AWS CloudFront
CloudFront Signed URL / Signed Cookies
- Say you want to distribute paid shared content to premium users around the world, and the content lives in AWS S3.
- If AWS S3 can only be accessed through CloudFront, we cannot use S3 pre-signed URLs.
- We can use CloudFront signed URLs instead. We attach a policy with:
  - The URL expiration
  - The IP ranges allowed to access the data
  - Trusted signers (which AWS accounts can create signed URLs)
- CloudFront signed URLs can only be created using the AWS SDK, so you have to code an application that verifies users and generates these URLs.
- How long should the URL be valid for?
  - Shared content (movie, music): make it short (a few minutes)
  - Private content (private to the user): you can make it last for years
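As an added example (not from the original notes), the custom-policy part of a CloudFront signed URL in Python: the policy JSON with an expiration and an IP-range condition, CloudFront's own URL-safe base64 alphabet, and a reviewer-side check that reads the lifetime back out of a URL, which is how you would audit the "how long should it be valid" rule above. The RSA-SHA1 signer is pluggable: `rsa_sha1_signer` builds the real one from a CloudFront key-pair private key (assumes the `cryptography` package), while the demo uses a clearly labelled SHA-1 stand-in so it runs offline; the domain and key-pair id are constructed placeholders.

```python
import base64
import hashlib
import json
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# CloudFront uses its own URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'
_CF_ENC = bytes.maketrans(b"+=/", b"-_~")
_CF_DEC = bytes.maketrans(b"-_~", b"+=/")

def cf_b64encode(data: bytes) -> str:
    return base64.b64encode(data).translate(_CF_ENC).decode("ascii")

def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii").translate(_CF_DEC))

def build_custom_policy(resource: str, expires: int, ip_cidr: Optional[str] = None) -> str:
    """Custom policy with an expiration and an optional source-IP condition, as compact JSON."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires}}
    if ip_cidr:
        condition["IpAddress"] = {"AWS:SourceIp": ip_cidr}
    doc = {"Statement": [{"Resource": resource, "Condition": condition}]}
    return json.dumps(doc, separators=(",", ":"))  # no whitespace: this exact text is what gets signed

def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """Real CloudFront signer (RSA PKCS#1 v1.5 over SHA-1); assumes the 'cryptography' package."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda msg: key.sign(msg, padding.PKCS1v15(), hashes.SHA1())

def signed_url(resource: str, expires: int, key_pair_id: str,
               sign: Callable[[bytes], bytes], ip_cidr: Optional[str] = None) -> str:
    policy = build_custom_policy(resource, expires, ip_cidr).encode()
    params = {"Policy": cf_b64encode(policy), "Signature": cf_b64encode(sign(policy)),
              "Key-Pair-Id": key_pair_id}
    return resource + ("&" if "?" in resource else "?") + urlencode(params)

def policy_lifetime(url: str, now: int) -> Tuple[int, Optional[str]]:
    """Reviewer-side check: seconds of validity left and the IP condition, decoded from the URL."""
    qs = parse_qs(urlparse(url).query)
    cond = json.loads(cf_b64decode(qs["Policy"][0]))["Statement"][0]["Condition"]
    return cond["DateLessThan"]["AWS:EpochTime"] - now, cond.get("IpAddress", {}).get("AWS:SourceIp")

if __name__ == "__main__":
    # Constructed demo values; the SHA-1 stand-in is NOT an RSA signature and CloudFront would reject it.
    fake_sign = lambda m: hashlib.sha1(m).digest()
    now = 1_700_000_000
    url = signed_url("https://dEXAMPLE.cloudfront.net/movie.mp4", now + 300,
                     "KEYPAIRID_PLACEHOLDER", fake_sign, ip_cidr="203.0.113.0/24")
    print(url)
    print(policy_lifetime(url, now))  # (300, '203.0.113.0/24')
```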
- CloudFront
  - Global [[Edge Network]]
  - Files are cached for a TTL (maybe a day)
  - Great for static content that must be available everywhere
  - Geo Restriction - you can restrict who can access your distribution
    - Whitelist - allow your users to access your content only if they're in one of the countries on a list of approved countries
    - Blacklist - prevent your users from accessing your content if they're in one of the countries on a blacklist of banned countries
    - The country is determined using a 3rd-party Geo-IP database
  - Use case - copyright laws to control access to content
- S3 Cross Region Replication
  - Must be set up for each region you want replication to happen to
  - Files are updated in near real-time
  - Replicas are read-only
  - Great for dynamic content that needs to be available at low latency in a few regions