
CloudFront - How to Create a Private Distribution (POST Distribution with Origin Access Identity and AWS Trusted Signers)

In Amazon CloudFront, your content is organized as "Distributions". A distribution is a link between an Amazon S3 bucket (the origin server) and a domain name assigned by Amazon CloudFront; it tells CloudFront where the original versions of your files are located. You can use this new domain name in place of the standard Amazon S3 references to reach your objects through AWS's network of edge locations.

You can create distributions to download your content using the HTTP or HTTPS protocols, and distributions to stream your content using the RTMP protocol. A public distribution grants read permission to all users; if you want to restrict who can access your objects, create a private distribution instead.

With CloudFront, a single distribution can combine origins hosted inside AWS (such as an S3 bucket) with custom origins running outside AWS.

You create a private CloudFront distribution and register your origin servers with CloudFront by sending an HTTP POST request to the AWS API endpoint. There are two ways to send that request:

1) Using the Amazon CloudFront API (POST Distribution): if you are a programmer, you can call the CloudFront API from your own code.

2) Using the Bucket Explorer UI: if you do not want to write any code, you can create private CloudFront distributions from the Bucket Explorer user interface with point and click.

Create Private Distribution using Amazon CloudFront API POST Distribution:

Once you have stored your objects in your origin server (an Amazon S3 bucket), you create a private distribution: a link between the S3 bucket (the origin server) and a CloudFront domain name (which Amazon CloudFront assigns automatically) that lets CloudFront locate your objects and restrict who can access them. A private distribution needs some additional configuration: besides the usual settings (bucket name, CNAME(s), comment and Enabled/Disabled, where CNAME(s) and comment are optional) you specify an OriginAccessIdentityID and the AWS Trusted Signers. You then change the ACL on your objects so that only you and CloudFront have read permission; without this step the objects remain readable directly from S3 and the restriction can be bypassed. End users can then reach the objects only through CloudFront, using the signed URLs you generate for the particular users you want to admit.
  • Origin Access Identity ID: an authenticated virtual identity that CloudFront uses to fetch private objects from your origin server.
  • Trusted Signers: a list of AWS account numbers (other than yours) to which you give authority to sign URLs.

1. Create Private Download Distribution Using CloudFront API POST Distribution

Creating a private distribution requires some additional configuration: you specify the OriginAccessIdentityID and the AWS Trusted Signers alongside the rest of the distribution configuration XML. The template below is the DistributionConfig body of the 2013-05-12 API; the same XML body is sent with POST Distribution to create a distribution and with PUT Distribution Config (shown here, hence the If-Match header) to update one. Here is the syntax:

Syntax:

PUT /2013-05-12/distribution/ distribution ID /config HTTP/1.1
Host: cloudfront.amazonaws.com
If-Match: value from ETag header in previous GET response
Authorization: AWS authentication string
Other required headers

<?xml version="1.0" encoding="UTF-8"?>
<DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2013-05-12/">
  <CallerReference> unique description for this distribution config </CallerReference>
  <Aliases>
    <Quantity> number of CNAME aliases </Quantity>
    <!-- Optional. Omit when Quantity = 0. -->
    <Items>
      <CNAME> CNAME alias </CNAME>
    </Items>
  </Aliases>
  <DefaultRootObject> URL for default root object </DefaultRootObject>
  <Origins>
    <Quantity> number of origins </Quantity>
    <Items>
      <Origin>
        <Id> unique identifier for this origin </Id>
        <DomainName> domain name of origin </DomainName>
        <!-- Include the S3OriginConfig element only if
             you use an Amazon S3 origin for your distribution. -->
        <S3OriginConfig>
          <OriginAccessIdentity>origin-access-identity/cloudfront/ ID </OriginAccessIdentity>
        </S3OriginConfig>
        <!-- Include the CustomOriginConfig element only if
             you use a custom origin for your distribution. -->
        <CustomOriginConfig>
          <HTTPPort> HTTP port that the custom origin listens on </HTTPPort>
          <HTTPSPort> HTTPS port that the custom origin listens on </HTTPSPort>
          <OriginProtocolPolicy>http-only | match-viewer</OriginProtocolPolicy>
        </CustomOriginConfig>
      </Origin>
    </Items>
  </Origins>
  <DefaultCacheBehavior>
    <TargetOriginId> ID of the origin that the default cache behavior applies to </TargetOriginId>
    <ForwardedValues>
      <QueryString>true | false</QueryString>
      <Cookies>
        <Forward>all | whitelist | none</Forward>
        <!-- Required when Forward = whitelist, omitted otherwise. -->
        <WhitelistedNames>
          <Quantity> number of cookie names to forward to origin </Quantity>
          <Items>
            <Name> name of a cookie to forward to the origin </Name>
          </Items>
        </WhitelistedNames>
      </Cookies>
    </ForwardedValues>
    <TrustedSigners>
      <Enabled>true | false</Enabled>
      <Quantity> number of trusted signers </Quantity>
      <!-- Optional. Omit when Quantity = 0. -->
      <Items>
        <AwsAccountNumber>self | AWS account that can create signed URLs </AwsAccountNumber>
      </Items>
    </TrustedSigners>
    <ViewerProtocolPolicy>allow-all | https-only</ViewerProtocolPolicy>
    <MinTTL> minimum TTL in seconds </MinTTL>
  </DefaultCacheBehavior>
  <CacheBehaviors>
    <Quantity> number of cache behaviors </Quantity>
    <!-- Optional. Omit when Quantity = 0. -->
    <Items>
      <CacheBehavior>
        <PathPattern> pattern that specifies files that this cache behavior applies to </PathPattern>
        <TargetOriginId> ID of the origin that this cache behavior applies to </TargetOriginId>
        <ForwardedValues>
          <QueryString>true | false</QueryString>
          <Cookies>
            <Forward>all | whitelist | none</Forward>
            <!-- Required when Forward = whitelist, omitted otherwise. -->
            <WhitelistedNames>
              <Quantity> number of cookie names to forward to origin </Quantity>
              <Items>
                <Name> name of a cookie to forward to the origin </Name>
              </Items>
            </WhitelistedNames>
          </Cookies>
        </ForwardedValues>
        <TrustedSigners>
          <Enabled>true | false</Enabled>
          <Quantity> number of trusted signers </Quantity>
          <!-- Optional. Omit when Quantity = 0. -->
          <Items>
            <AwsAccountNumber>self | AWS account that can create signed URLs </AwsAccountNumber>
          </Items>
        </TrustedSigners>
        <ViewerProtocolPolicy>allow-all | https-only</ViewerProtocolPolicy>
        <MinTTL> minimum TTL in seconds for files specified by PathPattern </MinTTL>
      </CacheBehavior>
    </Items>
  </CacheBehaviors>
  <Comment> comment about the distribution </Comment>
  <Logging>
    <Enabled>true | false</Enabled>
    <IncludeCookies>true | false</IncludeCookies>
    <Bucket> Amazon S3 bucket to save logs in </Bucket>
    <Prefix> prefix for log filenames </Prefix>
  </Logging>
  <ViewerCertificate>
    <IAMCertificateId> IAM certificate ID </IAMCertificateId> |
    <CloudFrontDefaultCertificate>true</CloudFrontDefaultCertificate>
  </ViewerCertificate>
  <PriceClass> maximum price class for the distribution </PriceClass>
  <Enabled>true | false</Enabled>
</DistributionConfig>
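As an added example (not Bucket Explorer's code and not the AWS template above), the following Python builds a DistributionConfig in the 2013-05-12 schema for a single S3 origin locked to an Origin Access Identity with signed URLs required, audits any DistributionConfig for the two settings that make a distribution private (an OAI on every S3 origin, TrustedSigners enabled and non-empty on every cache behavior), and emits the S3 bucket policy that completes the "only you and CloudFront can read" step described earlier. The OAI id, bucket name, origin id, account list and caller reference are constructed placeholders; request signing and the HTTP transport are outside the example.

```python
"""Build and audit a CloudFront DistributionConfig for a private distribution.
Added example, not Bucket Explorer's code; XML follows the 2013-05-12 schema.
Every id, bucket name and account number below is a constructed placeholder."""
import json
import xml.etree.ElementTree as ET

NS = "http://cloudfront.amazonaws.com/doc/2013-05-12/"
ET.register_namespace("", NS)  # serialize with a default xmlns, as the API expects


def _tag(name):
    return "{%s}%s" % (NS, name)


def _sub(parent, name, text=None):
    el = ET.SubElement(parent, _tag(name))
    if text is not None:
        el.text = str(text)
    return el


def build_private_config(caller_reference, bucket, origin_id, oai_id, trusted_signers):
    """Return DistributionConfig XML for one S3 origin. oai_id=None yields a public
    origin; an empty trusted_signers list leaves signed URLs optional."""
    root = ET.Element(_tag("DistributionConfig"))
    _sub(root, "CallerReference", caller_reference)
    _sub(_sub(root, "Aliases"), "Quantity", 0)  # no CNAMEs (optional)
    origins = _sub(root, "Origins")
    _sub(origins, "Quantity", 1)
    origin = _sub(_sub(origins, "Items"), "Origin")
    _sub(origin, "Id", origin_id)
    _sub(origin, "DomainName", "%s.s3.amazonaws.com" % bucket)
    # An empty OriginAccessIdentity element means CloudFront fetches anonymously.
    _sub(_sub(origin, "S3OriginConfig"), "OriginAccessIdentity",
         "origin-access-identity/cloudfront/%s" % oai_id if oai_id else "")
    dcb = _sub(root, "DefaultCacheBehavior")
    _sub(dcb, "TargetOriginId", origin_id)
    fwd = _sub(dcb, "ForwardedValues")
    _sub(fwd, "QueryString", "false")
    _sub(_sub(fwd, "Cookies"), "Forward", "none")
    ts = _sub(dcb, "TrustedSigners")
    _sub(ts, "Enabled", "true" if trusted_signers else "false")
    _sub(ts, "Quantity", len(trusted_signers))
    if trusted_signers:  # Items is omitted when Quantity = 0
        items = _sub(ts, "Items")
        for account in trusted_signers:  # "self" or a 12-digit account number
            _sub(items, "AwsAccountNumber", account)
    _sub(dcb, "ViewerProtocolPolicy", "https-only")
    _sub(dcb, "MinTTL", 0)
    _sub(_sub(root, "CacheBehaviors"), "Quantity", 0)
    _sub(root, "Comment", "private distribution for %s" % bucket)
    log = _sub(root, "Logging")
    _sub(log, "Enabled", "false")
    _sub(log, "IncludeCookies", "false")
    _sub(log, "Bucket", "")
    _sub(log, "Prefix", "")
    _sub(_sub(root, "ViewerCertificate"), "CloudFrontDefaultCertificate", "true")
    _sub(root, "PriceClass", "PriceClass_All")
    _sub(root, "Enabled", "true")
    return ET.tostring(root, encoding="unicode")


def audit_private_config(xml_text):
    """Return findings that would let viewers bypass the private distribution;
    an empty list means every S3 origin uses an OAI and every cache behavior
    (default and path-specific) requires signed URLs."""
    root = ET.fromstring(xml_text)
    findings = []
    for origin in root.iter(_tag("Origin")):
        s3cfg = origin.find(_tag("S3OriginConfig"))
        if s3cfg is not None and not (s3cfg.findtext(_tag("OriginAccessIdentity")) or "").strip():
            findings.append("origin %s: S3 origin has no OriginAccessIdentity"
                            % origin.findtext(_tag("Id")))
    behaviors = list(root.iter(_tag("DefaultCacheBehavior"))) + list(root.iter(_tag("CacheBehavior")))
    for cb in behaviors:
        label = cb.findtext(_tag("PathPattern")) or "default"
        ts = cb.find(_tag("TrustedSigners"))
        enabled = ts is not None and (ts.findtext(_tag("Enabled")) or "").strip() == "true"
        quantity = int(ts.findtext(_tag("Quantity")) or 0) if ts is not None else 0
        if not enabled or quantity == 0:
            findings.append("cache behavior %s: TrustedSigners disabled or empty, "
                            "signed URLs not required" % label)
    return findings


def oai_bucket_policy(bucket, oai_id):
    """S3 bucket policy granting read access only to the OAI's canonical IAM user,
    so the bucket is reachable through CloudFront alone once public ACLs are removed."""
    principal = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity %s" % oai_id
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIRead",
            "Effect": "Allow",
            "Principal": {"AWS": principal},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::%s/*" % bucket,
        }],
    }, indent=2)


if __name__ == "__main__":
    cfg = build_private_config("demo-2013-05-12-001", "example-private-bucket",
                               "S3-example-private-bucket", "EXAMPLEOAIID", ["self"])
    print(cfg)
    print(audit_private_config(cfg) or "OK: distribution is private")
    print(oai_bucket_policy("example-private-bucket", "EXAMPLEOAIID"))
```

The audit is the check worth keeping: a distribution whose bucket policy only trusts the OAI but whose cache behavior has TrustedSigners disabled still serves every object to anyone who knows the CloudFront URL, and an S3 origin without an OAI leaves the bucket readable directly even when signed URLs are enforced.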
 

2. Create Private Download Distribution Using Bucket Explorer

Steps to create a private distribution with Bucket Explorer:

  1. Run Bucket Explorer.
  2. Choose the "Distribution → List Distribution" icon in the Bucket table toolbar, or right-click any bucket and select the "Manage Distribution" option.
  3. A "List distribution" window opens with the list of already created distributions.
  4. To create a new distribution, choose the "New" icon in the toolbar of the List distribution window.
  5. A new window opens to create the distribution. Select Download Distribution and click Next.
  6. The General Distribution Details panel appears.
  7. Fill in details such as Default Root Object, CNAME, Price Class, Comments, and logging with Include Cookies. Then click Next.
  8. The Origin panel appears.
  9. Select the S3 Bucket from the list and enter the Origin Access Identity details. You can use an existing Access Identity or generate a new one.
     (Origin Access Identity details are required for a private distribution; without them a public distribution is created.)
  10. Click the Add button to add the details to the table below, then click Next.
  11. The Cache Behavior Details panel appears.
  12. Fill in details such as:
     1. Enter the Path pattern.
     2. Add the AWSAccountNumber(s) to the Trusted Signers list.
     3. Viewer Protocol policy: Allow all or Https only.
     4. Set Min TTL.
     5. Select Query String as ON or OFF.
     6. Select the Forward Cookies option: All, WhiteList or None.
     7. Select the Make it Default check box.
     8. Click the Add button to add these details to the table below.
  13. Click the Create button to create the private distribution.

Note: You can add multiple Origin Details (S3 or non-S3) to a distribution.