How to Setup CloudFront with S3 bucket for Presigned URLs

viradiaharsh

Harsh Viradia

Posted on February 3, 2024

What is the meaning of Presigned URL?

A presigned URL in AWS gives secure, time-limited access to a specific resource in a cloud environment. The URL is generated with temporary credentials, typically for an object stored in Amazon S3, and lets a user or application perform a specific action, such as downloading or uploading a file, until the URL expires. This removes the need to hand out long-term access keys and so reduces the risk if a link leaks. Presigned URLs are widely used wherever controlled access to sensitive data is needed: secure file sharing, temporary data retrieval, or granting short-term permission to a specific AWS resource. They are a flexible and secure mechanism that improves access management in cloud-based applications.

Here are the steps to set up CloudFront with an S3 bucket for presigned URLs.

Step 1: Create a Bucket

Create a private S3 bucket with ACLs enabled.

Step 2: Create a CloudFront Distribution

Open the CloudFront console, create a distribution, and under Origin select the S3 bucket created in Step 1.

In the Origin access section, choose "Origin access control settings (recommended)", click Create new OAC, and then click Create.

Go to Cache behavior, set Viewer protocol policy to HTTP and HTTPS, and set Allowed HTTP methods to "GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE". Restrict viewer access must be set to Yes. See the attached screenshot.

Step 3: Generate a Key ID and private key for the CDN

In the last step we set Restrict viewer access to Yes, which means nobody can access our bucket objects without the Key ID and private key we are going to generate in this step.

First, open an Ubuntu (or any other Linux) machine and generate a private key and a public key for our CDN by running the two commands below.

```shell
openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem
```

After running these commands, two files are generated: public_key.pem and private_key.pem.

Copy the contents of public_key.pem, go back to your AWS console, and open the CloudFront console in a new tab. In the left panel you will find a Public keys option.

Create a public key, paste the contents of public_key.pem into the key field, and give the key a name.

Below Public keys in the left panel there is a Key groups option.

Create a key group containing that public key.

Now go back to the CloudFront distribution tab we left in the last step and click the refresh button beside Key groups.

Select the key group we just created.

In the "Cache key and origin requests" section, choose "Cache policy and origin request policy" and select CachingOptimized.

Under "Response headers policy", create a response headers policy.

Now configure CORS. CORS depends on the project and its requirements, so configure it as needed. Here I am providing one CORS configuration I have used.

Note: never allow arbitrary HTTP headers in CORS if you are using presigned URLs in a production environment; in a dev or staging environment you can allow this.

Now go to Settings, provide the domain name for the S3 bucket, select the SSL certificate for it, and click Create distribution.

We created public_key.pem and private_key.pem and uploaded the public key to our CloudFront distribution; the private key has to go into our application code, together with the Key ID that CloudFront shows for that public key.

Note: for a Node application, here is a reference snippet showing how to generate a signed URL.

```javascript
// Uses the aws-cloudfront-sign package: npm install aws-cloudfront-sign
const cfsign = require('aws-cloudfront-sign');

exports.getSignedURLS3 = async (req, res) => {
  const signingParams = {
    keypairId: process.env.AWSKEYPAIR,           // Key ID of the public key in CloudFront
    privateKeyString: process.env.AWSPRIVATEKEY, // contents of private_key.pem
    expireTime: Date.now() + 1000000             // expiry as epoch milliseconds
  };
  // Generating a signed URL for the object as served through the distribution
  const signedUrl = cfsign.getSignedUrl(
    'S3-Object-URL',
    signingParams
  );
  res.send(signedUrl);
};
```

Here AWSKEYPAIR is the Key ID we noted earlier, AWSPRIVATEKEY is the private key we generated with openssl above, and S3-Object-URL is the URL of the object we are serving.

Thank you for your support!
Contact: https://www.linkedin.com/in/harsh-viradia/
