1
00:00:00,000 --> 00:00:02,490
‫So say you have a CloudFront distribution

2
00:00:02,490 --> 00:00:03,900
‫and you wanna make it private

3
00:00:03,900 --> 00:00:05,700
‫and you want to give access to people

4
00:00:05,700 --> 00:00:08,940
‫to premium paid shared content all over the world.

5
00:00:08,940 --> 00:00:12,210
‫But you want to be able to see and know who has access

6
00:00:12,210 --> 00:00:14,190
‫to what on your CloudFront distribution.

7
00:00:14,190 --> 00:00:16,200
‫For this, you can use a CloudFront signed URL

8
00:00:16,200 --> 00:00:18,120
‫or a signed cookie and not tell the difference

9
00:00:18,120 --> 00:00:20,280
‫of SAML and cookie at the very end of this slide.

10
00:00:20,280 --> 00:00:22,710
‫So first, when we create a URL and a cookie,

11
00:00:22,710 --> 00:00:24,000
‫you need to attach a policy

12
00:00:24,000 --> 00:00:28,050
‫and you need to tell when does the URL or the cookie expire.

13
00:00:28,050 --> 00:00:30,660
‫What IP ranges can access this data from?

14
00:00:30,660 --> 00:00:32,940
‫So if you know the target IP of your clients,

15
00:00:32,940 --> 00:00:34,650
‫then you should definitely use that.

16
00:00:34,650 --> 00:00:35,610
‫And the trusted signers,

17
00:00:35,610 --> 00:00:38,580
‫so which address accounts can create signed URLs

18
00:00:38,580 --> 00:00:40,080
‫for your users.

19
00:00:40,080 --> 00:00:40,987
‫Then you can ask me,

20
00:00:40,987 --> 00:00:42,960
‫"How long should this URL be valid for?"

21
00:00:42,960 --> 00:00:45,240
‫Well, if you're sharing a content, for example,

22
00:00:45,240 --> 00:00:47,130
‫a movie, or music, you can make it very short,

23
00:00:47,130 --> 00:00:48,210
‫a few minutes.

24
00:00:48,210 --> 00:00:50,670
‫But if it's content that is private to the user

25
00:00:50,670 --> 00:00:53,010
‫that they will access in a long period of time,

26
00:00:53,010 --> 00:00:56,820
‫you can make that URL or that signed cookie last for years.

27
00:00:56,820 --> 00:00:58,950
‫So what's the different between a URL and a cookie?

28
00:00:58,950 --> 00:01:01,950
‫A signed URL gives access to individual files.

29
00:01:01,950 --> 00:01:03,750
‫So you get one URL per file.

30
00:01:03,750 --> 00:01:07,620
‫So if you have 100 files to show you'll get 100 URLs.

31
00:01:07,620 --> 00:01:09,120
‫And if you have a signed cookie,

32
00:01:09,120 --> 00:01:11,070
‫then you give access to multiple files

33
00:01:11,070 --> 00:01:12,480
‫and the cookie can be reused.

34
00:01:12,480 --> 00:01:15,120
‫So this time you have one signed cookie for many files.

35
00:01:15,120 --> 00:01:18,810
‫So choose whatever you need based on the context.

36
00:01:18,810 --> 00:01:21,570
‫Now, how does signed URL work as a diagram?

37
00:01:21,570 --> 00:01:23,490
‫So we have our CloudFront distribution

38
00:01:23,490 --> 00:01:24,990
‫and has a bunch of locations.

39
00:01:24,990 --> 00:01:25,823
‫And for example,

40
00:01:25,823 --> 00:01:28,830
‫we seen before that we can access our Amazon S3 bucket

41
00:01:28,830 --> 00:01:33,480
‫through OAC origin access control for maximum security.

42
00:01:33,480 --> 00:01:36,060
‫And so that means that the objects in our S3 buckets

43
00:01:36,060 --> 00:01:38,790
‫cannot be accessed by anything else, but CloudFront.

44
00:01:38,790 --> 00:01:41,130
‫But we still want to be able to give people access

45
00:01:41,130 --> 00:01:43,260
‫to their objects through CloudFront.

46
00:01:43,260 --> 00:01:45,300
‫So we have our clients, and our client is going

47
00:01:45,300 --> 00:01:48,450
‫to authorize and authenticate to our application

48
00:01:48,450 --> 00:01:50,490
‫and we have to code that application.

