Tag Archives: Private Content

How to Grant Permissions to CloudFront Origin Access Identity Using Bucket Policies and CloudBerry S3 Explorer

As always we are trying to stay on top of the new functionality offered by Amazon S3  to offer the most compelling Amazon S3 and CloudFront client on Windows platform. Continue reading

How to Configure Private Content for CloudFront Streaming with CloudBerry S3 Explorer

The CloudFront team recently introduced a set of features that would allow you to secure content streamed through Amazon CloudFront. Private content features for streaming distributions give customers more control over who can and who cannot view content streamed with the service. Continue reading

How to create CloudFront Private URLs using Canned Policy

This is a second article related to a CloudFront Private Content feature that allows you to restrict the access to your content. Apparently, the CloudFront private content configuration is not straightforward and involves many steps as described in our previous post. You have to configure your distribution to support private content, generate keys, create policies and finally sign URLs. CloudFront users wanted something simple similar to Amazon S3 Query String authentication.

Coming Canned Policies

The CloudFront team have been quick to react on user feedback and introduced so-called Canned Policies. Canned Policies, unlike Custom Policies, are generated automatically, depending on the resource you want to generate the signed URL for and the expiration time. In this case, the expiration time is passed as a query string parameter in the URL:

Creating Canned Policies with CloudBerry Explorer

First, you have to create the canned policy. Got to Tools | Policies in the program menu to open Add New Policy dialog. Choose Canned Policy as shown on the screen. See how IP Range and Resource Mask fields become disabled.


Specify Private Key file and Key pair ID. Click ok to create the canned policy.

Note: Amazon CloudFront checks the signature with a public key that is stored in Amazon (it can be uploaded if you use your own private key, or created by Amazon if you use Amazon’s key generator).For Amazon to know with which key it should check the signature, the Key Pair Id is passed in the URL as a parameter.

Generating URLs using a Canned Policy

There is nothing new to Generate Web URL dialog. It is just that you have to choose the canned policy in the list.


Note: The policy is placed in WebURL as a query parameter (url-safe Base64-encoded). Only accounts set up as a Trusted Signer for a distribution can sign the Policy. Otherwise, the signed URL will not be valid.

What’s next

We are going to make it even easier to generate protected URLs using Canned Policies in the future release. You won’t have to create a canned policy separately and you will be able to generate URL right on the Web URL screen. Stay tuned!

Note: this post applies to CloudBerry Explorer 1.6.5 and later.

How To Run CloudFront Private Content with CloudBerry S3 Explorer

CloudBerry S3 Explorer is by far the most popular Amazon S3 and CloudFront manager on Windows platform.At the same time Amazon rapidly enhance their services to meet growing customer expectations.To maintain our leadership position we are trying to say on top of Amazon developments and support all recent enhancements in CloudBerry Explorer.
Continue reading