By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

CloudFront - Blocking Access from Other Sites

0

Hello,

I'm looking for a way to configure my CloudFront in AWS to restrict access to files hosted on it. I need only two specific sites to have permission to use these files. How can I configure CloudFront to block access from all other sites and allow only these two?

I need to do this without using AWS WAF, and also without using cookies or signed files.

I want to use the CORS feature, or something similar.

Thank you for your help!

Topics
Networking & Content Delivery
Tags
Amazon CloudFront
Language
English
edusachs
asked 4 months ago167 views
1 Answer
0

Hi,

CloudFront has supported CORS headers since 2021. You can use it to block access.

profile picture
EXPERT
Dmytro Sirant
answered 4 months ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed 4 months ago
  • edusachs
    4 months ago

    Hi Dmytro, I hope everything is going well with you.

    So far, I'm still having difficulties implementing the CORS rule. I'll detail what I've done so far in a test environment. Is there something I might be forgetting or doing incorrectly?

    To test Cross-Origin Resource Sharing (CORS), I implemented the following steps in a test environment:

    1 - I set up a new storage in Amazon S3, using the default creation settings.

    2 - I established a new distribution on Amazon CloudFront.

    3 - I restricted access to the S3 storage, allowing access only through CloudFront.

    4 - In the CloudFront distribution, I accessed the "Behaviors" section and edited the default configuration "Default (*)".

    5 - I created a new "Response headers policy".

    6 - This new policy was configured with the following specifications: 6.1 - Name: AllowedList-CORS 6.2 - I accessed the "Cross-origin resource sharing (CORS)" section. 6.3 - I activated the "Configure CORS" option. 6.4 - I customized the "Access-Control-Allow-Origin" option to "https://domain-south.com" 6.5 - I customized the "Access-Control-Allow-Methods" option for GET, POST, and OPTIONS. 6.6 - I checked the "Origin override" option.

    7 - Set up the policy named AllowedList-CORS in the "Response headers policy" section.

    8 - To evaluate the loading of an MP3 file, I created an 'index.html' file that contains the following code. This file was hosted on 'https://domain-east.com/index.html'. The MP3 file loaded successfully. Continue below.

  • edusachs
    4 months ago

    Note that I'm using fictional domains for illustration: I used 'https://domain-south.com' in the CORS configuration and 'https://domain-east.com/' for loading the MP3 file.

    <!DOCTYPE html> <html> <head> </head> <body> <audio controls> <source src="https://ID_HIDDED.cloudfront.net/sound.mp3" type="audio/mpeg"> </audio> </body> </html>

    ===

    Could you assist me in configuring CORS?

    Wishing you a Merry Christmas! Sincerely, Eduardo Sachs

  • Dmytro Sirant EXPERT
    4 months ago

    Try add crossorigin="anonymous" in your webpage, e.g. <audio crossorigin="anonymous" controls>, everything else looks good

  • edusachs
    4 months ago

    In fact, I have to do this on the CloudFront side, so that intruders can't use the files I have on CloudFront. You know?

  • Dmytro Sirant EXPERT
    4 months ago

    It looks like you don't understand what is CORS and what kind of protection it provides. I gave you answer based on the initial request of how use CORS feature. But if you looking to protect your files behind CloudFront the proper solutions is https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content