├── .gitignore
├── 1-Create_S3_Bucket
├── README.md
└── sample.html
├── 2-Create_CloudFront_Distribution
└── README.md
├── 3-Create_CloudFront_Key_Groups
└── README.md
├── 4-Create_Secrets_Manager
└── README.md
├── 5-Create_CloudFront_SignedURL_Canned
├── README.md
├── cf_signedurl_canned.js
├── cf_signedurl_canned_event.json
└── lambda_role_policy.json
├── 6-Create_CloudFront_SignedURL_Custom
├── README.md
├── cf_signedurl_custom.js
├── cf_signedurl_custom_event.json
├── lambda_role_policy.json
└── newsample.html
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── LICENSE-SAMPLECODE
├── LICENSE-SUMMARY
├── NOTICE
└── README.md
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | *.pem
3 |
--------------------------------------------------------------------------------
/1-Create_S3_Bucket/README.md:
--------------------------------------------------------------------------------
1 | ## Step 1: Create Amazon S3 Bucket
2 |
3 | In this step you will stage a private Amazon S3 bucket with a sample HTML file.
4 |
5 | **Note**: Amazon S3 routes any virtual hosted–style request to the US East (N. Virginia) region by default if you use the US East (N. Virginia) endpoint (s3.amazonaws.com). When you create a new bucket in any region, Amazon S3 updates DNS to reroute requests to the correct region, which can take time and can affect the Amazon CloudFront distribution you create in a later section. For the purpose of this exercise, you will create a new bucket in AWS **region** `us-east-1`. A detailed explanation of **AWS virtual hosting of buckets** is provided in the [AWS User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html).
6 |
7 | ### Create S3 Bucket
8 | 1. Log into your AWS account and navigate to the [Amazon S3 Management Console](https://s3.console.aws.amazon.com/).
9 | 2. Choose **Create Bucket**.
10 | 3. Provide a name for **Bucket name**.
11 | 4. Select **US East (N. Virginia) us-east-1** for **AWS Region** .
12 | 5. Leave everything as default.
13 | 6. Choose **Create bucket** to create the bucket.
14 | 7. Choose the bucket you just created.
15 | 8. Choose **Upload**.
16 | 9. Choose **Add files**.
17 | 10. Choose the included sample file `sample.html` from your local drive.
18 | 11. Choose **Upload** to upload the file.
19 |
20 | You successfully created an Amazon S3 bucket and uploaded a sample HTML file. However, if you try to access the sample HTML file in your browser using the S3 object URL, like `https://yourbucket.s3-us-east-1.amazonaws.com/sample.html`, you will get an access denied message. This is exactly what you want: you keep your S3 contents private and distribute them only through an Amazon CloudFront distribution.
21 |
22 | In [Step 2](../2-Create_CloudFront_Distribution/README.md), you will create the Amazon CloudFront Distribution.
23 |
--------------------------------------------------------------------------------
/1-Create_S3_Bucket/sample.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Create Amazon CloudFront Signed URLs with Secrets Manager and Lambda
5 | This is sample.html
6 |
7 |
8 |
--------------------------------------------------------------------------------
/2-Create_CloudFront_Distribution/README.md:
--------------------------------------------------------------------------------
1 | ## Step 2: Create Amazon CloudFront Distribution
2 |
3 | In this step you will create an Amazon CloudFront distribution with the Amazon S3 bucket created in Step 1 as the origin. You will also restrict access to the bucket by using an [Origin Access Identity (OAI)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html).
4 |
5 | ### Create Distribution
6 | 1. Log into your AWS account and navigate to the [Amazon CloudFront Management Console](https://console.aws.amazon.com/cloudfront).
7 | 2. Choose **Create Distribution**.
8 | 3. Under Web, choose **Get Started**.
9 | 4. For **Origin Domain Name** choose your Amazon S3 Bucket from Step 1.
10 | 5. For **Origin access** choose **Origin access control settings**.
11 | 6. For **Origin access control** choose **Create control setting**.
12 | 7. For **Signing behavior** choose **Sign requests**. Leave **Do not override authorization header** unchecked. Choose **Create** to continue.
13 | 8. Leave everything else as default and choose **Create Distribution**.
14 | 9. In the distribution view, choose **Origins** tab.
15 | 10. In the **Origins** tab, select the origin you just created and choose **Edit**.
16 | 11. In the **Edit origin** view, choose **Copy policy** to copy the S3 bucket policy to your clipboard.
17 | 12. Add the S3 bucket policy to your S3 bucket.
18 | 13. In the distribution details screen, note the **Distribution Status**. Wait for the status to change from **In Progress** to **Deployed**. It can take upward of 5 minutes for the process to complete.
19 | 14. Under **Domain Name** copy the FQDN, similar to `dxxxxxxxxxz.cloudfront.net`.
20 |
21 | ### Test Public Distribution
22 | You want to verify that the distribution is set up correctly and has access to the Amazon S3 contents.
23 |
24 | Use your browser and enter the URL https://dxxxxxxxxxz.cloudfront.net/sample.html. Remember to replace the domain name with your FQDN. Your sample webpage should come up correctly. However, anyone with your URL can access your Amazon S3 contents.
25 |
26 | ### Secure Distribution
27 | Next you want to secure the Amazon CloudFront distribution to restrict public access.
28 | 1. Choose the **Distribution ID** to open the detail view.
29 | 2. Choose the **Behaviors** tab.
30 | 3. Select the default **Origin or Origin Group** and choose **Edit**.
31 | 4. Under **Restrict Viewer Access (Use Signed URLs or Signed Cookies)** choose **Yes** to expand the **Trusted Key Groups or Trusted Signer** option.
32 | 5. Under **Trusted Key Groups or Trusted Signer**, select **Trusted Signer**. (Note: you will change this to **Trusted Key Groups** in a later section.)
33 | 6. Under **Trusted Signers** select **Self**.
34 | 7. Choose **Yes, Edit** to save the changes.
35 |
36 | ### Test Secured Distribution
37 | Now you want to test to verify that the distribution is restricted. Refresh the webpage and you should see the error message:
38 | > Missing Key-Pair-Id query parameter or cookie value
39 |
40 | In this step you created an Amazon CloudFront distribution to distribute your Amazon S3 private contents. You then secured the distribution by using the **Restrict Viewer Access** option.
41 |
42 | In [Step 3](../3-Create_CloudFront_Key_Groups/README.md), you will create the **CloudFront Key Groups**.
43 |
--------------------------------------------------------------------------------
/3-Create_CloudFront_Key_Groups/README.md:
--------------------------------------------------------------------------------
1 | ## Step 3: Create CloudFront Key Group
2 |
3 | In this step you will create a trusted [CloudFront key group](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#choosing-key-groups-or-AWS-accounts). First you will create a public-private key pair. The key pair must meet the following requirements:
4 | - It must be an SSH-2 RSA key pair.
5 | - It must be in base64-encoded PEM format.
6 | - It must be a 2048-bit key pair.
7 |
8 |
9 | ### Create Key Pair
10 | There are different ways to create an RSA key pair. The following steps use OpenSSL to create a key pair.
11 | 1. The following example command uses OpenSSL to generate an RSA key pair with a length of 2048 bits and saves it to the file named `private_key.pem`.
12 | ```
13 | $ openssl genrsa -out private_key.pem 2048
14 | ```
15 | 2. The resulting file contains both the public and the private key. The following example command extracts the public key from the file named `private_key.pem` and saves it to the file named `public_key.pem`.
16 | ```
17 | $ openssl rsa -pubout -in private_key.pem -out public_key.pem
18 | ```
19 |
20 | ### Upload Public Key
21 | 1. Open the [Amazon CloudFront Management Console](https://console.aws.amazon.com/cloudfront).
22 | 2. In the navigation menu, choose **Public keys**.
23 | 3. Choose **Add public key**.
24 | 4. In the **Add public key** window, complete the following and choose **Add**.
25 | - For **Key name**, type a name to identify the public key.
26 | - For **Key value**, copy and paste the contents of the public key. If you followed the steps in the preceding procedure, the public key is in the file named `public_key.pem`.
27 | - (Optional) For **Comment**, add a comment to describe the public key.
28 | 5. Record the public key ID. You will use it in a later section.
29 |
30 | ### Create Key group
31 | 1. In the navigation menu, choose **Key groups**.
32 | 2. Choose **Add key group**.
33 | 3. On the **Create key group** page, do the following:
34 | - For **Key group name**, type a name to identify the key group.
35 | - (Optional) For **Comment**, type a comment to describe the key group.
36 | - For **Public keys**, select the public key to add to the key group, then choose **Add**.
37 | 4. Choose **Create key group**.
38 |
39 | ### Associate Key group
40 | 1. In the navigation menu, choose **Distributions**.
41 | 2. Choose the **Distribution ID** link you created in Step 2.
42 | 3. Choose the **Behaviors** tab.
43 | 4. Select the cache behavior and then choose **Edit**.
44 | 5. On the **Edit Behavior** page, do the following:
45 | - For **Trusted Key Groups or Trusted Signer**, choose **Trusted Key Groups**.
46 | - For **Trusted Key Groups**, choose the key group to add, and then choose **Add**.
47 | 6. Choose **Yes, Edit** to update the cache behavior.
48 |
49 | In this step you generated a public-private key pair, created a CloudFront Key group with a public key, and associated the Key group to your CloudFront distribution.
50 |
51 | In [Step 4](../4-Create_Secrets_Manager/README.md) you will create a secret in **AWS Secrets Manager**.
52 |
--------------------------------------------------------------------------------
/4-Create_Secrets_Manager/README.md:
--------------------------------------------------------------------------------
1 | ## Step 4: Create Secrets Manager
2 |
3 | In this step you will create a secret in **AWS Secrets Manager**. Up to this point, you have used **Amazon S3** and **Amazon CloudFront**, which are AWS global services. As **AWS Secrets Manager** and **AWS Lambda** are regional services, you will need to pick an AWS **region** to use for the remainder of this sample.
4 |
5 | ### Create a Secret
6 | 1. Open the [AWS Secrets Manager Management Console](https://us-west-2.console.aws.amazon.com/secretsmanager).
7 | 2. Select an AWS **region**.
8 | 3. Choose **Store a new secret**.
9 | 4. For **Select secret type**, select **Other type of secrets**.
10 | 5. For **Specify the key/value pairs to be stored in this secret** select **Plaintext**.
11 | 6. Copy and paste the contents of the private key from the file named **private_key.pem** created in the previous step.
12 | 7. Choose **Next**.
13 | 8. For **Secret name**, provide a name.
14 | 9. Choose **Next**.
15 | 10. Leave **Disable automatic rotation** selected.
16 | 11. Choose **Next**.
17 | 12. Choose **Store**.
18 | 13. Select your **Secret** to view the details.
19 | 14. Record both the **Secret name** and **Secret ARN**. You will need them for the next step.
20 |
21 | In this step you configured **AWS Secrets Manager** to store the CloudFront private key so that a downstream client can consume it. Next you will configure an **AWS Lambda** function to generate CloudFront signed URLs. We provide steps for both CloudFront canned and custom policies.
22 |
23 | [Step 5: Create CloudFront SignedURL with Canned Policy](../5-Create_CloudFront_SignedURL_Canned/README.md)
24 | [Step 6: Create CloudFront SignedURL with Custom Policy](../6-Create_CloudFront_SignedURL_Custom/README.md)
25 |
--------------------------------------------------------------------------------
/5-Create_CloudFront_SignedURL_Canned/README.md:
--------------------------------------------------------------------------------
1 | ## Step 5: Create CloudFront Signed URL with Canned Policy
2 |
3 | In this step you will use **AWS Lambda** to create **Amazon CloudFront Signed URLs** with a **Canned Policy**. Click [here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html) for detailed information about canned and custom policies.
4 |
5 | ### Create Lambda Function
6 | 1. Log into your AWS account and navigate to the [AWS Lambda Management Console](https://us-west-2.console.aws.amazon.com/lambda/home?region=us-west-2#/functions).
7 | 2. Select the same AWS **Region** that you use for **AWS Secrets Manager**.
8 | 3. Choose **Create function**.
9 | 4. Select **Author from scratch**.
10 | 5. For **Function name**, provide a name.
11 | 6. For **Runtime**, select **Node.js 12.x**.
12 | 7. For **Execution role** under **Change default execution role**, select **Create a new role with basic Lambda permissions**.
13 | 8. Choose **Create function**.
14 | 9. Replace the Lambda `index.js` code with the code from `cf_signedurl_canned.js`.
15 | 10. Add the following **Environmental variables** to the function:
16 | - awsRegion: "us-west-2" //Replace with your Region
17 | - amazonCloudFrontKeyPairId: "K2XXXXXXXXXXXX" //From Step 3
18 | - awsSecretsManagerSecretName: "your_secret_name" //From Step 4
19 | 11. **Save** and **Deploy** the function.
20 | 12. Since the newly created Lambda role does **NOT** have permission to access **AWS Secrets Manager**, you will need to update the role in [IAM](https://console.aws.amazon.com/iam) to include the permission below. The complete policy is included in `lambda_role_policy.json`. Remember to replace the Resource ARN with your Secret ARN from Step 4.
21 | ```
22 | {
23 | "Effect": "Allow",
24 | "Action": "secretsmanager:GetSecretValue",
25 | "Resource": "arn:aws:secretsmanager:us-west-2:8xxxxxxxxxx6:secret:your_secret_name"
26 | }
27 | ```
28 | 13. Before you can test the function, you will need to create a test event. For the canned policy you will need a base URL and an expiration time. Create a sample test event as shown below, which is also included in `cf_signedurl_canned_event.json`. Replace the domain with your CloudFront FQDN. Note that we appended two dummy query strings `q1` and `q2` for illustration purposes only. You can omit the query strings, but remember to keep the trailing `?`.
29 | ```
30 | {
31 | "baseUrl": "https://d1hxxxxxxxxxx.cloudfront.net/sample.html?q1=123&q2=abc",
32 | "expiration": "12/12/2021 12:30:30 EST"
33 | }
34 | ```
35 |
36 | ### Test Lambda Function
37 | 1. In the Lambda function, choose **Test** to test the function. If the function is created correctly, you should get the following response:
38 | ```
39 | {
40 | "cfSignedUrl": "https://d1hxxxxxxxx.cloudfront.net/sample.html?q1=123&q2=abc&Expires=1639330230&Signature=mwa~5jyg-5G.....YYjXcwQ__&Key-Pair-Id=APKAIUJUXXXXXXXXXXXX"
41 | }
42 | ```
43 | 2. Copy and paste the `cfSignedUrl` into your browser. The webpage should render as expected.
44 |
45 | 3. Try changing the expiration date to earlier than **now** and you should see an access denied message.
46 |
47 | In this step you configured a Lambda function to create **CloudFront Signed URLs** using a canned policy. You signed the canned policy with the CloudFront private key stored in **AWS Secrets Manager**. Now your application can generate **CloudFront Signed URLs** by invoking the Lambda function through, for example, **AWS API Gateway** or **AWS AppSync**.
48 |
49 | [Step 6: Create CloudFront SignedURL with Custom Policy](../6-Create_CloudFront_SignedURL_Custom/README.md)
50 |
--------------------------------------------------------------------------------
/5-Create_CloudFront_SignedURL_Canned/cf_signedurl_canned.js:
--------------------------------------------------------------------------------
const AWS = require('aws-sdk');
const crypto = require('crypto');

const secretsManager = new AWS.SecretsManager({ region: process.env.awsRegion });

// CloudFront requires a URL-safe variant of base64 in the query string:
// '+' becomes '-', '=' becomes '_' and '/' becomes '~'.
const replacementChars = { '+': '-', '=': '_', '/': '~' };
const toCloudFrontBase64 = (value) => value.replace(/[+=/]/g, (m) => replacementChars[m]);

// Fetch the CloudFront private key (PEM) stored as a plaintext secret in Step 4.
const getKeyFromSecretsManager = async () => {
  try {
    const data = await secretsManager
      .getSecretValue({ SecretId: process.env.awsSecretsManagerSecretName })
      .promise();
    console.log('Private key retrieved');
    return data.SecretString;
  } catch (err) {
    console.log('Get Secret Error', err);
    throw err;
  }
};

// Convert the test-event date string to the epoch seconds CloudFront expects.
const toEpochSeconds = (dateString) => {
  const millis = new Date(dateString).getTime();
  if (Number.isNaN(millis)) {
    throw new Error(`Unparseable date: ${dateString}`);
  }
  return Math.floor(millis / 1000);
};

exports.handler = async (event) => {
  const expiration = toEpochSeconds(event.expiration);

  // A canned policy is not sent in the URL: CloudFront rebuilds it from the
  // resource URL and the Expires parameter, so the JSON must contain no whitespace.
  const cannedPolicy = JSON.stringify({
    Statement: [
      {
        Resource: event.baseUrl,
        Condition: {
          DateLessThan: {
            'AWS:EpochTime': expiration,
          },
        },
      },
    ],
  });

  // Sign the policy with SHA-1/RSA (the scheme CloudFront verifies) using the private key.
  const signer = crypto.createSign('RSA-SHA1');
  signer.update(cannedPolicy);
  const signedPolicy = toCloudFrontBase64(signer.sign(await getKeyFromSecretsManager(), 'base64'));

  // Append the signing parameters after any query string already in the base URL.
  const paramDelimiter = event.baseUrl.indexOf('?') === -1 ? '?' : '&';
  const cfSignedUrl = `${event.baseUrl}${paramDelimiter}Expires=${expiration}&Signature=${signedPolicy}&Key-Pair-Id=${process.env.amazonCloudFrontKeyPairId}`;

  return { cfSignedUrl };
};
51 |
--------------------------------------------------------------------------------
/5-Create_CloudFront_SignedURL_Canned/cf_signedurl_canned_event.json:
--------------------------------------------------------------------------------
1 | {
2 | "baseUrl": "https://d1hxxxxxxxxxx.cloudfront.net/sample.html?q1=123&q2=abc",
3 | "expiration": "12/12/2021 12:30:30 EST"
4 | }
5 |
--------------------------------------------------------------------------------
/5-Create_CloudFront_SignedURL_Canned/lambda_role_policy.json:
--------------------------------------------------------------------------------
1 | {
2 | "Version": "2012-10-17",
3 | "Statement": [
4 | {
5 | "Effect": "Allow",
6 | "Action": "logs:CreateLogGroup",
7 | "Resource": "arn:aws:logs:us-west-2:81xxxxxxxxxx:*"
8 | },
9 | {
10 | "Effect": "Allow",
11 | "Action": [
12 | "logs:CreateLogStream",
13 | "logs:PutLogEvents"
14 | ],
15 | "Resource": [
16 | "arn:aws:logs:us-west-2:815551942346:log-group:/aws/lambda/cfSignedURL-canned:*"
17 | ]
18 | },
19 | {
20 | "Effect": "Allow",
21 | "Action": "secretsmanager:GetSecretValue",
22 | "Resource": "arn:aws:secretsmanager:us-west-2:8xxxxxxxxxx6:secret:your_secret_name"
23 | }
24 | ]
25 | }
26 |
--------------------------------------------------------------------------------
/6-Create_CloudFront_SignedURL_Custom/README.md:
--------------------------------------------------------------------------------
1 | ## Step 6: Create CloudFront Signed URL with Custom Policy
2 |
3 | In this step you will use **AWS Lambda** to create **Amazon CloudFront Signed URLs** with a **Custom Policy**. Click [here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html) for detailed information about canned and custom policies.
4 |
5 | ### Create Lambda Function
6 | 1. Log into your AWS account and navigate to the [AWS Lambda Management Console](https://us-west-2.console.aws.amazon.com/lambda/home?region=us-west-2#/functions).
7 | 2. Select the same AWS **Region** that you use for **AWS Secrets Manager**.
8 | 3. Choose **Create function**.
9 | 4. Select **Author from scratch**.
10 | 5. For **Function name**, provide a name.
11 | 6. For **Runtime**, select **Node.js 12.x**.
12 | 7. For **Execution role** under **Change default execution role**, select **Create a new role with basic Lambda permissions** or **Use an existing role**.
13 | - For **Use an existing role** select the same role you created and updated in Step 5.
14 | 8. Choose **Create function**.
15 | 9. Replace the Lambda `index.js` code with the code from `cf_signedurl_custom.js`.
16 | 10. Add the following **Environmental variables** to the function:
17 | - awsRegion: "us-west-2" //Replace with your Region
18 | - amazonCloudFrontKeyPairId: "K2XXXXXXXXXXXX" //From Step 3
19 | - awsSecretsManagerSecretName: "your_secret_name" //From Step 4
20 | 11. **Save** and **Deploy** the function.
21 | 12. Skip this step if you are using the same Lambda execution role from Step 5.
22 | Since the newly created Lambda role does **NOT** have permission to access **AWS Secrets Manager**, you will need to update the role in [IAM](https://console.aws.amazon.com/iam) to include the permission below. The complete policy is included in `lambda_role_policy.json`. Remember to replace the Resource ARN with your Secret ARN from Step 4.
23 | ```
24 | {
25 | "Effect": "Allow",
26 | "Action": "secretsmanager:GetSecretValue",
27 | "Resource": "arn:aws:secretsmanager:us-west-2:8xxxxxxxxxx6:secret:your_secret_name"
28 | }
29 | ```
30 | 13. Before you can test the function, you will need to create a Lambda test event. For the custom policy you will need the base URL, an expiration time, a start date/time and an IP address range. Create a test event as shown below, which is also included in `cf_signedurl_custom_event.json`. Replace the domain with your CloudFront FQDN. Note that we appended two dummy query strings `q1` and `q2` for illustration purposes only. You can omit the query strings, but remember to keep the trailing `?`.
31 | ```
32 | {
33 | "baseUrl": "https://d1hxxxxxxxxxx.cloudfront.net/sample.html?q1=123&q2=abc",
34 | "expiration": "12/07/2021 12:30:30 EST",
35 | "startDateTime": "12/07/2020 05:00:05 PST",
36 | "allowedIpAddress": "0.0.0.0/0"
37 | }
38 | ```
39 |
40 | ### Test Lambda Function
41 | 1. In the Lambda function, choose **Test** to test the function. If the function is created correctly, you will get the following response:
42 | ```
43 | {
44 | "cfSignedUrl": "https://d1xxxxxxxxxxxx.cloudfront.net/sample.html?q1=123&q2=abc&Policy=eyJTdGF0Z.....YYjXcwQ__&Key-Pair-Id=APKAIUJUXXXXXXXXXXXX"
45 | }
46 | ```
47 | 2. Copy and paste the `cfSignedUrl` into your browser. The webpage should render as expected.
48 |
49 | 3. Next you will do a second test to demonstrate the wildcard URL feature that you can use with **Custom Policy**. Modify the test event by replacing `"sample.html"` with `"*"`. The test event should look like below:
50 | ```
51 | {
52 | "baseUrl": "https://d1hxxxxxxxxxx.cloudfront.net/*?q1=123&q2=abc",
53 | "expiration": "12/07/2021 12:30:30 EST",
54 | "startDateTime": "12/07/2020 05:00:05 PST",
55 | "allowedIpAddress": "0.0.0.0/0"
56 | }
57 | ```
58 | 4. Choose **Test** to generate a new Signed URL as below:
59 | ```
60 | {
61 | "cfSignedUrl": "https://d1xxxxxxxxxxxx.cloudfront.net/*?q1=123&q2=abc&Policy=eyJTdGF0Z.....YYjXcwQ__&Key-Pair-Id=APKAIUJUXXXXXXXXXXXX"
62 | }
63 | ```
64 | 5. Copy and paste the `cfSignedUrl` into your browser. You will get an access denied error. This is expected because there is no file named `"*"` in your Amazon S3 bucket.
65 | 6. In the browser, replace `"*"` with `"sample.html"` and hit enter. The webpage should render correctly now.
66 | 7. Let's do another test by uploading a new file `"newsample.html"` to your Amazon S3 bucket.
67 | 8. In the browser, replace `"sample.html"` with `"newsample.html"` and hit enter. The new webpage should render correctly as well.
68 | 9. Try changing the date or IP address and see how it affects the access.
69 |
70 | With a custom policy using a wildcard `*`, you can use one signed URL for multiple files that match the pattern. In the example above, where we used the URL `"https://d1xxxxxxxxxxxx.cloudfront.net/*"`, any of the URLs below would work:
71 |
72 | `"https://d1xxxxxxxxxxxx.cloudfront.net/anyS3object"`
73 | `"https://d1xxxxxxxxxxxx.cloudfront.net/path1/anyS3object"`
74 | `"https://d1xxxxxxxxxxxx.cloudfront.net/path1/path.../anyS3object"`
75 |
76 | For a more limited URL like `"https://d1xxxxxxxxxxxx.cloudfront.net/path1/*/sample.html"`, the following URLs would render `"sample.html"`:
77 |
78 | `"https://d1xxxxxxxxxxxx.cloudfront.net/path1/path2/sample.html"`
79 | `"https://d1xxxxxxxxxxxx.cloudfront.net/path1/path2/path3/path4/sample.html"`
80 |
81 | In this step you configured a Lambda function to create **CloudFront Signed URLs** using a custom policy. You signed the custom policy with the CloudFront private key stored in **AWS Secrets Manager**. Now your application can generate **CloudFront Signed URLs** by invoking the Lambda function through, for example, **AWS API Gateway** or **AWS AppSync**.
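The block below is an added example and not code from this repository. It decodes the `Policy` parameter that `cf_signedurl_custom.js` places in the URL and evaluates the three conditions the tutorial exercises (resource pattern with `*`, the `DateGreaterThan`/`DateLessThan` window, and the `AWS:SourceIp` CIDR), reproducing the wildcard matches listed above so that a policy can be reviewed locally before a URL is handed out. Signature checking is not repeated here; only the policy contents are evaluated. The domain, the `Signature=SIG` and `Key-Pair-Id=KID` values, the CIDR `203.0.113.0/24` and the timestamps are constructed placeholders, and recovering the requested resource as everything before the `Policy` parameter assumes URLs built the way the tutorial's Lambda builds them.

```javascript
// CloudFront's URL-safe base64 alphabet (the same mapping the tutorial's Lambda uses).
// Because '+' is never emitted, URLSearchParams will not turn it into a space on decode.
const toCfBase64 = (buf) => buf.toString('base64').replace(/[+=/]/g, (m) => ({ '+': '-', '=': '_', '/': '~' }[m]));
const fromCfBase64 = (s) => Buffer.from(s.replace(/[-_~]/g, (m) => ({ '-': '+', '_': '=', '~': '/' }[m])), 'base64');

// Build the Policy= value the way cf_signedurl_custom.js does.
function encodeCustomPolicy(resource, { expiresEpoch, startEpoch, allowedCidr }) {
  const policy = {
    Statement: [{
      Resource: resource,
      Condition: {
        IpAddress: { 'AWS:SourceIp': allowedCidr },
        DateLessThan: { 'AWS:EpochTime': expiresEpoch },
        DateGreaterThan: { 'AWS:EpochTime': startEpoch },
      },
    }],
  };
  return toCfBase64(Buffer.from(JSON.stringify(policy)));
}

// Pull the policy back out of a signed URL, plus the resource the viewer actually asked for
// (everything before the Policy/Signature/Key-Pair-Id parameters, as the Lambda appends them).
function decodeCustomPolicy(signedUrl) {
  const cut = signedUrl.search(/[?&]Policy=/);
  if (cut === -1) throw new Error('no Policy parameter');
  const encoded = new URL(signedUrl).searchParams.get('Policy');
  return { policy: JSON.parse(fromCfBase64(encoded).toString('utf8')), requested: signedUrl.slice(0, cut) };
}

// Resource matching: '*' matches zero or more characters, across '/' as the README's examples show.
// CloudFront also treats '?' as a single-character wildcard; this example keeps '?' literal so
// that a query string in the resource is compared as-is (a simplification).
function resourceMatches(pattern, url) {
  const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, '\\$&').replace(/\\\*/g, '.*');
  return new RegExp(`^${escaped}$`).test(url);
}

// IPv4 CIDR membership for the IpAddress condition ("0.0.0.0/0" allows every client).
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}
function ipInCidr(ip, cidr) {
  const [network, bitsText = '32'] = cidr.split('/');
  const bits = Number(bitsText);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix length: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(network) & mask) >>> 0);
}

// Apply the conditions to one viewer request; the first failing condition is reported.
function evaluateCustomPolicy(policy, { requested, clientIp, nowEpoch }) {
  const stmt = policy.Statement && policy.Statement[0];
  if (!stmt || !stmt.Resource || !stmt.Condition || !stmt.Condition.DateLessThan) {
    return { ok: false, reason: 'malformed policy' };
  }
  const cond = stmt.Condition;
  if (!resourceMatches(stmt.Resource, requested)) return { ok: false, reason: 'resource not covered by policy' };
  if (nowEpoch >= cond.DateLessThan['AWS:EpochTime']) return { ok: false, reason: 'expired' };
  if (cond.DateGreaterThan && nowEpoch <= cond.DateGreaterThan['AWS:EpochTime']) return { ok: false, reason: 'not yet valid' };
  if (cond.IpAddress && !ipInCidr(clientIp, cond.IpAddress['AWS:SourceIp'])) return { ok: false, reason: 'client IP outside allowed range' };
  return { ok: true, reason: 'allowed' };
}

// Constructed walk-through of the README's wildcard tests.
function demo() {
  const host = 'https://d1example.cloudfront.net'; // placeholder domain
  const validity = { expiresEpoch: 2000000000, startEpoch: 1600000000, allowedCidr: '203.0.113.0/24' };
  const wide = `${host}/*?q1=123&q2=abc`;
  const narrow = `${host}/path1/*/sample.html`;
  const check = (pattern, requested, clientIp = '203.0.113.7', nowEpoch = 1700000000) => {
    const delimiter = requested.includes('?') ? '&' : '?';
    const signedUrl = `${requested}${delimiter}Policy=${encodeCustomPolicy(pattern, validity)}&Signature=SIG&Key-Pair-Id=KID`;
    const { policy, requested: resource } = decodeCustomPolicy(signedUrl);
    return evaluateCustomPolicy(policy, { requested: resource, clientIp, nowEpoch });
  };
  return {
    sample: check(wide, `${host}/sample.html?q1=123&q2=abc`),
    newsample: check(wide, `${host}/newsample.html?q1=123&q2=abc`),
    nested: check(narrow, `${host}/path1/path2/path3/path4/sample.html`),
    tooShallow: check(narrow, `${host}/path1/sample.html`),
    wrongIp: check(wide, `${host}/sample.html?q1=123&q2=abc`, '198.51.100.9'),
    tooEarly: check(wide, `${host}/sample.html?q1=123&q2=abc`, '203.0.113.7', 1500000000),
  };
}
```

Calling `demo()` under `node` shows the README's behaviour in code: the `/*` policy covers both `sample.html` and `newsample.html`, the `path1/*/sample.html` policy covers the deeply nested path but not `path1/sample.html` (there is nothing for `*` to stand in for between the two slashes), and a request from outside the CIDR or before the start time is refused even though the resource matches. Note that the tutorial's `0.0.0.0/0` value disables the IP restriction entirely; a real deployment would narrow it to the viewer's actual range.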
82 |
--------------------------------------------------------------------------------
/6-Create_CloudFront_SignedURL_Custom/cf_signedurl_custom.js:
--------------------------------------------------------------------------------
const AWS = require('aws-sdk');
const crypto = require('crypto');

const secretsManager = new AWS.SecretsManager({ region: process.env.awsRegion });

// CloudFront requires a URL-safe variant of base64 in the query string:
// '+' becomes '-', '=' becomes '_' and '/' becomes '~'.
const replacementChars = { '+': '-', '=': '_', '/': '~' };
const toCloudFrontBase64 = (value) => value.replace(/[+=/]/g, (m) => replacementChars[m]);

// Fetch the CloudFront private key (PEM) stored as a plaintext secret in Step 4.
const getKeyFromSecretsManager = async () => {
  try {
    const data = await secretsManager
      .getSecretValue({ SecretId: process.env.awsSecretsManagerSecretName })
      .promise();
    console.log('Private key retrieved');
    return data.SecretString;
  } catch (err) {
    console.log('Get Secret Error', err);
    throw err;
  }
};

// Convert a test-event date string to the epoch seconds CloudFront expects.
const toEpochSeconds = (dateString) => {
  const millis = new Date(dateString).getTime();
  if (Number.isNaN(millis)) {
    throw new Error(`Unparseable date: ${dateString}`);
  }
  return Math.floor(millis / 1000);
};

exports.handler = async (event) => {
  const expiration = toEpochSeconds(event.expiration);
  const startDateTime = toEpochSeconds(event.startDateTime);

  // Custom policy: resource (may contain wildcards), validity window and source IP range.
  const customPolicy = JSON.stringify({
    Statement: [
      {
        Resource: event.baseUrl,
        Condition: {
          IpAddress: {
            'AWS:SourceIp': event.allowedIpAddress,
          },
          DateLessThan: {
            'AWS:EpochTime': expiration,
          },
          DateGreaterThan: {
            'AWS:EpochTime': startDateTime,
          },
        },
      },
    ],
  });

  // Unlike a canned policy, the custom policy itself travels in the URL (Policy=...),
  // base64-encoded with CloudFront's URL-safe alphabet.
  const encodedPolicy = toCloudFrontBase64(Buffer.from(customPolicy).toString('base64'));

  // Sign the policy with SHA-1/RSA (the scheme CloudFront verifies) using the private key.
  const signer = crypto.createSign('RSA-SHA1');
  signer.update(customPolicy);
  const signedPolicy = toCloudFrontBase64(signer.sign(await getKeyFromSecretsManager(), 'base64'));

  // Append the signing parameters after any query string already in the base URL.
  const paramDelimiter = event.baseUrl.indexOf('?') === -1 ? '?' : '&';
  const cfSignedUrl = `${event.baseUrl}${paramDelimiter}Policy=${encodedPolicy}&Signature=${signedPolicy}&Key-Pair-Id=${process.env.amazonCloudFrontKeyPairId}`;

  return { cfSignedUrl };
};
58 |
--------------------------------------------------------------------------------
/6-Create_CloudFront_SignedURL_Custom/cf_signedurl_custom_event.json:
--------------------------------------------------------------------------------
1 | {
2 | "baseUrl": "https://d1hxxxxxxxxxx.cloudfront.net/sample.html?q1=123&q2=abc",
3 | "expiration": "12/07/2021 12:30:30 EST",
4 | "startDateTime": "12/07/2020 05:00:05 PST",
5 | "allowedIpAddress": "0.0.0.0/0"
6 | }
7 |
--------------------------------------------------------------------------------
/6-Create_CloudFront_SignedURL_Custom/lambda_role_policy.json:
--------------------------------------------------------------------------------
1 | {
2 | "Version": "2012-10-17",
3 | "Statement": [
4 | {
5 | "Effect": "Allow",
6 | "Action": "logs:CreateLogGroup",
7 | "Resource": "arn:aws:logs:us-west-2:81xxxxxxxxxx:*"
8 | },
9 | {
10 | "Effect": "Allow",
11 | "Action": [
12 | "logs:CreateLogStream",
13 | "logs:PutLogEvents"
14 | ],
15 | "Resource": [
16 | "arn:aws:logs:us-west-2:815551942346:log-group:/aws/lambda/cfSignedURL-canned:*"
17 | ]
18 | },
19 | {
20 | "Effect": "Allow",
21 | "Action": "secretsmanager:GetSecretValue",
22 | "Resource": "arn:aws:secretsmanager:us-west-2:8xxxxxxxxxx6:secret:your_secret_name"
23 | }
24 | ]
25 | }
26 |
--------------------------------------------------------------------------------
/6-Create_CloudFront_SignedURL_Custom/newsample.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | Create Amazon CloudFront Signed URLs with Secrets Manager and Lambda
5 | This is newsample.html
6 |
7 |
8 |
--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | ## Code of Conduct
2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
4 | opensource-codeofconduct@amazon.com with any additional questions or comments.
5 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Guidelines for contributing
2 |
3 | Thank you for your interest in contributing to AWS documentation! We greatly value feedback and contributions from our community.
4 |
5 | Please read through this document before you submit any pull requests or issues. It will help us work together more effectively.
6 |
7 | ## What to expect when you contribute
8 |
9 | When you submit a pull request, our team is notified and will respond as quickly as we can. We'll do our best to work with you to ensure that your pull request adheres to our style and standards. If we merge your pull request, we might make additional edits later for style or clarity.
10 |
11 | The AWS documentation source files on GitHub aren't published directly to the official documentation website. If we merge your pull request, we'll publish your changes to the documentation website as soon as we can, but they won't appear immediately or automatically.
12 |
13 | We look forward to receiving your pull requests for:
14 |
15 | * New content you'd like to contribute (such as new code samples or tutorials)
16 | * Inaccuracies in the content
17 | * Information gaps in the content that need more detail to be complete
18 | * Typos or grammatical errors
19 | * Suggested rewrites that improve clarity and reduce confusion
20 |
21 | **Note:** We all write differently, and you might not like how we've written or organized something currently. We want that feedback. But please be sure that your request for a rewrite is supported by the previous criteria. If it isn't, we might decline to merge it.
22 |
23 | ## How to contribute
24 |
25 | To contribute, send us a pull request. For small changes, such as fixing a typo or adding a link, you can use the [GitHub Edit Button](https://blog.github.com/2011-04-26-forking-with-the-edit-button/). For larger changes:
26 |
27 | 1. [Fork the repository](https://help.github.com/articles/fork-a-repo/).
28 | 2. In your fork, make your change in a branch that's based on this repo's **master** branch.
29 | 3. Commit the change to your fork, using a clear and descriptive commit message.
30 | 4. [Create a pull request](https://help.github.com/articles/creating-a-pull-request-from-a-fork/), answering any questions in the pull request form.
31 |
32 | Before you send us a pull request, please be sure that:
33 |
34 | 1. You're working from the latest source on the **master** branch.
35 | 2. You check [existing open](https://github.com/awsdocs/${GITHUB_REPO}/pulls), and [recently closed](https://github.com/awsdocs/${GITHUB_REPO}/pulls?q=is%3Apr+is%3Aclosed), pull requests to be sure that someone else hasn't already addressed the problem.
36 | 3. You [create an issue](https://github.com/awsdocs/${GITHUB_REPO}/issues/new) before working on a contribution that will take a significant amount of your time.
37 |
38 | For contributions that will take a significant amount of time, [open a new issue](https://github.com/awsdocs/${GITHUB_REPO}/issues/new) to pitch your idea before you get started. Explain the problem and describe the content you want to see added to the documentation. Let us know if you'll write it yourself or if you'd like us to help. We'll discuss your proposal with you and let you know whether we're likely to accept it. We don't want you to spend a lot of time on a contribution that might be outside the scope of the documentation or that's already in the works.
39 |
40 | ## Finding contributions to work on
41 |
42 | If you'd like to contribute, but don't have a project in mind, look at the [open issues](https://github.com/awsdocs/${GITHUB_REPO}/issues) in this repository for some ideas. Any issues with the [help wanted](https://github.com/awsdocs/${GITHUB_REPO}/labels/help%20wanted) or [enhancement](https://github.com/awsdocs/${GITHUB_REPO}/labels/enhancement) labels are a great place to start.
43 |
44 | In addition to written content, we really appreciate new examples and code samples for our documentation, such as examples for different platforms or environments, and code samples in additional languages.
45 |
46 | ## Code of conduct
47 |
48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). For more information, see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact [opensource-codeofconduct@amazon.com](mailto:opensource-codeofconduct@amazon.com) with any additional questions or comments.
49 |
50 | ## Security issue notifications
51 |
52 | If you discover a potential security issue, please notify AWS Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public issue on GitHub.
53 |
54 | ## Licensing
55 |
56 | See the [LICENSE](https://github.com/awsdocs/${GITHUB_REPO}/blob/master/LICENSE) file for this project's licensing. We will ask you to confirm the licensing of your contribution. We may ask you to sign a [Contributor License Agreement (CLA)](http://en.wikipedia.org/wiki/Contributor_License_Agreement) for larger changes.
57 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Creative Commons Attribution-ShareAlike 4.0 International Public License
2 |
3 | By exercising the Licensed Rights (defined below), You accept and agree to be bound by the terms and conditions of this Creative Commons Attribution-ShareAlike 4.0 International Public License ("Public License"). To the extent this Public License may be interpreted as a contract, You are granted the Licensed Rights in consideration of Your acceptance of these terms and conditions, and the Licensor grants You such rights in consideration of benefits the Licensor receives from making the Licensed Material available under these terms and conditions.
4 |
5 | Section 1 – Definitions.
6 |
7 | a. Adapted Material means material subject to Copyright and Similar Rights that is derived from or based upon the Licensed Material and in which the Licensed Material is translated, altered, arranged, transformed, or otherwise modified in a manner requiring permission under the Copyright and Similar Rights held by the Licensor. For purposes of this Public License, where the Licensed Material is a musical work, performance, or sound recording, Adapted Material is always produced where the Licensed Material is synched in timed relation with a moving image.
8 |
9 | b. Adapter's License means the license You apply to Your Copyright and Similar Rights in Your contributions to Adapted Material in accordance with the terms and conditions of this Public License.
10 |
11 | c. BY-SA Compatible License means a license listed at creativecommons.org/compatiblelicenses, approved by Creative Commons as essentially the equivalent of this Public License.
12 |
13 | d. Copyright and Similar Rights means copyright and/or similar rights closely related to copyright including, without limitation, performance, broadcast, sound recording, and Sui Generis Database Rights, without regard to how the rights are labeled or categorized. For purposes of this Public License, the rights specified in Section 2(b)(1)-(2) are not Copyright and Similar Rights.
14 |
15 | e. Effective Technological Measures means those measures that, in the absence of proper authority, may not be circumvented under laws fulfilling obligations under Article 11 of the WIPO Copyright Treaty adopted on December 20, 1996, and/or similar international agreements.
16 |
17 | f. Exceptions and Limitations means fair use, fair dealing, and/or any other exception or limitation to Copyright and Similar Rights that applies to Your use of the Licensed Material.
18 |
19 | g. License Elements means the license attributes listed in the name of a Creative Commons Public License. The License Elements of this Public License are Attribution and ShareAlike.
20 |
21 | h. Licensed Material means the artistic or literary work, database, or other material to which the Licensor applied this Public License.
22 |
23 | i. Licensed Rights means the rights granted to You subject to the terms and conditions of this Public License, which are limited to all Copyright and Similar Rights that apply to Your use of the Licensed Material and that the Licensor has authority to license.
24 |
25 | j. Licensor means the individual(s) or entity(ies) granting rights under this Public License.
26 |
27 | k. Share means to provide material to the public by any means or process that requires permission under the Licensed Rights, such as reproduction, public display, public performance, distribution, dissemination, communication, or importation, and to make material available to the public including in ways that members of the public may access the material from a place and at a time individually chosen by them.
28 |
29 | l. Sui Generis Database Rights means rights other than copyright resulting from Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, as amended and/or succeeded, as well as other essentially equivalent rights anywhere in the world.
30 |
31 | m. You means the individual or entity exercising the Licensed Rights under this Public License. Your has a corresponding meaning.
32 |
33 | Section 2 – Scope.
34 |
35 | a. License grant.
36 |
37 | 1. Subject to the terms and conditions of this Public License, the Licensor hereby grants You a worldwide, royalty-free, non-sublicensable, non-exclusive, irrevocable license to exercise the Licensed Rights in the Licensed Material to:
38 |
39 | A. reproduce and Share the Licensed Material, in whole or in part; and
40 |
41 | B. produce, reproduce, and Share Adapted Material.
42 |
43 | 2. Exceptions and Limitations. For the avoidance of doubt, where Exceptions and Limitations apply to Your use, this Public License does not apply, and You do not need to comply with its terms and conditions.
44 |
45 | 3. Term. The term of this Public License is specified in Section 6(a).
46 |
47 | 4. Media and formats; technical modifications allowed. The Licensor authorizes You to exercise the Licensed Rights in all media and formats whether now known or hereafter created, and to make technical modifications necessary to do so. The Licensor waives and/or agrees not to assert any right or authority to forbid You from making technical modifications necessary to exercise the Licensed Rights, including technical modifications necessary to circumvent Effective Technological Measures. For purposes of this Public License, simply making modifications authorized by this Section 2(a)(4) never produces Adapted Material.
48 |
49 | 5. Downstream recipients.
50 |
51 | A. Offer from the Licensor – Licensed Material. Every recipient of the Licensed Material automatically receives an offer from the Licensor to exercise the Licensed Rights under the terms and conditions of this Public License.
52 |
53 | B. Additional offer from the Licensor – Adapted Material. Every recipient of Adapted Material from You automatically receives an offer from the Licensor to exercise the Licensed Rights in the Adapted Material under the conditions of the Adapter’s License You apply.
54 |
55 | C. No downstream restrictions. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, the Licensed Material if doing so restricts exercise of the Licensed Rights by any recipient of the Licensed Material.
56 |
57 | 6. No endorsement. Nothing in this Public License constitutes or may be construed as permission to assert or imply that You are, or that Your use of the Licensed Material is, connected with, or sponsored, endorsed, or granted official status by, the Licensor or others designated to receive attribution as provided in Section 3(a)(1)(A)(i).
58 |
59 | b. Other rights.
60 |
61 | 1. Moral rights, such as the right of integrity, are not licensed under this Public License, nor are publicity, privacy, and/or other similar personality rights; however, to the extent possible, the Licensor waives and/or agrees not to assert any such rights held by the Licensor to the limited extent necessary to allow You to exercise the Licensed Rights, but not otherwise.
62 |
63 | 2. Patent and trademark rights are not licensed under this Public License.
64 |
65 | 3. To the extent possible, the Licensor waives any right to collect royalties from You for the exercise of the Licensed Rights, whether directly or through a collecting society under any voluntary or waivable statutory or compulsory licensing scheme. In all other cases the Licensor expressly reserves any right to collect such royalties.
66 |
67 | Section 3 – License Conditions.
68 |
69 | Your exercise of the Licensed Rights is expressly made subject to the following conditions.
70 |
71 | a. Attribution.
72 |
73 | 1. If You Share the Licensed Material (including in modified form), You must:
74 |
75 | A. retain the following if it is supplied by the Licensor with the Licensed Material:
76 |
77 | i. identification of the creator(s) of the Licensed Material and any others designated to receive attribution, in any reasonable manner requested by the Licensor (including by pseudonym if designated);
78 |
79 | ii. a copyright notice;
80 |
81 | iii. a notice that refers to this Public License;
82 |
83 | iv. a notice that refers to the disclaimer of warranties;
84 |
85 | v. a URI or hyperlink to the Licensed Material to the extent reasonably practicable;
86 |
87 | B. indicate if You modified the Licensed Material and retain an indication of any previous modifications; and
88 |
89 | C. indicate the Licensed Material is licensed under this Public License, and include the text of, or the URI or hyperlink to, this Public License.
90 |
91 | 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable manner based on the medium, means, and context in which You Share the Licensed Material. For example, it may be reasonable to satisfy the conditions by providing a URI or hyperlink to a resource that includes the required information.
92 |
93 | 3. If requested by the Licensor, You must remove any of the information required by Section 3(a)(1)(A) to the extent reasonably practicable.
94 |
95 | b. ShareAlike. In addition to the conditions in Section 3(a), if You Share Adapted Material You produce, the following conditions also apply.
96 |
97 | 1. The Adapter’s License You apply must be a Creative Commons license with the same License Elements, this version or later, or a BY-SA Compatible License.
98 |
99 | 2. You must include the text of, or the URI or hyperlink to, the Adapter's License You apply. You may satisfy this condition in any reasonable manner based on the medium, means, and context in which You Share Adapted Material.
100 |
101 | 3. You may not offer or impose any additional or different terms or conditions on, or apply any Effective Technological Measures to, Adapted Material that restrict exercise of the rights granted under the Adapter's License You apply.
102 |
103 | Section 4 – Sui Generis Database Rights.
104 |
105 | Where the Licensed Rights include Sui Generis Database Rights that apply to Your use of the Licensed Material:
106 |
107 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right to extract, reuse, reproduce, and Share all or a substantial portion of the contents of the database;
108 |
109 | b. if You include all or a substantial portion of the database contents in a database in which You have Sui Generis Database Rights, then the database in which You have Sui Generis Database Rights (but not its individual contents) is Adapted Material, including for purposes of Section 3(b); and
110 |
111 | c. You must comply with the conditions in Section 3(a) if You Share all or a substantial portion of the contents of the database.
112 | For the avoidance of doubt, this Section 4 supplements and does not replace Your obligations under this Public License where the Licensed Rights include other Copyright and Similar Rights.
113 |
114 | Section 5 – Disclaimer of Warranties and Limitation of Liability.
115 |
116 | a. Unless otherwise separately undertaken by the Licensor, to the extent possible, the Licensor offers the Licensed Material as-is and as-available, and makes no representations or warranties of any kind concerning the Licensed Material, whether express, implied, statutory, or other. This includes, without limitation, warranties of title, merchantability, fitness for a particular purpose, non-infringement, absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not known or discoverable. Where disclaimers of warranties are not allowed in full or in part, this disclaimer may not apply to You.
117 |
118 | b. To the extent possible, in no event will the Licensor be liable to You on any legal theory (including, without limitation, negligence) or otherwise for any direct, special, indirect, incidental, consequential, punitive, exemplary, or other losses, costs, expenses, or damages arising out of this Public License or use of the Licensed Material, even if the Licensor has been advised of the possibility of such losses, costs, expenses, or damages. Where a limitation of liability is not allowed in full or in part, this limitation may not apply to You.
119 |
120 | c. The disclaimer of warranties and limitation of liability provided above shall be interpreted in a manner that, to the extent possible, most closely approximates an absolute disclaimer and waiver of all liability.
121 |
122 | Section 6 – Term and Termination.
123 |
124 | a. This Public License applies for the term of the Copyright and Similar Rights licensed here. However, if You fail to comply with this Public License, then Your rights under this Public License terminate automatically.
125 |
126 | b. Where Your right to use the Licensed Material has terminated under Section 6(a), it reinstates:
127 |
128 | 1. automatically as of the date the violation is cured, provided it is cured within 30 days of Your discovery of the violation; or
129 |
130 | 2. upon express reinstatement by the Licensor.
131 |
132 | c. For the avoidance of doubt, this Section 6(b) does not affect any right the Licensor may have to seek remedies for Your violations of this Public License.
133 |
134 | d. For the avoidance of doubt, the Licensor may also offer the Licensed Material under separate terms or conditions or stop distributing the Licensed Material at any time; however, doing so will not terminate this Public License.
135 |
136 | e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
137 |
138 | Section 7 – Other Terms and Conditions.
139 |
140 | a. The Licensor shall not be bound by any additional or different terms or conditions communicated by You unless expressly agreed.
141 |
142 | b. Any arrangements, understandings, or agreements regarding the Licensed Material not stated herein are separate from and independent of the terms and conditions of this Public License.
143 |
144 | Section 8 – Interpretation.
145 |
146 | a. For the avoidance of doubt, this Public License does not, and shall not be interpreted to, reduce, limit, restrict, or impose conditions on any use of the Licensed Material that could lawfully be made without permission under this Public License.
147 |
148 | b. To the extent possible, if any provision of this Public License is deemed unenforceable, it shall be automatically reformed to the minimum extent necessary to make it enforceable. If the provision cannot be reformed, it shall be severed from this Public License without affecting the enforceability of the remaining terms and conditions.
149 |
150 | c. No term or condition of this Public License will be waived and no failure to comply consented to unless expressly agreed to by the Licensor.
151 |
152 | d. Nothing in this Public License constitutes or may be interpreted as a limitation upon, or waiver of, any privileges and immunities that apply to the Licensor or You, including from the legal processes of any jurisdiction or authority.
153 |
--------------------------------------------------------------------------------
/LICENSE-SAMPLECODE:
--------------------------------------------------------------------------------
1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 |
3 | Permission is hereby granted, free of charge, to any person obtaining a copy of this
4 | software and associated documentation files (the "Software"), to deal in the Software
5 | without restriction, including without limitation the rights to use, copy, modify,
6 | merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
7 | permit persons to whom the Software is furnished to do so.
8 |
9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
10 | INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
11 | PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
12 | HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
13 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
14 | SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
15 |
--------------------------------------------------------------------------------
/LICENSE-SUMMARY:
--------------------------------------------------------------------------------
1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 |
3 | The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file.
4 |
5 | The sample code within this documentation is made available under the MIT-0 license. See the LICENSE-SAMPLECODE file.
6 |
--------------------------------------------------------------------------------
/NOTICE:
--------------------------------------------------------------------------------
1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | SPDX-License-Identifier: MIT-0
3 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ## Amazon CloudFront Signed URLs using Lambda and Secrets Manager
2 |
3 | Important Update: [Amazon CloudFront announces support for public key management through IAM user permissions for signed URLs and signed cookies](https://aws.amazon.com/about-aws/whats-new/2020/10/cloudfront-iam-signed-url/)
4 |
5 | In this example we provide step-by-step instructions to create **Amazon CloudFront Signed URLs** with both canned and custom policies using:
6 | - **AWS Lambda** as the execution tool
7 | - **AWS Secrets Manager** to manage the private signing key for security best practices
8 | - **Amazon S3** as a restricted content source
9 |
10 | Detailed information about:
11 | - [Amazon CloudFront Signed URLs](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html)
12 | - [AWS Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html)
13 |
14 | **What you will need:**
15 | - An AWS account with an IAM user
16 | - Working knowledge of Amazon IAM, S3, CloudFront, Secrets Manager, and Lambda
17 | - Working knowledge of Node.js
18 |
19 | Please start with Step 1 to begin the exercise.
20 | - [Step 1: Create Amazon S3 Bucket](1-Create_S3_Bucket/README.md)
21 | - [Step 2: Create Amazon CloudFront Distribution](2-Create_CloudFront_Distribution/README.md)
22 | - [Step 3: Create Amazon CloudFront Key Groups](3-Create_CloudFront_Key_Groups/README.md)
23 | - [Step 4: Create AWS Secrets Manager](4-Create_Secrets_Manager/README.md)
24 | - [Step 5: Create AWS CloudFront SignedURL with Canned Policy](5-Create_CloudFront_SignedURL_Canned/README.md)
25 | - [Step 6: Create AWS CloudFront SignedURL with Custom Policy](6-Create_CloudFront_SignedURL_Custom/README.md)
26 |
--------------------------------------------------------------------------------