This is the second article about the CloudFront Private Content feature, which allows you to restrict access to your content. CloudFront private content configuration is not straightforward and involves many steps, as described in our previous post. You have to configure your distribution to support private content, generate keys, create policies and finally sign URLs. CloudFront users wanted something simple, similar to Amazon S3 Query String authentication.
Introducing Canned Policies
The CloudFront team have been quick to react to user feedback and introduced so-called Canned Policies. Canned Policies, unlike Custom Policies, are generated automatically from the resource you want to generate the signed URL for and the expiration time. In this case, the expiration time is passed as a query string parameter in the URL:
Creating Canned Policies with CloudBerry Explorer
First, you have to create the canned policy. Go to Tools | Policies in the program menu to open the Add New Policy dialog. Choose Canned Policy as shown on the screen. See how the IP Range and Resource Mask fields become disabled.
Specify the Private Key file and Key Pair ID. Click OK to create the canned policy.
Note: Amazon CloudFront checks the signature with a public key that is stored in Amazon (it can be uploaded if you use your own private key, or created by Amazon if you use Amazon’s key generator). For Amazon to know which key it should check the signature with, the Key Pair Id is passed in the URL as a parameter.
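The signing and checking steps described above, as an added example (not CloudBerry's or Amazon's code). It builds the canned policy from the resource URL and expiration time, signs it with RSA-SHA1, and shows a sketch of the check that rejects an altered or expired URL. The host name, Key Pair ID and RSA key are constructed for the demo, and the key is deliberately insecure so the block runs without external libraries.

```python
import base64, hashlib, json
from urllib.parse import parse_qs

# Constructed, INSECURE demo key built from two Mersenne primes so the example
# runs offline; a real signer loads the private key file for its Key Pair ID.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                      # modulus length in bytes
TRUSTED_KEYS = {"DEMOKEYPAIRID": (N, E)}           # constructed Key Pair ID
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def canned_policy(resource, expires):
    """Policy derived only from the resource URL and expiry (no whitespace)."""
    stmt = {"Resource": resource,
            "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}
    return json.dumps({"Statement": [stmt]}, separators=(",", ":")).encode()

def encoded_message(data):
    """PKCS#1 v1.5 signature encoding of SHA-1(data), as an integer."""
    t = SHA1_DIGESTINFO + hashlib.sha1(data).digest()
    pad = b"\xff" * (K - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + pad + b"\x00" + t, "big")

def sign_url(resource, expires, key_pair_id):
    """Signer side: RSA-SHA1 over the canned policy, URL-safe Base64."""
    sig = pow(encoded_message(canned_policy(resource, expires)), D, N)
    b64 = base64.b64encode(sig.to_bytes(K, "big")).decode()
    b64 = b64.translate(str.maketrans("+=/", "-_~"))
    sep = "&" if "?" in resource else "?"
    return f"{resource}{sep}Expires={expires}&Signature={b64}&Key-Pair-Id={key_pair_id}"

def verify_url(signed_url, now):
    """Checking side (sketch): rebuild the policy from the request, verify it."""
    idx = signed_url.rfind("Expires=")
    if idx < 1:
        return False
    q = parse_qs(signed_url[idx:])
    try:
        n, e = TRUSTED_KEYS[q["Key-Pair-Id"][0]]   # key chosen by Key Pair ID
        expires = int(q["Expires"][0])
        raw = q["Signature"][0].translate(str.maketrans("-_~", "+=/"))
        sig = int.from_bytes(base64.b64decode(raw), "big")
    except (KeyError, ValueError):
        return False
    expected = encoded_message(canned_policy(signed_url[:idx - 1], expires))
    return pow(sig, e, n) == expected and now < expires
```

Because the signature covers both the resource and the expiration time, editing either one in the query string invalidates the URL.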
Generating URLs using a Canned Policy
There is nothing new in the Generate Web URL dialog. You just have to choose the canned policy in the list.
Note: The policy is placed in the Web URL as a query parameter (url-safe Base64-encoded). Only accounts set up as a Trusted Signer for a distribution can sign the Policy. Otherwise, the signed URL will not be valid.
We are going to make it even easier to generate protected URLs using Canned Policies in a future release. You won’t have to create a canned policy separately and you will be able to generate the URL right on the Web URL screen. Stay tuned!
Note: this post applies to CloudBerry Explorer 1.6.5 and later.
CloudBerry S3 Explorer is by far the most popular Amazon S3 and CloudFront manager on the Windows platform. At the same time, Amazon rapidly enhances its services to meet growing customer expectations. To maintain our leadership position, we are trying to stay on top of Amazon developments and support all recent enhancements in CloudBerry Explorer.