How to restrict viewer access to your CloudFront distribution?

To get the public key content, you first need to generate a key pair (a private key and its corresponding public key). Here's how you can do it using OpenSSL, a widely used tool for this purpose:

  1. Install OpenSSL:

    • If you're on macOS, you likely already have OpenSSL installed. You can check by typing openssl version in the terminal.
    • On Linux, you can install it using your package manager, e.g., sudo apt-get install openssl for Debian/Ubuntu or sudo yum install openssl for CentOS.
    • On Windows, you can download a precompiled binary from the OpenSSL website.
  2. Generate a Private Key: Open a terminal or command prompt and run the following command:

    openssl genrsa -out private_key.pem 2048

    This will generate a 2048-bit RSA private key and save it to a file named private_key.pem.

  3. Generate the Corresponding Public Key: Run the following command:

    openssl rsa -pubout -in private_key.pem -out public_key.pem

    This will generate the public key and save it to a file named public_key.pem.

  4. Get the Public Key Content: You can display the content of the public key file using the cat command (or type on Windows):

    cat public_key.pem

    This will display the content of the public key, which will look something like this:

    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...
    ... (more characters here) ...
    ...QIDAQAB
    -----END PUBLIC KEY-----

    Copy everything, including the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines. This is the content you'll use when adding the public key to CloudFront.

Remember to securely store the private key (private_key.pem). You'll need it to sign URLs or cookies. Never expose or share the private key. Only the public key is safe to share or upload to services like CloudFront.

Great! Now that you have a key group with the public key added, you can use it to restrict viewer access to your CloudFront distribution. Here's how to proceed:

  1. Associate the Key Group with Your CloudFront Distribution:

    • Go to the CloudFront dashboard in the AWS Management Console.
    • Click on the ID of the distribution you want to modify.
    • Go to the "Behaviors" tab.
    • Select the default behavior (or the behavior you want to modify) and click the "Edit" button.
    • Scroll down to find the "Restrict Viewer Access (Use Signed URLs or Signed Cookies)" option.
    • Set it to "Yes".
    • For "Trusted Key Groups", select the key group you just created.
    • Click "Yes, Edit" or "Save" at the bottom to apply the changes.
  2. Sign Your URLs or Cookies: To serve content to your users, you'll need to generate signed URLs or signed cookies using the private key that corresponds to the public key you added to the key group. This ensures that only users with the signed URLs or cookies can access the content.

    • If you're using the AWS SDK, there are built-in methods to generate signed URLs.
    • If you're not using the AWS SDK, you can use OpenSSL and custom code to sign URLs.
  3. Test Access:

    • Try accessing a resource in your CloudFront distribution without a signed URL. You should get an access denied error.
    • Access the same resource using a signed URL. You should be able to view the content.
  4. Update S3 Bucket Policy (Optional but Recommended): It's a good practice to restrict direct access to the S3 bucket and only allow access via CloudFront. Update your S3 bucket policy to deny all requests except those coming from CloudFront; otherwise anyone who knows the object's S3 URL can fetch it directly and bypass the signed-URL check entirely.

Remember, the private key is sensitive. Always keep it secure and never expose it. Use it only on a secure server environment to generate signed URLs or cookies.

By following these steps, you've set up restricted access to your CloudFront distribution. Only users with the appropriate signed URLs or cookies will be able to access the content.