Amazon CloudFront Key Group Signed URL Sample

This sample demonstrates how to create Amazon CloudFront signed urls using CloudFront Key Groups and CloudFront Public Keys.

Architecture

1. The admin user will invoke the rotate keys AWS Lambda when required.
2. The rotate keys AWS Lambda will use the current symmetric key from AWS Key Management Service to call GenerateDataKeyPair which will be converted to PEM format
3. The generated private key PEM is stored in AWS Secrets Manager to be used later when signing URLs
4. The generated public key PEM is stored as a CloudFront Public key. The CloudFront Key Group is also updated with the new Public key.
5. The admin user will invoke the sign url AWS Lambda to generate a CloudFront signed url for each file required by the end user.
6. The sign url AWS Lambda will request the current private key PEM file from AWS Secrets Manager
7. The sign url AWS Lambda will get the current public key from the associated Amazon CloudFront distributions key group and sign the url
8. The admin user will send the signed url to the user
9. The user will access the signed url through Amazon CloudFront
10. Amazon CloudFront validates the signed url and access the Amazon S3 bucket returning the results to the user

Requirements

1. AWS Cloud Development Kit (CDK) 2.53.0 or higher
2. AWS CLI for testing commands

Setup

1. Git clone this repository
2. From the root folder for this project run npm ci to install all packages required
3. From the root folder for this project run cdk deploy to deploy

Running

1. Once deployed the CloudFormation stack will create two outputs RotateKeysLambdaInvokeCommand and SignUrlLambdaInvokeCommand. These outputs are the cli commands to rotate the keys and to sign a url.
2. The CloudFormation deployment will perform the initial key rotation by invoking RotateKeysLambdaInvokeCommand.
3. To test the creation of a signed url please copy the SignUrlLambdaInvokeCommand cli command into your console and run. This command will produce an output with a signed url. Copy the signed url into your browser of choice to view the 'Hello World' example page via a signed url.
4. The second output RotateKeysLambdaInvokeCommand can run via your console to invoke the key rotation lambda.

Useful commands

• npm run build compile typescript to js
• npm run watch watch for changes and compile
• npm run test perform the jest unit tests
• cdk deploy deploy this stack to your default AWS account/region
• cdk diff compare deployed stack with current state
• cdk synth emits the synthesized CloudFormation template

Resource Cleanup

1. From the root folder for this project run cdk destroy

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.