
I'm working on a system that uses Amazon S3 to store sensitive user media, which users access via a Cloudfront distribution. I'm locking down public access using Cloudfront's query parameter authentication so that we create a secure string using a Cloudfront private key. This auth string can be attached to a Cloudfront URL to allow access only to appropriate S3 resources.

However, I'm a little confused on the best way to distribute this private key amongst my team for development. Usually we would have a secret production key that only works for our production distribution and a less secret development key that works on our staging distributions.

However, the Cloudfront docs indicate that keypairs can only be created by the root AWS user, who is allowed a maximum of 2 keys (for key rotation purposes). At the same time, the docs indicate that you can specify different accounts as trusted signers and limit them to specific distributions. If this is true, I believe I could lock down specific distributions to keys created by specific users.

Can anyone help me understand:

  1. if the root user is actually the only user that can create cloudfront key pairs? (Maybe through Organizations, I can create other non-IAM, root-like users?)
  2. how we might create a development key pair that only allows access to our development distributions?

Thanks for the help!

1 Answer


I was able to get this working by doing the following:

  1. I created another non-IAM account in my Organization from the primary root user.
  2. From there, I logged into this account to generate and download a new Cloudfront keypair.
  3. To ensure this new keypair could only be used with the Cloudfront distribution(s) I wanted, I did the following for each of my distributions:
    1. Visited the Behaviors tab > Edit
    2. Checked Specify Accounts under Trusted Signers
    3. Entered only the account number of the root user I wanted to allow access for into "AWS Account Numbers"

I hope this clears up the process for someone else!

Comment: This is not a recommended approach, due to the fact that you need to create the key pair ID using the root account. The recommended approach is to use trusted groups instead. – cool Mar 23 '21 at 22:30
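The signed-URL mechanism the question relies on, shown end to end as an added example (not code from either poster): a canned policy is signed with the CloudFront private key using RSA-SHA1, encoded in CloudFront's URL-safe base64 variant, and attached as Expires, Signature and Key-Pair-Id; a verify step recomputes what CloudFront checks for a trusted signer. The key pair is a throwaway generated on the fly, and the distribution hostname and Key-Pair-Id are placeholders.

```shell
#!/bin/sh
# Added example, not from the question or answer: build and verify a CloudFront
# signed URL with a canned policy using only openssl. The key pair is a throwaway
# generated on the fly; the distribution hostname and Key-Pair-Id are placeholders.
set -eu

WORK=$(mktemp -d)
openssl genrsa -out "$WORK/cf-private.pem" 2048 2>/dev/null      # constructed key pair
openssl rsa -in "$WORK/cf-private.pem" -pubout -out "$WORK/cf-public.pem" 2>/dev/null

# CloudFront's URL-safe base64 variant: standard base64 with + / = replaced by - ~ _.
cf_b64()   { openssl base64 -A | sed -e 's/+/-/g' -e 's,/,~,g' -e 's/=/_/g'; }
cf_unb64() { sed -e 's/-/+/g' -e 's,~,/,g' -e 's/_/=/g' | openssl base64 -d -A; }

# Canned policy: exactly one resource and one expiry (epoch seconds), compact JSON.
canned_policy() {
  printf '{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%s}}}]}' "$1" "$2"
}

# Sign the policy with RSA-SHA1 (the scheme CloudFront verifies) and assemble the URL.
# Args: url expires key-pair-id private-key-path
sign_url() {
  policy=$(canned_policy "$1" "$2")
  sig=$(printf '%s' "$policy" | openssl dgst -sha1 -sign "$4" | cf_b64)
  printf '%s?Expires=%s&Signature=%s&Key-Pair-Id=%s\n' "$1" "$2" "$sig" "$3"
}

# The check CloudFront performs for a trusted signer: rebuild the policy from the
# URL and verify the signature with the public key. Exit status 0 means valid.
# Args: signed-url public-key-path
verify_url() {
  base=${1%%\?*}
  query=${1#*\?}
  expires=$(printf '%s' "$query" | tr '&' '\n' | sed -n 's/^Expires=//p')
  sig=$(printf '%s' "$query" | tr '&' '\n' | sed -n 's/^Signature=//p')
  canned_policy "$base" "$expires" > "$WORK/policy.json"
  printf '%s' "$sig" | cf_unb64 > "$WORK/sig.bin"
  openssl dgst -sha1 -verify "$2" -signature "$WORK/sig.bin" "$WORK/policy.json" >/dev/null 2>&1
}

URL=$(sign_url "https://d111111abcdef8.cloudfront.net/media/user42/photo.jpg" \
               "$(( $(date +%s) + 3600 ))" "KEYPAIRID-PLACEHOLDER" "$WORK/cf-private.pem")
echo "$URL"
verify_url "$URL" "$WORK/cf-public.pem" && echo "signature verifies with the public key"
```

Because the resource path is inside the signed policy, changing any part of the URL invalidates the signature, which is why a development key that is only a trusted signer on the development distributions cannot mint URLs the production distribution will accept.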