CloudBerry Lab Resources
Get started with cloud backup and management solutions
default featured image

How To Run CloudFront Private Content with CloudBerry S3 Explorer

CloudBerry S3 Explorer is by far the most popular Amazon S3 and CloudFront manager on Windows platform.At the same time Amazon rapidly enhance their services to meet growing customer expectations.To maintain our leadership position we are trying to say on top of Amazon developments and support all recent enhancements in CloudBerry Explorer.

Today the CloudFront team introduced a new exciting capability that will help to protect your content on the distributions. You might want to use CloudFront to deliver a digital asset you’ve sold online, or use it to distribute objects only to your company’s employees. In these circumstances, you need detailed control over who can download your “private” content. As a result, today Amazon added an ability to handle private content in Amazon CloudFront.

How CloudBerry Explorer supports CloudFront Private Content?

First, you have to configure a distribution to serve private content. You can configure an existing distribution or a new distribution, but a distribution should be created before you configure private content. Check out here to learn how to create a CloudFront distribution.

To configure a distribution for private content click on the distribution properties on the toolbar on in the content menu and go to the Private Content tab.


Click the checkbox to enable Private Content. Now there are a few things that might confuse you at first.

Origin Access Identity: this is a "virtual" user that is used for managing permissions. Since you are able to restrict access you need to set permissions for objects. But for whom? Amazon provides some "virtual" users for this purpose. The Origin Identity that you see CloudBerry Explorer generates for you automatically as you should have at list one. You can also generate them using CloudFront API.

Identity S3 canonical user ID. This is the user ID that you can use in ACL editor to grant permissions. It is associated with the Origin Access Identity.

Trusted Signers:
You can only obtain the access to objects with signed URLs.
Trusted signers are Amazon S3 accounts numbers of users who can generate signed URLs. If one of them will generate a signed URL with his private key, it will be valid. If someone else tries to generate signed URL - it will be invalid.

To find your account number go to Your Account | Account Activity on AWS website. Look for Account Number as shown on the screen:


Add myself to trusted signers: by default you are not added to Trusted Signers. So if you want to generate signed URLs you have to check it.

Granting permissions to origin access identity

Notice that ACL dialog has been extended to include Origin Access Identity account automatically for CloudFront distributions configured for Private Content, You have to grant Read access to CloudFront Origin Access Identity account to make the files available for Private Distribution.


Update: There is now a more advanced way to grant Origin Access Identity access to the files in the bucket. You can configure the Bucket Policy to always grant Read access to Origin Access Identity. Read our recent blog post for details.

Security Policies

Before we go any further we have to learn what Security Policy is. Click Tools | Policies in the program menu to open policies window and click New Policy. It helps you to create the policy which will basically define an IP range and address range to limit access to your private content.

Specify a path to your Private Key file in the private key field. This key will be used to sign the Policy.

Key Pair ID is something you will get from Amazon when you generate a Key Pair using Amazon web interface our upload your own key.

The policy on the screen below will grant access to every IP address and to every file in your bucket HTTP://*


Note: that the policies are stored locally on your computer. So if you run CloudBerry Explorer on another computer or somebody else manage your S3 account the policies are not shared.

What is Private Key and how I can get it?

The private key - is the file in PEM format. The key pair (public (for Amazon to check your signature) + private (to be stored securely on your computer)) can be generated by Amazon on your account page.

If you already have a key pair, you can upload the PUBLIC key to Amazon S3 (using your account web interface), and use your PRIVATE key to sign the URLs.

Using a Key Pair Generated by AWS

If you don't already have key pair, you can have AWS generate a pair and automatically associate the public key with your AWS account.

To have AWS create a key pair for you

1. Go to the Amazon Web Services web site at

2. Point to Your Account and click Security Credentials.

3. Log in to your AWS account.

The Security Credentials page is displayed.

4. In the Access Credentials section of the page, click the Key Pairs tab.

5. Click Create a New Key Pair.

Your new public and private key are generated, along with an ID for the key pair. Amazon keeps the public key and gives you the private key.

6. From the dialog box, download your private key file to a local directory, and record the corresponding key ID.

Here's how it looks like


Important: If you're an Amazon EC2 user, you probably already have at least one other key pair, which you use to connect to your instances through SSH or Windows Remote Desktop. your amazon EC2 key pairs work only with Amazon EC2, and your Amazon CloudFront keys work only with CloudFront. You can't use the private key from one service with the other service.

To upload your own public key

1. Go to the Amazon Web Services web site at

2. Point to Your Account and click Security Credentials.

3. Log in to your AWS account. The Security Credentials page is displayed.

4. In the Access Credentials section of the page, click the Key Pairs tab.

5. Click Upload Your Own Public Key.

6. Follow the instructions presented to upload your public key.

Note: CloudBerry Explorer also supports PKCS#8 non-encrypted keys that start with


How to generate a Private Content URL?

Generate Web Url dialog has been extended. The new option only shows up when creating a URL for objects residing on CloudFront Distributions configured for Private Content.


We hope CloudFront Private Content support in CloudBerry Explorer will make it easier to explore the new CloudFront functionality and make CloudBerry Explorer your tool of choice for managing S3 and CloudFront.

Note: this post applies to CloudBerry Explorer 1.7 and later.

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)