Harsh Viradia
Posted on February 3, 2024
What is the meaning of Presigned URL?
A presigned URL in AWS is a dynamic solution designed for secure, time-limited access to specific resources within cloud environments. By generating a URL with temporary credentials, typically for objects stored in Amazon S3, it allows users or applications to perform specific actions like downloading or uploading files for a limited time. This method eliminates the need for sharing long-term access keys, reducing potential security risks. Pre-signed URLs find widespread application in scenarios where controlled access to sensitive data is essential, such as secure file sharing, temporary data retrieval, or granting short-term permissions to specific AWS resources. They serve as a flexible and secure mechanism, enhancing access management in cloud-based applications.
Here are the steps to create a CloudFront distribution with an S3 bucket for pre-signed URLs.
Step 1: Create a Bucket
Host a private S3 bucket with ACL enabled.
Step 2: Create a CloudFront Distribution
Open the CloudFront console, create a distribution and, as the origin, select the S3 bucket which we have created.
Now in the origin access section, select "Origin access control settings (recommended)", click create new OAC and click on create.
Go to the cache behavior and, in the viewer protocol policy, select HTTP and HTTPS; in the Allowed HTTP methods, select "GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE". "Restrict viewer access" must be set to Yes.
Step 3: Generate KeyID and Private key for CDN.
In the last step we set "Restrict viewer access" to Yes, which means no one can access our bucket objects without the Key ID and private key that we are going to generate in this step.
So first, open an Ubuntu machine and generate a private key and a public key for our CDN. To do that, run the two commands below on Ubuntu or any other Linux machine.
openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem
After running these commands, two files have been generated: public_key.pem and private_key.pem.
Copy the content of the public_key.pem file, go back to your AWS console and open the CloudFront console in a new tab. In the left panel you can find the public key option.
Now create a public key: paste the content into the key area and give the key a name.
Below the public keys, there is a key groups option in the left panel.
Create a key group with that public key.
Now go back to our CloudFront distribution tab where we left off in the last step and click on the refresh button beside the key groups.
Now select the key group which we have created.
In the "Cache key and origin requests" section, select the "Cache policy and origin request policy" and select CachingOptimized.
Now in the "Response headers policy", create a response headers policy.
Now configure CORS. CORS depends on the project and its requirements, so configure it as required. Here I am providing one CORS configuration that I have used.
Note: Never allow any HTTP header in CORS if you are using the pre-signed URL concept in a production environment; in a dev or staging environment you can allow this.
Now navigate to the settings, provide the domain name for the S3 bucket, select the SSL certificate for it and then click on Create distribution.
We have created public_key.pem and private_key.pem. We have passed the public key to our CloudFront distribution, but we have to pass the private key in our code, together with the Key ID which we have copied earlier.
Note: For a Node application, I am providing one reference example of how to generate a pre-signed URL.
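// Assumption: `cfsign` is the aws-cloudfront-sign npm package
const cfsign = require('aws-cloudfront-sign');

exports.getSignedURLS3 = async (req, res) => {
  // Key ID and private key (PEM) are read from the environment,
  // so they stay out of the source code
  const signingParams = {
    keypairId: process.env.AWSKEYPAIR,
    privateKeyString: process.env.AWSPRIVATEKEY,
    // Expiry timestamp in milliseconds: 1,000,000 ms (about 16.7 minutes) from now
    expireTime: Date.now() + 1000000
  };

  // Generating a signed URL
  const signedUrl = cfsign.getSignedUrl(
    'S3-Object-URL',
    signingParams
  );
  res.send(signedUrl);
};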
Here AWSKEYPAIR is the Key ID which we have copied, AWSPRIVATEKEY is the private key which we generated in Step 3, and S3-Object-URL is where we pass the URL of our object.
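To show what such a signing helper produces and why the private key must stay on the server, here is an added example (not the author's code and not the library's) that builds a CloudFront canned-policy signed URL with Node's built-in crypto module and checks it with the public key. The function names, the cdn.example.com domain, the key ID and the `verifyUrl` stand-in for CloudFront's edge check are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
const toCfBase64 = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');
const fromCfBase64 = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '=').replace(/~/g, '/'), 'base64');

// Canned policy: compact JSON (no whitespace), expiry in epoch SECONDS.
const cannedPolicy = (resourceUrl, expiresEpochSec) => JSON.stringify({
  Statement: [{ Resource: resourceUrl,
    Condition: { DateLessThan: { 'AWS:EpochTime': expiresEpochSec } } }],
});

// Sign the policy with RSA-SHA1 and append the three query parameters.
function signUrl(resourceUrl, keyPairId, privateKeyPem, expiresEpochSec) {
  const signature = crypto.createSign('RSA-SHA1')
    .update(cannedPolicy(resourceUrl, expiresEpochSec)).sign(privateKeyPem);
  const sep = resourceUrl.includes('?') ? '&' : '?';
  return `${resourceUrl}${sep}Expires=${expiresEpochSec}` +
    `&Signature=${toCfBase64(signature)}&Key-Pair-Id=${keyPairId}`;
}

// Hypothetical local stand-in for the edge check: rebuild the policy from
// the URL and Expires value, then verify it against the public key.
function verifyUrl(signedUrl, publicKeyPem, nowEpochSec) {
  const cut = signedUrl.search(/[?&]Expires=/);
  if (cut < 0) return false;
  const params = new URL(signedUrl).searchParams;
  const expires = Number(params.get('Expires'));
  const signature = params.get('Signature');
  if (!signature || !(nowEpochSec < expires)) return false; // missing or expired
  return crypto.createVerify('RSA-SHA1')
    .update(cannedPolicy(signedUrl.slice(0, cut), expires))
    .verify(publicKeyPem, fromCfBase64(signature));
}

// Constructed sample input: throwaway key pair, placeholder domain and key ID.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
});
const NOW = 1706918400; // constructed "current time": 2024-02-03T00:00:00Z
const signed = signUrl('https://cdn.example.com/reports/q1.pdf',
  'K_EXAMPLE_KEY_ID', privateKey, NOW + 1000);
console.log(signed);
console.log('accepted before expiry:', verifyUrl(signed, publicKey, NOW));
```

Because the expiry time and the object URL are both inside the signed policy, changing either one in the query string invalidates the signature.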
Thank you for your support!
Contact: https://www.linkedin.com/in/harsh-viradia/