Cannot restrict access only for writing operations on CloudFront distribution.

0

An issue that I have is requesting a trusted key group for writing publicly readable files. If I expect a signed request, both reading and writing will pop a "missing key" error, and if I don't, they can be publicly read and written without credentials. I can't seem to be able to only expect a key for writing, while keeping reading public.

All I can do is choose a keygroup...


Thanks in advance :)

  • I'm starting to get desperate here. I've tried a lot of different approaches, and none of them worked. It's a simple use case of publishing content, how come I'm struggling so much with it? I just want my users to publish their images on my website. It's a super simple use case. And yet AWS CloudFront, in all of its complexity, doesn't seem to provide the necessary framework to handle it. How come?

Mickael
asked 9 months ago, 213 views
2 Answers
0
Accepted Answer

In the end I just gave up and relied on authenticating on the back-end side with a user with full access to S3. This is apparently the only way to achieve this, even though it's far from ideal.

I honestly don't understand how such a simple use case is not covered by either CloudFront or S3's features...

Mickael
answered 9 months ago
0

CloudFront signed URLs and cookies might not be what you are looking for. CloudFront signed URLs and cookies use a canned policy or a custom policy to place restrictions on the signed requests. However, the restriction is not applied to the requesting HTTP method. See: Values that you specify in the policy statement for a signed URL that uses a custom policy

What you want is to authenticate and authorize someone to do something, while CloudFront signed URLs and cookies do not provide that mechanism.

Anyone who has a CloudFront signed URL or cookies will be able to access the requested object, even if there is an IP restriction in the custom policy, because the IP could be a shared IP. CloudFront signed URLs and signed cookies should not be used for authorization purposes.

answered 9 months ago
  • I understood that. The authorization process is handled on my backend. The signed URLs are returned by my backend upon successful authentication for the client to use to access the files. This works on "private" files because I want to use signed requests for both writing and reading operations.

    But for "public" files it doesn't, because I want these to be publicly accessible for reading, but not for writing. And you can't activate restrictions to signed requests only for writing operations in the behaviors. If you activated signed requests, it's for everything, read and write.

    So in the end I had to give up on the idea of using CloudFront for writing operations, and write directly to S3 instead using the AWS SDK. Which technically works, but isn't what I wanted...
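The two points made in this thread (the answer's observation that a custom policy says nothing about the HTTP method, and the asker's conclusion that write authorization therefore has to live in the backend) can be seen side by side in a small model. The following is an added example, not AWS code and not the asker's backend: `policy_allows` imitates the three conditions a CloudFront custom policy statement carries (Resource, DateLessThan/DateGreaterThan, IpAddress) and evaluates a request against them, while `backend_authorizes` is a hypothetical method-aware rule of the kind the backend must implement itself. The distribution name, IP range and timestamps are constructed placeholders.

```python
"""Model of what a CloudFront custom policy can and cannot express.

Added example for this thread; it is not AWS's evaluator and not the
asker's backend. The policy evaluator mirrors the documented statement
shape; the backend gate is a hypothetical rule shown for illustration.
"""
import fnmatch
import ipaddress
import json

# Constructed custom policy in the shape CloudFront documents for signed URLs.
# The distribution domain and IP range are placeholders (not real resources).
POLICY_JSON = json.dumps({
    "Statement": [{
        "Resource": "https://d111111abcdef8.cloudfront.net/public/*",
        "Condition": {
            "DateLessThan": {"AWS:EpochTime": 1_900_000_000},
            "IpAddress": {"AWS:SourceIp": "203.0.113.0/24"},
        },
    }]
})


def policy_allows(policy_json, url, source_ip, now, method="GET"):
    """Return True if the custom policy's conditions admit the request.

    `method` is accepted only to make the point visible: no field of the
    policy statement refers to it, so the verdict is the same for GET
    and PUT. Resource wildcards `*` and `?` are matched with fnmatch.
    """
    for stmt in json.loads(policy_json)["Statement"]:
        if not fnmatch.fnmatchcase(url, stmt["Resource"]):
            continue
        cond = stmt.get("Condition", {})
        # Expiry: the URL is valid strictly before DateLessThan.
        if now >= cond["DateLessThan"]["AWS:EpochTime"]:
            continue
        # Optional start time.
        if "DateGreaterThan" in cond and now < cond["DateGreaterThan"]["AWS:EpochTime"]:
            continue
        # Optional source-IP restriction, given in CIDR notation.
        if "IpAddress" in cond:
            net = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
            if ipaddress.ip_address(source_ip) not in net:
                continue
        return True
    return False


WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}


def backend_authorizes(method, path, user):
    """Hypothetical backend rule: the method-aware decision CloudFront cannot make.

    /public/*  : readable by anyone, writable only by an authenticated user.
    /private/* : every method requires an authenticated user.
    Anything else is denied. `user` is None for an unauthenticated caller.
    """
    method = method.upper()
    if path.startswith("/private/"):
        return user is not None
    if path.startswith("/public/"):
        if method in WRITE_METHODS:
            return user is not None
        return True
    return False


if __name__ == "__main__":
    url = "https://d111111abcdef8.cloudfront.net/public/cat.png"
    # Same verdict for a read and a write: the policy is method-blind.
    print("GET via policy:", policy_allows(POLICY_JSON, url, "203.0.113.7", 1_800_000_000, "GET"))
    print("PUT via policy:", policy_allows(POLICY_JSON, url, "203.0.113.7", 1_800_000_000, "PUT"))
    # The backend rule is where read/write is actually distinguished.
    print("anonymous GET:", backend_authorizes("GET", "/public/cat.png", None))
    print("anonymous PUT:", backend_authorizes("PUT", "/public/cat.png", None))
    print("user PUT:     ", backend_authorizes("PUT", "/public/cat.png", "alice"))
```

The evaluator only models the documented conditions; the real CloudFront check also verifies the signature over the policy, which is what the trusted key group provides. The point of the model is that even a correctly signed policy cannot say "GET only", so a public-read, authenticated-write split has to be decided where the method is visible, in the backend that issues the write credential.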
