How to Upload Files to S3 Using CloudFront Pre-Signed URLs

Takahiro Iwasa

7/7/2024

3 min read

CloudFront S3

CloudFront supports the feature of generating signed URLs. While S3 also offers similar functionality, CloudFront provides the added benefit of enabling uploads through your custom domain, making it especially useful for domain-restricted environments.

Serve private content with signed URLs and signed cookies

Architecture Diagram

Specifying Trusted Signers

To begin, you must create a trusted key group for use as a trusted signer.

Specify signers that can create signed URLs and signed cookies

❗ Important

While you can use your AWS account as a trusted signer, AWS recommends using a key group. Refer to Choose between trusted key groups (recommended) and AWS accounts for details.

Key pairs must adhere to the following requirements:

Type: SSH-2 RSA key pair
Format: Base64-encoded PEM
Key Size: 2048-bit

Use the following commands to create a key pair:

openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem

Building

Pass the public key to the PublicKey parameter (line 5) and use it (line 38).
Ensure the S3 bucket policy allows the s3:PutObject action (line 27).
Use the AllViewerExceptHostHeader origin request policy (line 85).

1
AWSTemplateFormatVersion: 2010-09-09
2
Description: Example of CloudFront pre-signed URLs to upload files to S3 Bucket
3

4
Parameters:
5
  PublicKey:
6
    Type: String
7

8
Resources:
9
  S3Bucket:
10
    Type: AWS::S3::Bucket
11
    Properties:
12
      BucketName: !Sub uploaded-files-${AWS::AccountId}-${AWS::Region}
13

14
  S3BucketPolicy:
15
    Type: AWS::S3::BucketPolicy
16
    Properties:
17
      Bucket: !Ref S3Bucket
18
      PolicyDocument:
19
        Version: 2008-10-17
20
        Id: PolicyForCloudFrontPrivateContent
21
        Statement:
22
          - Sid: AllowCloudFrontServicePrincipal
23
            Effect: Allow
24
            Principal:
25
              Service: cloudfront.amazonaws.com
26
            Action:
27
              - s3:PutObject
28
            Resource: !Sub ${S3Bucket.Arn}/*
29
            Condition:
30
              StringEquals:
31
                "AWS:SourceArn": !Sub arn:aws:cloudfront::${AWS::AccountId}:distribution/${CloudFrontDistribution}
32

33
  CloudFrontPublicKey:
34
    Type: AWS::CloudFront::PublicKey
35
    Properties:
36
      PublicKeyConfig:
37
        Name: signer1
38
        EncodedKey: !Ref PublicKey
39
        CallerReference: cloudfront-caller-reference-example
40

41
  CloudFrontKeyGroup:
42
    Type: AWS::CloudFront::KeyGroup
43
    Properties:
44
      KeyGroupConfig:
45
        Name: cloudfront-key-group-1
46
        Items:
47
          - !Ref CloudFrontPublicKey
48

49
  CloudFrontOriginAccessControl:
50
    Type: AWS::CloudFront::OriginAccessControl
51
    Properties:
52
      OriginAccessControlConfig:
53
        Name: !Ref S3Bucket
54
        OriginAccessControlOriginType: s3
55
        SigningBehavior: always
56
        SigningProtocol: sigv4
57

58
  CloudFrontDistribution:
59
    Type: AWS::CloudFront::Distribution
60
    Properties:
61
      DistributionConfig:
62
        Enabled: true
63
        HttpVersion: http2and3
64
        Origins:
65
          - Id: !GetAtt S3Bucket.DomainName
66
            DomainName: !GetAtt S3Bucket.DomainName
67
            OriginAccessControlId: !Ref CloudFrontOriginAccessControl
68
            S3OriginConfig:
69
              OriginAccessIdentity: ''
70
        DefaultCacheBehavior:
71
          AllowedMethods:
72
            - HEAD
73
            - DELETE
74
            - POST
75
            - GET
76
            - OPTIONS
77
            - PUT
78
            - PATCH
79
          Compress: true
80
          # CachingDisabled
81
          # See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-cache-policies.html#managed-cache-policy-caching-disabled
82
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad
83
          # AllViewerExceptHostHeader
84
          # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html#managed-origin-request-policy-all-viewer-except-host-header
85
          OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac
86
          TargetOriginId: !GetAtt S3Bucket.DomainName
87
          TrustedKeyGroups:
88
            - !Ref CloudFrontKeyGroup
89
          ViewerProtocolPolicy: https-only
90

91
Outputs:
92
  CloudFrontDistributionDomainName:
93
    Value: !GetAtt CloudFrontDistribution.DomainName
94
  CloudFrontPublicKeyId:
95
    Value: !Ref CloudFrontPublicKey
96
  S3BucketName:
97
    Value: !Ref S3Bucket

Deploy the CloudFormation stack with the following command:

PUBLIC_KEY=$(cat public_key.pem)
aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name cloudfront-presigned-urls-example \
  --parameter-overrides PublicKey=$PUBLIC_KEY

Check the deployed resources:

aws cloudformation describe-stacks \
  --stack-name cloudfront-presigned-urls-example \
| jq ".Stacks[0].Outputs"

Testing

Set the following variables:

CLOUDFRONT_DOMAIN=<CloudFront domain>
KEYPAIR_ID=<Key pair ID>
UTC_OFFSET=+9

Generate a URL:

PRESIGNED_URL=$(aws cloudfront sign \
  --url https://$CLOUDFRONT_DOMAIN/upload-test.txt \
  --key-pair-id $KEYPAIR_ID \
  --private-key file://private_key.pem \
  --date-less-than $(date -v +5M "+%Y-%m-%dT%H:%M:%S$UTC_OFFSET"))

echo $PRESIGNED_URL
# https://<distribution-id>.cloudfront.net/upload-test.txt?Expires=...&Signature=...Key-Pair-Id=...

Upload a file:

echo 'Hello World' > example.txt
curl -X PUT -d "$(cat example.txt)" $PRESIGNED_URL

Confirm the file is uploaded:

aws s3 cp s3://uploaded-files-<AWS::AccountId>-<AWS::Region>/upload-test.txt ./
cat ./upload-test.txt

Cleaning Up

Clean up all the AWS resources provisioned during this example with the following command:

ℹ️ Note

Disabling the CloudFront distribution may take several minutes.

aws s3 rm s3://uploaded-files-<AWS::AccountId>-<AWS::Region>/upload-test.txt
aws cloudformation delete-stack --stack-name cloudfront-presigned-urls-example