS) that helps deliver website content, such as images, videos, and web pages, to people around the world. When someone visits a website for the first time, CloudFront stores the web content at all the edge location, when someone visits the website again, they get the content served from the closest edge location. This makes the content load faster because it doesn’t have to travel long distances. CloudFront also helps protect websites from things like cyber attacks and excessive traffic.
You can follow the steps below to configure CloudFront distribution:
- Sign in to AWS management console and search CloudFront.
- On CloudFront main page, click on “Create distribution”. You will be redirected to the configuration page, as shown below:
3. You can select many origin domain like S3, Application Load balancer, API gateway etc. But for me I am selecting S3 as I have to deliver images in CDN. In origin path, you can provide path to the folder in which the CDN will look for images or keep it empty. Name contains for name of this CDN.
4. On scrolling, you will see Origin Access section, which allows CloudFront to read from a resource, you can select “Legacy access identities” and create new Origin access identity(OAI) by clicking “Create new OAI”. Under bucket policy select “Yes, update the bucket policy”.
5. Lastly in the WAF section select “Do not enable security protections”. There are many more options in CloudFront, but we will keep all other options as default and click “Create distribution”. You can learn configuring other options from AWS official documentation.
6. Once the CDN is deployed you will get a CDN URL, which will look something like “https://domain.cloudfront.net”. You can view images by adding image ID at the end of the CloudFront URL. Example: https://somedomain.cloudfront.net/imageID.extension
7. One of the problem, with this CDN is that anyone can access it, and can use our images from any server, if they know the image ID. We will try to solve this issue with signed URL in this article.
Pre-signed URL
A pre-signed URL is a URL that grants temporary access to an object, without requiring the requester to have credentials on those secure objects. When you generate a pre-signed URL, you specify an expiration time, after which the URL is no longer valid. Anyone who has the pre-signed URL can use it to access the object for the duration specified. Below is an example of CloudFront pre-signed URL, which has a policy, signature and key ID.
We can generate pre-signed URL from S3 also, but that comes with many disadvantages:
- Limited caching: S3 pre-signed URLs provide direct access to the objects in your S3 bucket. This means that there is no caching mechanism in place.
- Lack of global edge locations: When using S3 pre-signed URLs, the requests are typically routed to the S3 bucket’s region. This can result in slower download speeds for users located far away from the region.
- Limited control over access control: With S3 pre-signed URLs, you have limited control over access control and content delivery. You can only specify the expiration time and optionally limit access to specific IP addresses.
- Missing content protection features: S3 pre-signed URLs do not provide built-in content protection features such as URL tokenization or URL obfuscation. This means that if a pre-signed URL is intercepted or shared, anyone with that URL can access the content until it expires.
CloudFront Pre-Signed URL
CloudFront Pre-Signed URL can be generated by signing the URL with a RSA key, and eliminates all the limitations of S3 pre-signed URL. CloudFront signed URLs offer advantages such as content delivery acceleration, secure access to content, protection against unauthorized sharing, flexible access control policies, integration with custom logic, and compatibility with private content stored in Amazon S3. These features make CloudFront signed URLs a powerful tool for securely delivering and controlling access to your content distributed through CloudFront.
We have already create a CloudFront distribution, now we will modify some configuration in order to generate signed URL for the same.
- To generate a signed URL, first we need RSA keys the private key will be used by server to sign a URL, and public key will be stored in the CloudFront for validation in the form of “Key group”.
- Once keys are set, now you go the behaviour settings, and under “Restrict viewer access” select “yes”, and select the “Trusted key groups”, you have created in Step 1, and save change.
3. Now, no one would be able to access to your object without a signature. You can use the code below to created CloudFront signed URL.
4. The signed URL generated using the above code will be available in the edge locations for 24 hours.
Cache and Custom Policy
Cache: As mentioned earlier, signed URLs have a default validity of 24 hours, which means the signed URL will not hit the object source, before that even, if the image has been changed or deleted from the source. In order to avoid this problem, we configure cache policy, that will increase the number of hit on the source and make the latest image available to the user. You can create a cache policy under the policies section, as given in the below image:
The above cache policy hit the source object every 60 seconds. Once this is created, you can attach this in the CloudFront under behaviour setting in “Cache key and origin requests”, as given in the below image.
Custom policy: We have previously created CloudFront signed URLs, but it is important to understand cache and custom policies for additional control and flexibility. As mentioned earlier, signed URLs have a default validity of 24 hours, which may be longer than desired in certain scenarios. For example, if you need a URL to be valid for only a few minutes or restrict access to a specific IP address, you would utilize a custom policy when signing the object. This allows you to define specific access rules and tailor the URL’s validity and permissions to meet your specific requirements.
In the code give in above image will create signed URL with custom policy, which allows a resource to be accessible by a particular IP for 24 minutes.
