I'd like to protect Amazon CloudFront content with my own application-specific authorization logic.
For example, for authentication purposes I may use the Amazon Cognito and Amazon CloudFront with AWS Lambda@Edge approach, which inspects every incoming request to CloudFront and ensures that the request carries a valid JWT.
But what about the authorization part?
According to the application business logic, not every authenticated user should have access to the same resources.
How and where do I check that a user with a valid JWT has access (according to the application business logic) to the requested Amazon CloudFront content?
Should such authorization logic also be included in the Lambda@Edge handler?
CodePudding user response:
Yeah, Lambda@Edge can be used to authorize the user to access a resource behind CloudFront.
And the authorization can be done with the Amazon Cognito User Pool service.
Your flow will be similar to the following one:
Here is an example of how to do this: Secure Your Static Website with AWS CloudFront and Lambda
Check this blog post to understand more about this process: Authorization@Edge: Protect your Amazon CloudFront content from being downloaded by unauthenticated users.