
Restrict all access to S3 static website except from our Elastic Beanstalk website


We have an Elastic Beanstalk instance that serves our PHP website (example.com). We just added an S3 bucket which serves a different static website (static.com).

The EB website (example.com) requires specific credentials which are supplied to the end-user for logging in. We would like to have the S3 website (static.com) only viewable to the logged-in users of the EB website (example.com).

Use Cases:

  1. A user is logged into “example.com”. Within the site there would be links to the files on “static.com”. Clicking on these links would take the user to the files on “static.com” and they could navigate around that site.

  2. Someone has a URL to a page on “static.com”. Maybe someone shared that URL with them (that is expected behavior). When they attempt to load that URL in a browser, they are redirected to the login screen of “example.com” to login.

What is the best, and easiest, way to accomplish this? Cookies, CloudFront, Lambda functions? "Signed URLs" sounded like a possible avenue, but the URLs cannot change over time. This is a requirement in case users do share the URLs (which is expected and ok). Example: Hey Johnny, check out the information at "static.com/docs/widget_1.html"


Solution

  • If you have private content, CloudFront signed URLs are the right choice to generate unique URLs for authenticated users of your application for a limited time. Each time a user loads a page, you generate new short-lived URLs.

    If you'd like to enable someone to share links, one option is to provide users with a share option in your application that generates a signed URL with a longer TTL of a fixed amount (e.g., 3 days) for sharing. Or enable the user to select the length of time the shareable link should be valid, with a maximum allowed time period of x hours/days. If the link expires, they can generate a new one in the application.