
Create CloudFront distribution that accepts only signed URLs with serverless


I want to create a web CloudFront distribution that can be accessed only using signed URLs.

On creating the distribution manually, there is an option Restrict Viewer Access under the Default Cache Behavior Settings.


I want to create the distribution using the serverless framework but I can't find the CloudFormation attribute for the Restrict Viewer Access property.



Solution

  • The documentation is totally not clear on this one. If the signing keys are in the same account you are deploying the CloudFront Distribution to, you just need:

        TrustedSigners:
          - self

    Note: sometime in late 2020, CloudFront provided a way to create signing keys that does not involve using the AWS account root user. See these docs for more information: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#choosing-key-groups-or-AWS-accounts
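
Where the setting from the answer above sits in a `serverless.yml`, as an added example that is not part of the original answer: `TrustedSigners` belongs under `DistributionConfig.DefaultCacheBehavior`, and the key-group alternative from the linked docs uses `TrustedKeyGroups` in the same place. The resource names, origin domain and public key below are placeholders chosen for illustration.

```yaml
# serverless.yml (fragment). All names, the origin domain and the key are placeholders.
resources:
  Resources:
    # Only needed for Option B (key groups, no root-user key pair required).
    SigningPublicKey:
      Type: AWS::CloudFront::PublicKey
      Properties:
        PublicKeyConfig:
          Name: example-signing-key
          CallerReference: example-signing-key-v1
          # PEM-encoded RSA public key; replace the placeholder with your own.
          EncodedKey: |
            -----BEGIN PUBLIC KEY-----
            <PLACEHOLDER-PUBLIC-KEY>
            -----END PUBLIC KEY-----
    SigningKeyGroup:
      Type: AWS::CloudFront::KeyGroup
      Properties:
        KeyGroupConfig:
          Name: example-signing-key-group
          Items:
            - Ref: SigningPublicKey

    PrivateDistribution:
      Type: AWS::CloudFront::Distribution
      Properties:
        DistributionConfig:
          Enabled: true
          Origins:
            - Id: PrivateOrigin
              DomainName: origin.example.com   # placeholder origin
              CustomOriginConfig:
                OriginProtocolPolicy: https-only
          DefaultCacheBehavior:
            TargetOriginId: PrivateOrigin
            ViewerProtocolPolicy: https-only
            ForwardedValues:
              QueryString: false
            # Option A (the answer above): signing keys owned by this account.
            # This is what the console's "Restrict Viewer Access" toggle sets.
            TrustedSigners:
              - self
            # Option B: trust a key group instead of an account's key pairs.
            # TrustedKeyGroups:
            #   - Ref: SigningKeyGroup
```

The restriction is per cache behavior, so any additional entries under `CacheBehaviors` need their own `TrustedSigners` or `TrustedKeyGroups`, otherwise those path patterns stay reachable without a signature.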