Securing Your Content with Amazon CloudFront Signed URLs

What Is Amazon CloudFront?

Amazon CloudFront is a content delivery web service. It integrates with other Amazon Web Services products to give developers and businesses an easy way to distribute content to end users with low latency, high data transfer speeds, and no minimum usage commitments. Amazon CloudFront is not a storage solution but a security overlay for Amazon S3 CDN.

What Is Amazon S3?

Amazon Simple Storage Service (Amazon S3) provides developers and IT teams with secure, durable, highly-scalable object storage. Amazon S3 is easy to use, with a simple web service interface to store and retrieve any amount of data from anywhere on the web.

What Are CloudFront Distributions?

A distribution is the delivery method CloudFront uses to distribute your content to the end user. There are 2 types of distributions available: Web Distributions and RTMP Distributions. So, what’s the difference?

Web Distributions are used for distributing static content like images, PDF files, and Excel and Word documents. These files can be distributed via HTTP or HTTPS.

RTMP distributions are used for streaming media files using Adobe Flash Media Server. An RTMP distribution allows an end user to begin playing a media file before the file has finished downloading from a CloudFront edge location.

So How Does It Work?

CloudFront URLs work by providing a layer between the end user and your Amazon S3 content URLs. Using Signed URLs essentially puts an expiration time on the content, so users cannot just copy your Amazon S3 URL for use in their own website.

Securing your data using Signed URLs actually involves quite a bit of programming work to pull off, but we won’t get into that here. There are a few steps you need to complete, which we will go over briefly.

Step 1: Adding your content

Adding your content is as simple as it gets. Simply log into your AWS account, go to your S3 server and upload your content as normal.

Step 2: Creating your distribution

To create your distribution, log into your AWS account, go to the CloudFront portal and click the “Distributions” link on the left-hand rail. Set up your distribution as you need, taking into account the type of content that you will be serving to your audience. Creating a distribution is as simple as filling out the form they provide. One important thing to note is that the radio button for Restrict Viewer Access (Use Signed URLs or Signed Cookies) MUST be checked as “YES”.

Step 3: Origin Access Identity

In order for your CloudFront account to work correctly, you need to set up an Origin Access Identity, which will provide you with a set of “Access Keys” used on the programming side of things in order to correctly sign your URLs.

Step 4: Programming

Now that your Amazon S3 bucket and your CloudFront distribution are set up, you have the hard job of actually creating your Signed URL in your code. Without this Signed URL, CloudFront will not distribute the content to your end users. It is important that you do not expose your Amazon S3 content URL when securing your content; you should only be using your CloudFront Signed URL. For more information about how to achieve this from a code perspective, follow the developer documentation on the Amazon AWS Documentation site.

What Are Some Benefits?

Content Load Speed

When content is requested from your CloudFront account, Amazon will look up the user’s location and deliver your content from the data center nearest to the user. Amazon employs a worldwide network of datacenters for distributing your content. So a user in Florida will receive your content from a datacenter located in Florida.


Amazon CloudFront gives you the ability to lock down your content based on, not only an expiration time, but also based on a user’s IP Address. You can programmatically change the security features for each piece of content delivered based on the content policy specified when you create your Signed URL.
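
The content policy mentioned above and in Step 4, as an added example that is not from the original article or from AWS: it builds a custom policy with an expiration time and a client IP range, encodes it the way the Policy query parameter carries it, and audits a signed URL for weak settings. The domain, path, Signature and Key-Pair-Id values are constructed placeholders, the function names are hypothetical, and computing the Signature (which needs the signer's private key) is left out.

```python
import base64, ipaddress, json
from urllib.parse import parse_qs, urlsplit

# CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'
_TO_CF = str.maketrans("+=/", "-_~")
_FROM_CF = str.maketrans("-_~", "+=/")

def build_policy(resource, expires_epoch, source_cidr=None):
    """Compact JSON custom policy: expiry plus optional client IP range."""
    condition = {"DateLessThan": {"AWS:EpochTime": int(expires_epoch)}}
    if source_cidr:
        ipaddress.ip_network(source_cidr, strict=False)  # ValueError if malformed
        condition["IpAddress"] = {"AWS:SourceIp": source_cidr}
    statement = {"Resource": resource, "Condition": condition}
    return json.dumps({"Statement": [statement]}, separators=(",", ":"))

def cf_b64encode(data):
    return base64.b64encode(data).decode().translate(_TO_CF)

def cf_b64decode(text):
    return base64.b64decode(text.translate(_FROM_CF))

def audit_signed_url(url, now_epoch, max_lifetime=3600):
    """Decode a signed URL's Policy parameter and list weak settings."""
    params = parse_qs(urlsplit(url).query)
    if "Policy" not in params:
        return ["canned policy: expiry only, no IP restriction possible"]
    statement = json.loads(cf_b64decode(params["Policy"][0]))["Statement"][0]
    condition = statement.get("Condition", {})
    findings = []
    expires = condition.get("DateLessThan", {}).get("AWS:EpochTime")
    if expires is None:
        findings.append("missing DateLessThan")
    elif expires - now_epoch > max_lifetime:
        findings.append(f"lifetime {expires - now_epoch}s exceeds {max_lifetime}s")
    cidr = condition.get("IpAddress", {}).get("AWS:SourceIp")
    if cidr is None:
        findings.append("no IpAddress restriction")
    elif ipaddress.ip_network(cidr, strict=False).num_addresses > 256:
        findings.append(f"IpAddress range {cidr} is wider than /24")
    if statement.get("Resource", "").endswith("*"):
        findings.append("wildcard Resource")
    return findings

if __name__ == "__main__":
    # Constructed sample: placeholder domain, signature and key pair ID.
    res = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
    pol = cf_b64encode(build_policy(res, 1700000600, "192.0.2.10/32").encode())
    print(audit_signed_url(f"{res}?Policy={pol}&Signature=X&Key-Pair-Id=Y", 1700000000))
```

The one-hour lifetime and /24 width thresholds are assumptions chosen for the example; tune them to how long and from where each piece of content should be reachable.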


Amazon CloudFront has added access logs which show you details about every request delivered through Amazon CloudFront. They include a pretty complete group of stats including the object requested, the date and time of the request, the edge location serving the request, the client IP address, the referrer and the user agent. Amazon even offers a tool that you can use to analyze your logs.