49
00:01:50,490 --> 00:01:53,130
‫And our application will use the AWS SDK

50
00:01:53,130 --> 00:01:56,010
‫to generate a signed URL directly from CloudFront.

51
00:01:56,010 --> 00:01:59,010
‫It will return the signed URL to the clients

52
00:01:59,010 --> 00:02:00,660
‫and then the clients will be able to use

53
00:02:00,660 --> 00:02:04,680
‫that signed URL to get the data and the files

54
00:02:04,680 --> 00:02:06,300
‫and the objects or whatever you need,

55
00:02:06,300 --> 00:02:07,770
‫directly from CloudFront.

56
00:02:07,770 --> 00:02:08,820
‫So this works for signed URL,

57
00:02:08,820 --> 00:02:11,880
‫but this also works for signed cookie obviously.

58
00:02:11,880 --> 00:02:13,050
‫But you may be asking yourself,

59
00:02:13,050 --> 00:02:14,940
‫should I use a CloudFront signed URL

60
00:02:14,940 --> 00:02:16,980
‫or an S3 pre-signed URL?

61
00:02:16,980 --> 00:02:18,480
‫And they have a different purpose.

62
00:02:18,480 --> 00:02:22,350
‫So CloudFront signed URL is to allow access to a path,

63
00:02:22,350 --> 00:02:23,460
‫no matter the origin.

64
00:02:23,460 --> 00:02:26,760
‫So signed URL works not just for S3 as an origin,

65
00:02:26,760 --> 00:02:29,820
‫but HTTP, backend of whatever you want.

66
00:02:29,820 --> 00:02:31,140
‫It's an account wide key-pair,

67
00:02:31,140 --> 00:02:32,700
‫so only the root can manage it.

68
00:02:32,700 --> 00:02:36,000
‫And you can filter by IP, path, date and expiration.

69
00:02:36,000 --> 00:02:38,100
‫And you can leverage all the caching features out

70
00:02:38,100 --> 00:02:39,120
‫of CloudFront.

71
00:02:39,120 --> 00:02:40,710
‫So if you look at the diagram,

72
00:02:40,710 --> 00:02:43,020
‫we have the clients using the signed URL

73
00:02:43,020 --> 00:02:45,330
‫onto your CloudFront distribution

74
00:02:45,330 --> 00:02:47,730
‫and then CloudFront distribution talking to your origin.

75
00:02:47,730 --> 00:02:49,830
‫In this case, I put an EC2 instance.

76
00:02:49,830 --> 00:02:51,420
‫Okay, so we have an idea for this.

77
00:02:51,420 --> 00:02:53,250
‫Now for S3 pre-signed URL,

78
00:02:53,250 --> 00:02:57,270
‫it issues a request as the person who pre-signed the URL.

79
00:02:57,270 --> 00:02:59,190
‫So the idea is that if I signed the URL

80
00:02:59,190 --> 00:03:00,600
‫with my own IAM principle

81
00:03:00,600 --> 00:03:02,490
‫and I use my IAM keys to signing this,

82
00:03:02,490 --> 00:03:06,060
‫then the person who has that URL has the same rights as me.

83
00:03:06,060 --> 00:03:07,680
‫It has a limited lifetime.

84
00:03:07,680 --> 00:03:08,513
‫And so the idea

85
00:03:08,513 --> 00:03:11,130
‫is that now the client can access directly your S3 bucket

86
00:03:11,130 --> 00:03:12,990
‫using that pre-signed URL.

87
00:03:12,990 --> 00:03:15,650
‫So the idea is, if you want people to have access

88
00:03:15,650 --> 00:03:18,390
‫to your CloudFront distribution and it's in front of S3.

89
00:03:18,390 --> 00:03:19,740
‫You have to use a signed URL

90
00:03:19,740 --> 00:03:23,190
‫because you cannot access your S3 bucket as you should

91
00:03:23,190 --> 00:03:27,060
‫because there is a bucket policy restricting it to the OAI.

92
00:03:27,060 --> 00:03:29,760
‫But if your users are using directly against S3

93
00:03:29,760 --> 00:03:31,890
‫and you want to distribute a thousand S3 directly

94
00:03:31,890 --> 00:03:33,150
‫without using CloudFront,

95
00:03:33,150 --> 00:03:35,760
‫then pre-sign URL will be a great use case for it.

96
00:03:35,760 --> 00:03:37,740
‫All right, that's is for this theoretical lecture.

97
00:03:37,740 --> 00:03:39,490
‫I will see you in the next lecture.