I am hosting micro-frontends on S3 behind CloudFront. I do not want people to access static files through a direct URL. I was looking for a solution and found that we can protect them with an access token that can be validated by Lambda@Edge. I don't want Lambda@Edge to check whether the user is authenticated for each file, as there will be multiple static files used by the actual website, and if Lambda validates the token for each file, it will become slow.
You can restrict access to the content in your S3 bucket by configuring user access to your content through CloudFront URLs. This requires giving CloudFront the access control permission to read the files in the S3 bucket. More information can be found [here](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-overview.html). Ensure your S3 bucket is private. – SwathiP Jul 25 '23 at 17:58
@SwathiP - That still does not prevent the user from getting content directly via the CloudFront URL, though – Tofig Hasanov Jul 26 '23 at 04:13
1 Answer
You can use the signed cookies approach to protect all restricted content on your CloudFront distribution. Your application will need to set the cookie once and then pass it as headers to all requests to CloudFront. See the official docs for details.
The Lambda@Edge approach can also work in your case, as it does not need to be slow. If you have multiple resources, they can be retrieved in parallel, so latencies should not compound.

Tofig Hasanov
CloudFront Functions can further reduce latency, as they will run on the machines caching your content at the real edge. – MarcC Jul 26 '23 at 19:41
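
The signed-cookies approach from the answer above, as an added example that is not part of the original thread: the application signs one custom policy with a wildcard resource after login, and CloudFront then validates the cookies on every static file request without any Lambda. The domain `cdn.example.com`, the key ID `KEXAMPLEKEYID` and the throwaway RSA key are constructed placeholders, and `checkCookies` is a hypothetical local sanity check, not CloudFront's own code.

```javascript
const crypto = require("crypto");

// CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfBase64 = (buf) =>
  buf.toString("base64").replace(/\+/g, "-").replace(/=/g, "_").replace(/\//g, "~");
const cfUnbase64 = (s) =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "=").replace(/~/g, "/"), "base64");

// Custom policy with a wildcard resource: one cookie set covers every static
// file of the micro-frontends until expiresEpoch (Unix seconds).
function buildSignedCookies({ resource, keyPairId, privateKey, expiresEpoch }) {
  const condition = { DateLessThan: { "AWS:EpochTime": expiresEpoch } };
  // JSON.stringify emits no whitespace, which the policy format requires.
  const policy = JSON.stringify({ Statement: [{ Resource: resource, Condition: condition }] });
  const signature = crypto.sign("RSA-SHA1", Buffer.from(policy), privateKey);
  return {
    "CloudFront-Policy": cfBase64(Buffer.from(policy)),
    "CloudFront-Signature": cfBase64(signature),
    "CloudFront-Key-Pair-Id": keyPairId,
  };
}

// Set-Cookie header values for the login response. Secure keeps the cookies
// off plain HTTP; HttpOnly keeps them away from page scripts.
function toSetCookieHeaders(cookies) {
  return Object.entries(cookies).map(
    ([name, value]) => `${name}=${value}; Path=/; Secure; HttpOnly`
  );
}

// Hypothetical local check before deploying: the signature must verify
// against the public key uploaded to CloudFront, and the policy must not
// have expired at nowEpoch.
function checkCookies(cookies, publicKey, nowEpoch) {
  const policyBytes = cfUnbase64(cookies["CloudFront-Policy"]);
  const signature = cfUnbase64(cookies["CloudFront-Signature"]);
  const signed = crypto.verify("RSA-SHA1", policyBytes, publicKey, signature);
  const stmt = JSON.parse(policyBytes.toString()).Statement[0];
  return signed && nowEpoch < stmt.Condition.DateLessThan["AWS:EpochTime"];
}

// Constructed demo values: throwaway key pair, placeholder domain and key ID.
const { privateKey, publicKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const demoCookies = buildSignedCookies({
  resource: "https://cdn.example.com/*",
  keyPairId: "KEXAMPLEKEYID",
  privateKey,
  expiresEpoch: 1900000000,
});
```

In a real deployment the private key comes from a secrets store, and the cookie expiry should be kept short so that a copied cookie stops working soon after the session ends.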