
How to authenticate large numbers of Amazon S3 GET requests


This should be easy but I can't find anything on it. I have a mapping application which has a vast number of map tiles. I was looking at hosting all the tiles in an Amazon S3 bucket to make them closer to the users but only want users of my web page to access them.

So, I've created the bucket, I've got an IAM user with read access to the bucket, how do I authenticate the client browser requests to get the files?

I could create a signed URL on the server side for each file but users could be making loads of requests a second and by the time I've sent back the signed URL I might as well have just sent the file, plus then we lose caching.

The users are locally authenticated. I don't want the secret key sent to the client.


Solution

  • CloudFront signed cookies allow you to control who can access your content when you don't want to change your current URLs or when you want to provide access to multiple restricted files, for example, all of the files in the subscribers' area of a website.

    http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html

    Unlike S3 pre-signed URLs, CloudFront signed cookies (as well as CloudFront signed URLs) allow you to create one signed policy that allows users to access protected content matching a wildcard, for example, https://assets.example.com/data/*.

    The signed cookie (which is actually 3 cookies that work together) tells CloudFront that the browser's access to the requested object is allowed.

    CloudFront is integrated with S3 using an object called an origin access identity. When S3 is configured behind CloudFront, once CloudFront verifies that the request is authorized (either via CloudFront signed cookies, a CloudFront signed URL, or a Cache Behavior that is configured not to restrict bucket access), the origin access identity's credentials are used to sign a request and send it to S3 to fetch the object, assuming the requesting CloudFront edge does not already have the object cached.

    By using the origin access identity -- which you grant permission to read from the bucket, in the bucket policy -- CloudFront is then able to read non-public objects from the bucket, and serve them back to the authorized requester.

    The credentials used to sign the cookies are not IAM credentials -- a separate set of credentials is associated with the origin access identity.

    Since the signed URL that CloudFront generates and sends to S3 is not visible to the browser (this is all done on the back-end), it doesn't negatively impact browser cacheability of the objects the way using an S3 signed URL could.

    Review the CloudFront and S3 pricing tables to familiarize yourself with the impact on S3 pricing when using CloudFront with S3. There are a number of variables involved since CloudFront has geographic pricing that uses different regional boundaries from the rest of AWS. CloudFront has its own costs but will substantially reduce the cost of S3, sometimes resulting in the costs of CloudFront+S3 being slightly lower than the cost of using S3 alone (presumably this is because moving traffic from the AWS core to the edge represents a cost savings to Amazon, which is built into the price structure).