AWS Developer Tools Blog

Accessing Private Content in Amazon CloudFront

Amazon CloudFront is an easy to use, high performance, and cost efficient content delivery service. With over 50 worldwide edge locations, CloudFront is able to deliver your content to your customers with low latency in any part of the world.

In addition to serving public content for anyone on the Internet to access, you can also use Amazon CloudFront to distribute private content. For example, if your application requires a subscription, you can use Amazon CloudFront’s private content feature to ensure that only authenticated users can access your content and prevent users from accessing your content outside of your application.

Accessing private content in Amazon CloudFront is now even easier with the AWS SDK for Java. You can now easily generate authenticated links to your private content. You can distribute these links or use them in your application to enable customers to access your private content. You can also set expiration times on these links, so even if your application gives a link to a customer, they’ll only have a limited time to access the content.

To use private content with Amazon CloudFront, you’ll need an Amazon CloudFront distribution with private content enabled and a list of authorized accounts you trust to access your private content. From the Create Distribution Wizard in the Amazon CloudFront console, start creating a web distribution. In the ”’Origin Settings”’ section, select an Amazon S3 bucket that you’ve created for private content only, and make sure you select the options as below:

This will set the permissions on your Amazon S3 bucket to protect your content from being accessed publicly, but still allow CloudFront to access your content.

Continue creating your distribution, and at the bottom of the Default Cache Behavior Settings section, make sure you enable the Restrict Viewer Access option and select self as the trusted signer. These are called trusted signers because you’re trusting URLs that are signed by them and allowing them to access your private content. In our example, we’re using self as the only trusted signer, which means that only your account can sign URLs to access your CloudFront private content.

The last thing you need to set up in your account is a CloudFront key pair. This is the public/private key pair that you’ll use to sign requests for your CloudFront private content. Any trusted signer that you configure for your CloudFront distribution will need to set up their own CloudFront key pair for their account in order to sign requests for your CloudFront private content. You can configure your CloudFront key pair through the Security Credentials page in the IAM console. Make sure you download your private key, and make a note of the key pair ID listed in the AWS Management Console.

Now that your account and distribution are configured, you’re ready to use the SDK to generate signed URLs for accessing your CloudFront private content. The CloudFrontUrlSigner class in the AWS SDK for Java makes it easy to create signed URLs that you and your customers can use to access your private content. In the following example, we create a signed URL that expires in 60 seconds and allows us to access the private foo/bar.html content in our CloudFront distribution.

// the DNS name of your CloudFront distribution, or a registered alias
String distributionDomainName;   
// the private key you created in the AWS Management Console
File cloudFrontPrivateKeyFile;
// the unique ID assigned to your CloudFront key pair in the console    
String cloudFrontKeyPairId;   
Date expirationDate = new Date(System.currentTimeMillis() + 60 * 1000);

String signedUrl = CloudFrontUrlSigner.getSignedURLWithCannedPolicy(
           Protocol.https, 
           distributionDomainName, 
           cloudFrontPrivateKeyFile,   
           “foo/bar.html”, // the resource path to our content
           cloudFrontKeyPairId, 
           expirationDate);

You can also attach additional policy restrictions to the presigned URLs you create with CloudFrontUrlSigner. The following example shows how to create a policy to restrict access to a CIDR IP range, which can be useful to limit access to your private content to users on a specific network:

// the DNS name of your CloudFront distribution, or a registered alias
String distributionDomainName;   
// the private key you created in the AWS Management Console
File cloudFrontPrivateKeyFile;
// the unique ID assigned to your CloudFront key pair in the console   
String cloudFrontKeyPairId;   
// the CIDR range limiting which IP addresses are allowed to access your content
String cidrRange; 
// the resource path to our content
String resourcePath  = "foo/bar.html";  
Date expirationDate = new Date(System.currentTimeMillis() + 60 * 1000);

String policy = buildCustomPolicyForSignedUrl(
                    resourcePath,
                    expirationDate,
                    cidrRange,
                    null);

String signedUrl = CloudFrontUrlSigner.getSignedURLWithCustomPolicy(
                    resourcePath,
                    cloudFrontKeyPairId,
                    cloudFrontPrivateKey,
                    policy);

Are you already an Amazon CloudFront customer? Have you tried out Amazon CloudFront private content yet?