Can cloudfront signed url be generated from signed cookie data?

1
votes

Can cloudfront signed url be generated from signed cookie data?

I have a signed url that downloads private content

http://1234.cloudfront.net/myfile.txt?response-content-disposition=attachment%3Bfilename%3Dfoobar.json&Expires=1510111000&Signature=someRandomSignature&Key-Pair-Id=MY-KEY-PAIR

Signed URL works fine.

Now, I'm trying to generate a signed cookie way of exposing private content so I had the following cookies added to my response object (in Spring/JAVA):

Cookie expiresCookie = new Cookie("CloudFront-Expires", "1510111000");
Cookie signatureCookie = new Cookie("CloudFront-Signature", "someRandomSignature");
Cookie keyPairCookie = new Cookie("CloudFront-Key-Pair-Id", "MY-KEY-PAIR");

Once the client gets these cookies, can't it (the client) generate the signed url and share the url to parties that shouldn't access it?

enter image description here

1
amazon-web-servicescookiescdnamazon-cloudfrontamazon-signed-cookie

1 Answers

2
votes

While this is certainly possible, CloudFront signed URLs/cookies mechanism allows server generating signature to lock access only to clients coming from certain IP addresses using IpAddress policy field per CloudFront developer documentation:

IpAddress (Optional)

The IP address of the client making the GET request. Note the following:

  • To allow any IP address to access the object, omit the IpAddress parameter.
  • You can specify either one IP address or one IP address range. For example, you can't set the policy to allow access if the client's IP address is in one of two separate ranges.
  • To allow accessfrom a single IP address, you specify: "IPv4 IP address/32"
  • You must specify IP address ranges in standard IPv4 CIDR format (for example, 10.52.176.0/24). [...]

If server generated the signed URL or cookie with IpAddress set, other parties would be only allowed to access contents on CloudFront if they come from the matching IP address.