CloudFront Signed Cookies let you grant time-limited access to private content without modifying the content itself or requiring users to log into your application.
Let’s see them in action. Imagine you have a set of private images stored in an S3 bucket, and you want to share them with specific users for a limited time.
# First, generate a private key and a public key pair.
# For example, using openssl:
openssl genrsa -out cf_private_key.pem 2048
openssl rsa -pubout -in cf_private_key.pem -out cf_public_key.pem
# Next, upload the public key to AWS IAM and associate it with your CloudFront distribution.
# In the AWS Console, navigate to IAM -> Access management -> Policies -> Create policy.
# Then, navigate to CloudFront -> Distributions -> [Your Distribution] -> Edit -> Yes -> Trusted Key Groups.
# Create a new Trusted Key Group and upload your cf_public_key.pem.
# Note the Key Group ID.
# Now, let's create a signed cookie. We'll use a hypothetical script for this.
# In a real-world scenario, you'd use an AWS SDK or a custom script.
# --- Hypothetical Python Script Snippet ---
import datetime
from aws_cdk.aws_cloudfront import SignedCookies
# Assume you have your private key content and key pair ID
private_key_content = "-----BEGIN RSA PRIVATE KEY-----\n...\n-----END RSA PRIVATE KEY-----"
key_pair_id = "YOUR_KEY_PAIR_ID" # From IAM
# Define the files to be accessed and their expiration time
policy = SignedCookies.policy(
{
"url": "https://your-cloudfront-domain.com/private/image1.jpg",
"url": "https://your-cloudfront-domain.com/private/image2.png",
},
expires=datetime.datetime.utcnow() + datetime.timedelta(hours=1)
)
# Generate the signed cookies
signed_cookies = SignedCookies.sign_cookies(
policy,
key_pair_id=key_pair_id,
private_key=private_key_content
)
# The 'signed_cookies' dictionary will contain cookie names and values like:
# {
# "CloudFront-Policy-YOUR_KEY_PAIR_ID": "eyJoZWFkZXIiOiJ7...",
# "CloudFront-Signature-YOUR_KEY_PAIR_ID": "abcdef12345...",
# "CloudFront-Key-Pair-Id-YOUR_KEY_PAIR_ID": "YOUR_KEY_PAIR_ID"
# }
# --- End Hypothetical Script Snippet ---
# When a user requests these files, their browser will send these cookies.
# CloudFront will then validate the cookies and grant access to the specified files.
The core problem CloudFront Signed Cookies solve is controlled, time-bound access to content stored in S3 that you serve through CloudFront. Instead of making your S3 objects public or managing user authentication on your own servers to control access, you offload that authorization to CloudFront itself. It acts as a gatekeeper, verifying that the request comes from a user who has been granted a temporary pass.
Internally, CloudFront uses a public-key cryptography mechanism. You create a key pair (a private key you keep secret and a public key you give to CloudFront). When you want to grant access, you construct a "policy" that specifies which files can be accessed and for how long. This policy is then signed with your private key. The resulting signature, along with the policy itself and your public key’s identifier, are sent to the user’s browser as HTTP cookies. When the user makes a request to CloudFront for a protected resource, CloudFront examines these cookies. It uses your public key to verify the signature against the policy. If everything matches and the expiration time hasn’t passed, access is granted.
The key levers you control are the expiration time of the access and the specific files or paths that are accessible. You can be very granular. For instance, you can allow access to a single image for only 5 minutes, or to a whole directory of videos for 24 hours. The expires parameter in the policy is a strict UTC timestamp. The resource field within the policy can be a single URL or a list of URLs, and you can use wildcards for path matching (e.g., /private/*). The ip_address field can also be used to restrict access to specific IP addresses.
What most people don’t realize is that the cookie names themselves are dynamic. They are not just CloudFront-Policy but CloudFront-Policy-YOUR_KEY_PAIR_ID. This is crucial because if you have multiple key pairs associated with your distribution (which is less common but possible), CloudFront needs to know which key pair’s public key to use for verification based on the cookie it receives. This prevents cookie collisions and ensures the correct validation process.
The next concept you’ll likely explore is CloudFront Signed URLs, which achieve a similar goal but use URL parameters instead of cookies.