0

Let's say I generated a signed url as follows:

https://myapp.mydomain.net/media/comicCon.jpg?Key-Pair-Id=XXXXXXXXXXXX&Signature=SomeSignature&Expires=1573770000

I have this image on a page in myapp.
Somebody that is logged into myapp could view source and copy the signed url, passing it around to their friends?

I don't want to allow this.

I know you can set short expires and ip address ranges but they are not an option.

Maybe I need to generate a private key every time someone logs into myapp and pass this to call to generate signed url?

Am I missing something obvious about how CloudFront works?

We have actually moved to signed cookies instead and can limit by ip. Created new question here for problem with creating signed cookie limited by ip.

Thomas Buckley
  • 5,836
  • 19
  • 62
  • 110
  • I think based on this answer by @JohnRotenstein, that they can be limited by time/ip only. https://stackoverflow.com/questions/30609663/aws-s3-the-security-of-a-signed-url-as-a-hyperlink – Thomas Buckley Apr 04 '18 at 13:12
  • *"I know you can set short expires and ip address ranges but they are not an option."* Why not? You generate the signed links while rendering the page, specifically for that user from their current IP address. – Michael - sqlbot Apr 06 '18 at 02:46
  • With CloudFront, you can also embed extra "tattle-tale" info in the signed URL, with arbitrary `x-...` parameters e.g. `?x-authorized-site-user=John+Smith&...`. CloudFront doesn't understand them, so they have no function, yet if you add them before signing, they are automatically mandatory and immutable: if the user tries to modify them before sharing, the signature no longer matches and the link is unusable -- signed URLs can't be modified by the user. These values can be used to "discourage" sharing, and they are logged in the CloudFront access logs. – Michael - sqlbot Apr 06 '18 at 02:49
  • @Michael-sqlbot I jumped the gun thinking we could not limit based on ip address, we can. Actually using signed cookies instead. For some reason using ip address/range in call doesn't seem to work. See updated question.. – Thomas Buckley Apr 17 '18 at 08:13

0 Answers0