Signed URLs and Signed Cookies in AWS CloudFront using Python

AWS CloudFront gives you the ability to serve your content to users world-wide with low latency using the cache on the edge servers. But how can we additionally secure this content? Signed URLs and Signed Cookies can be used for that. In this article we will try both approaches for doing this.

Signed URL is for: cases where you want to give access to a single file, or your application does not support cookies.

Signed Cookies is for: cases where you want to give access to multiple files, or you don’t want to change the URLs as it is currently generated on your application.

We will:

3. Create a key pair on your system using the below command on terminal

4. Strip out the public key using below command

5. Print the public key using below command

6. Goto CloudFront console → Key Management → Public Keys -> Create public key

Enter the public key from Step 3 in the field and give a name.

7. Goto CloudFront console → Key Management → Key Groups -> Create Key Groups

Create a key group with the key we just created.

8. Goto CloudFront console → Create Distribution, Create a distribution using the S3 bucket as the origin.

Origin Domain : Select the S3 bucket name from Dropdown

S3 Bucket Access : Yes Use OAI (This allows CloudFront to access S3 while public access is blocked on the bucket)

Click on Create new OAI to create an OAI on the fly.

Bucket Policy: Yes, update the bucket policy

Restrict Viewer Access: Yes

Trusted Authorization Type: Trusted key groups (recommended)

Select the Key group created in previous step from drop down.

Default Root Object: awscat.jpg (This is so that we can test access easily, as just going to the CloudFront URL will load the root object in browser)

Wait for the CloudFront Distribution to be deployed. Note the Domain name.

Open the printed URL from a browser.

Below code snippet similarly creates a RSA signer and creates 3 cookies for the CloudFront request. Note down the cookie values and use them in the next step. Expiry date for the cookies is set as 2022-Oct-12. Change it if you are reading this after that date.

Now you can use a curl command like below to check the request from terminal. (Replace the domain url and the cookie values with actual values)

We can also run this request from Postman.

Hope this has been helpful!

Related posts:

The ones who are the mere mention of their name can light up a room full of people. The ones who seem to have a connection with every single person they have ever encountered. I want to be one of…

React can be best described as a JavaScript Library that can be utilized if you want to build or create user interfaces that are highly interactive and versatile. Through React, each state in your…

So you got yourself a job, working 9 to 5 and thought you’d be safe income wise. You make enough to pay your bills, fill the gas tank and maybe eat out a couple times per month without having to…