Currently, I have public s3 bucket for download csv and media using cloud front URLs. But its time to make private accessible bucket URLs by users wise. it means user A can not access URL of user B's media of bucket. As google say can possible with IAM user ACL policy for each one. but there are 1000 users on live already for application so its it's not worth to make IAM policy for each users.
Can any good solution to make it private without using IAM concept? In my application, each user have authentication. so, can we use cookie for the solution?. Really I am new to AWS it would appreciate your guidance.
CodePudding user response:
You can make this work by using: Cloudfront Signed URL Cloudfront Functions Cookies.
Step 1: Setup CloudFront Signed Url. This AWS Doc explains how to do it. The gist of it is that you provide keys to CloudFront to verify the signature in the url.
Step 2: Create a CloudFront function and assign it to your CloudFront distribution.
Step 3: Only allow signed requests to your CloudFront distribution.
Step 4: Send cookies or specific header values that include some user identifier (ex: user guid/uuid)
Step 5: In your CloudFront function, verify that the user making the request has access to the object. The easiest way to do this is to have an S3 file structure that includes your identifier in the path. For example, if a csv file is saved under s3://your-bucket/id123/a.csv
, then verify that the header/cookie include id123
as the identifier. Check CloudFront Functions event structure
Step 6: If there isn't a match, deny the request.