Restricting access to CloudFront origin using session tag applied by Cognito Identity Pool


My app authenticates users through Cognito User Pools, and authorizes S3 requests through a Cognito Identity Pool and attributes for access control to ensure users can only access their own files. The policy attached to authenticated users looks like this:

# Trust policy: lets authenticated identities from the identity pool assume the role.
data "aws_iam_policy_document" "authenticated" {
  statement {
    effect = "Allow"

    principals {
      type        = "Federated"
      identifiers = ["cognito-identity.amazonaws.com"]
    }

    # sts:TagSession is what allows the identity pool to attach principal tags
    # (such as tenant_id) to the temporary session.
    actions = ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"]

    condition {
      test     = "StringEquals"
      variable = "cognito-identity.amazonaws.com:aud"
      # Identity pool ID; the resource name "main" is assumed here.
      values   = [aws_cognito_identity_pool.main.id]
    }

    condition {
      test     = "ForAnyValue:StringLike"
      variable = "cognito-identity.amazonaws.com:amr"
      values   = ["authenticated"]
    }
  }
}

resource "aws_iam_role" "authenticated" {
  name               = "cognito_authenticated"
  assume_role_policy = data.aws_iam_policy_document.authenticated.json
}

# Permissions policy: scopes object access to the caller's tenant_id principal tag.
data "aws_iam_policy_document" "authenticated_role_policy" {
  statement {
    effect = "Allow"

    # The actions and resources were cut off on the page; the values below are
    # placeholders showing the principal-tag (ABAC) pattern the post describes.
    actions = [
      "s3:GetObject",
      "s3:PutObject",
    ]

    resources = [
      "arn:aws:s3:::EXAMPLE-BUCKET/$${aws:PrincipalTag/tenant_id}/*",
    ]
  }
}

This works, and now I'd like to put CloudFront in front of my bucket, but I'm unsure what my best option is. I Googled a bit, and it seems I can either use signed cookies/URLs or use a CloudFront authorization@edge Lambda.

Is there an option where I'm able to keep using my principal tags (tenant_id) that are applied to my users' temporary session? Either in an inline policy of a signed cookie/URL or by attaching it to an Origin Access Control?

Useful links:
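Added example, not part of the original post: a small simulator of how the `${aws:PrincipalTag/tenant_id}` variable in the role's resource ARN scopes S3 keys to the tag carried by the caller's session, including the case where the session carries no such tag (no statement matches, so the default deny applies). The bucket name, tag values and object keys are constructed placeholders.

```python
import fnmatch
import glob
import re

# Constructed stand-in for the authenticated role's Allow statement.
# EXAMPLE-BUCKET is a placeholder, not a real bucket.
ROLE_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": ["arn:aws:s3:::EXAMPLE-BUCKET/${aws:PrincipalTag/tenant_id}/*"],
        }
    ]
}

PRINCIPAL_TAG_VAR = re.compile(r"\$\{aws:PrincipalTag/([^}]+)\}")


def expand_resource(pattern, session_tags):
    """Replace ${aws:PrincipalTag/<key>} with the session's tag value.

    Returns None when a referenced tag is absent from the session, so the
    caller treats the statement as not matching instead of matching anything.
    Tag values are inserted literally (wildcard characters escaped).
    """
    missing = False

    def substitute(match):
        nonlocal missing
        value = session_tags.get(match.group(1))
        if value is None:
            missing = True
            return ""
        return glob.escape(value)

    expanded = PRINCIPAL_TAG_VAR.sub(substitute, pattern)
    return None if missing else expanded


def is_allowed(action, resource_arn, session_tags, policy=ROLE_POLICY):
    """Default-deny: True only if some Allow statement matches action and resource."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
            continue
        for pattern in stmt["Resource"]:
            expanded = expand_resource(pattern, session_tags)
            if expanded is not None and fnmatch.fnmatchcase(resource_arn, expanded):
                return True
    return False
```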

No answers
