Skip to content

aws-samples/amazon-cloudfront-keygroup-signed-url-sample

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits

assets

assets

 
 

bin

bin

 
 

images

images

 
 

lambda

lambda

 
 

lib

lib

 
 

test

test

 
 

.gitignore

.gitignore

 
 

.npmignore

.npmignore

 
 

CODE_OF_CONDUCT.md

CODE_OF_CONDUCT.md

 
 

CONTRIBUTING.md

CONTRIBUTING.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

cdk.json

cdk.json

 
 

jest.config.js

jest.config.js

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

tsconfig.json

tsconfig.json

 
 

Repository files navigation

Amazon CloudFront Key Group Signed URL Sample

This sample demonstrates how to create Amazon CloudFront signed urls using CloudFront Key Groups and CloudFront Public Keys.

Architecture

Architecture

  1. The admin user will invoke the rotate keys AWS Lambda when required.
  2. The rotate keys AWS Lambda will use the current symmetric key from AWS Key Management Service to call GenerateDataKeyPair which will be converted to PEM format
  3. The generated private key PEM is stored in AWS Secrets Manager to be used later when signing URLs
  4. The generated public key PEM is stored as a CloudFront Public key. The CloudFront Key Group is also updated with the new Public key.
  5. The admin user will invoke the sign url AWS Lambda to generate a CloudFront signed url for each file required by the end user.
  6. The sign url AWS Lambda will request the current private key PEM file from AWS Secrets Manager
  7. The sign url AWS Lambda will get the current public key from the associated Amazon CloudFront distributions key group and sign the url
  8. The admin user will send the signed url to the user
  9. The user will access the signed url through Amazon CloudFront
  10. Amazon CloudFront validates the signed url and access the Amazon S3 bucket returning the results to the user

Requirements

  1. AWS Cloud Development Kit (CDK) 2.53.0 or higher
  2. AWS CLI for testing commands

Setup

  1. Git clone this repository
  2. From the root folder for this project run npm ci to install all packages required
  3. From the root folder for this project run cdk deploy to deploy

Running

  1. Once deployed the CloudFormation stack will create two outputs RotateKeysLambdaInvokeCommand and SignUrlLambdaInvokeCommand. These outputs are the cli commands to rotate the keys and to sign a url.
  2. The CloudFormation deployment will perform the initial key rotation by invoking RotateKeysLambdaInvokeCommand.
  3. To test the creation of a signed url please copy the SignUrlLambdaInvokeCommand cli command into your console and run. This command will produce an output with a signed url. Copy the signed url into your browser of choice to view the 'Hello World' example page via a signed url.
  4. The second output RotateKeysLambdaInvokeCommand can run via your console to invoke the key rotation lambda.

Useful commands

  • npm run build compile typescript to js
  • npm run watch watch for changes and compile
  • npm run test perform the jest unit tests
  • cdk deploy deploy this stack to your default AWS account/region
  • cdk diff compare deployed stack with current state
  • cdk synth emits the synthesized CloudFormation template

Resource Cleanup

  1. From the root folder for this project run cdk destroy

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

About

Sample for Amazon CloudFront signed urls using Key Groups and Public Keys

Topics

aws keypair signed signed-url cloudfront

Resources

Readme

License

MIT-0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

3 stars

Watchers

4 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages