AWS Cloudfront Signed URL still valid after expiry time

1

To generate an AWS CloudFront signed URL, I have enabled Restrict Viewer Access --> Yes --> Trusted signer while creating the distribution.

from datetime import datetime, timezone

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
from botocore.signers import CloudFrontSigner
import base64

# Base64-encoded PEM private key of the CloudFront trusted signer (redacted).
CLOUDFRONT_KEY_BASE64 = "*******"

def rsa_signer(message):
    # Undo the base64 wrapping to get the PEM bytes back.
    private_key_pem = base64.b64decode(CLOUDFRONT_KEY_BASE64)

    private_key = serialization.load_pem_private_key(
        private_key_pem,
        password=None,
        backend=default_backend()
    )

    # CloudFront signed URLs are RSA PKCS#1 v1.5 signatures over SHA-1.
    return private_key.sign(message, padding.PKCS1v15(), hashes.SHA1())

key_id = '*******'   # Key-Pair-Id of the trusted signer (redacted)
url = 'https://*****.cloudfront.net/hello.pdf'
# botocore treats a naive datetime as UTC, so make that explicit:
# this expiry is 11:33 UTC, not 11:33 local time.
expire_date = datetime(2022, 4, 24, 11, 33, tzinfo=timezone.utc)
cloudfront_signer = CloudFrontSigner(key_id, rsa_signer)
signed_url = cloudfront_signer.generate_presigned_url(url, date_less_than=expire_date)
print(signed_url)

The signed URL is generated:

https://****.cloudfront.net/hello.pdf?Expires=1650799980&Signature=******&Key-Pair-Id=*****

This URL works even after the expiry time 2022-04-24 11:33:00. But when I generate a URL with an old date (2022-04-23), the URL does not work. I checked with today's date, 2022-04-24, but an older time, 2022-04-24 07:33:00; the URL works even after expiry.

How do I invalidate the signed URL after the expiry time?

asked 2 years ago, 1247 views
3 Answers
0

You've probably got this under control, but just in case: note that the expiry time is in GMT, so are you definitely checking after your local time is past 2022-04-24 11:33:00 GMT?

EXPERT
answered 2 years ago
  • I am checking after 2022-04-24 11:33:00 GMT has passed. With this, the signed URL opens in the Android Chrome browser but does not open in Windows Chrome (after clearing all data).

0

I had the same issue: a CloudFront signed URL for private objects in S3 is still valid after the expiry date/time.

Example URL:

https://my-cdn.com/object-id.jpg?Expires=1666654240446&Key-Pair-Id=XXX&Signature=XXX
Ghani
answered a year ago
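As an added example (not code from the question or from either answer), the check below makes the expert's GMT point concrete for the Expires value in the question, and also refuses an Expires value too large to be a seconds epoch, such as the 13-digit one in the URL above. It mirrors botocore's handling of naive datetimes; the IST offset, the hostname and the placeholder signature and key id are assumptions used for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Any Expires above this (year 5138 if read as seconds) is almost certainly a
# millisecond epoch or a typo, so treat it as a mistake, not a far-future expiry.
MAX_PLAUSIBLE_EXPIRES = 10 ** 11


def expires_param_for(date_less_than: datetime) -> int:
    """Expires value a canned policy gets for date_less_than.

    Mirrors botocore's CloudFrontSigner: a naive datetime is taken as UTC,
    so datetime(2022, 4, 24, 11, 33) means 11:33 UTC, not 11:33 local time.
    """
    if date_less_than.tzinfo is None:
        date_less_than = date_less_than.replace(tzinfo=timezone.utc)
    return int(date_less_than.timestamp())


def signed_url_expiry(url: str) -> datetime:
    """Return the Expires parameter of a canned-policy signed URL as aware UTC."""
    params = parse_qs(urlparse(url).query)
    if "Expires" not in params:
        raise ValueError("no Expires parameter (custom-policy URLs carry Policy= instead)")
    raw = params["Expires"][0]
    if not raw.isdigit():
        raise ValueError(f"Expires is not an integer: {raw!r}")
    seconds = int(raw)
    if seconds > MAX_PLAUSIBLE_EXPIRES:
        raise ValueError(f"Expires={seconds} is not a seconds epoch (milliseconds?)")
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def is_expired(url: str, now: datetime) -> bool:
    """True once `now` is at or past Expires; `now` must be timezone-aware."""
    if now.tzinfo is None:
        raise ValueError("pass an aware datetime so the comparison is unambiguous")
    return now >= signed_url_expiry(url)


# Constructed sample: the Expires value from the question, placeholder signature and key id.
SAMPLE_URL = ("https://example.cloudfront.net/hello.pdf"
              "?Expires=1650799980&Signature=PLACEHOLDER&Key-Pair-Id=PLACEHOLDER")
IST = timezone(timedelta(hours=5, minutes=30))  # assumed local zone for illustration

if __name__ == "__main__":
    expiry = signed_url_expiry(SAMPLE_URL)
    print("expires at", expiry.isoformat(), "=", expiry.astimezone(IST).isoformat())
    # 11:33 local (IST) is only 06:03 UTC, so the URL is still valid at that moment
    print("expired at 11:33 IST?", is_expired(SAMPLE_URL, datetime(2022, 4, 24, 11, 33, tzinfo=IST)))
    print("expired at 11:33 UTC?", is_expired(SAMPLE_URL, datetime(2022, 4, 24, 11, 33, tzinfo=timezone.utc)))
```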
0

Hi Techxonia!

Thank you for reaching out to us with your concern. When you create a presigned URL, you can specify an expiration time, after which the signed URL you created will not work. In your case, however, it seems that even after this set expiration time the link is still valid.

The reason this is happening is that the expiration time for the pre-signed URL is checked by S3, and if the browser / proxy you are using has the file cached (CloudFront in this case), then the request doesn't go to S3; it goes to the cache first. If the entry exists in the cache, that is why you are able to see it after the expiry date. The same user can access the URL after the expiry date, until the cache expires.

Additional solutions, if the above explanation is not sufficient and you would like to delete it:

  1. Delete the file so that it doesn't exist anymore.

  2. You can create a presigned URL for temporary S3 objects, so that once the expiry time hits, the S3 temporary object is automatically deleted, and therefore it is not accessible after the expiry date.

  3. You can change the file's permissions to remove access for the users who shouldn't have access. You can use the AWS CLI or the SDK to do so.

Example: aws s3api put-object-acl --bucket my-bucket --key my-file.txt --acl private --grant-read "emailaddress=user@example.com"

This command sets the file's ACL to private, meaning that only the owner has access to it, and it also removes read access to the file for the person at the email address.

Conclusion: All in all, the issue likely lies in the fact that the data is being stored in the cache, and when using the presigned URL you are getting the info from the cache rather than from where the information lies; this is why you are seeing it work even after the expiry has passed. To triple-check whether this is the case, you can open an incognito (private) browser window and open the link there.

AWS
Varun_S
answered 7 months ago
