Relationship between Origin Access Identities (OAIs) and CloudFront Signed URLs


So I’ve been following guides on CloudFront and S3 and I feel like I am still missing a core piece of information in the relationship between Origin Access Identities (OAIs) and CloudFront Signed URLs.

What I want: a private CDN to host audio snippets (of a few seconds in length) and low-resolution images. I only want these files to be accessible when requested from a specific domain (i.e. the domain the web app will live on) and maybe a testing server, so that my web app can get the files but anyone else just can’t access them without going through the web app.

What I’m confused about: I’m fuzzy on the relationship (if there is any) between CloudFront Origin Access Identities (OAIs) and Signed CloudFront URLs.

I have currently created a private S3 bucket, an OAI for my CloudFront distribution, and have generated a signed URL to an image through CloudFront. But I don’t see how these things are related and how they prevent someone else from accessing CDN files (e.g. if they were able to inspect an element and get the signed URL).

Is the whole point to make sure the signed URLs expire quickly? And if so, how does the OAI play a role in it? Is this something set in CORS?


An origin access identity is an entity inside CloudFront that
can be authorized by bucket policy to access objects in a bucket. When CloudFront uses an origin access identity to access content in a bucket, CloudFront uses the OAI’s credentials to generate a signed request that it sends to the bucket to fetch the content. This signature is not accessible to the viewer.

The meaning of the word “origin” as used here should not be confused with the word “origin” as used in other contexts, such as CORS, where “origin” refers to the site that is allowed to access the content.

The origin access identity has nothing to do with access being restricted to requests containing a specific Origin or Referer header.

Once a signed URL is validated by CloudFront as matching a CloudFront signing key associated with your AWS account (or another account that you designate as a trusted signer) the object is fetched from the bucket, using whatever permissions the origin access identity has been granted at the bucket.

Is the whole point to make sure the signed url’s expire quickly?

Essentially, yes.

Authentication and Authorization of requests by trying to restrict access based on the site where the link was found is not a viable security measure. It prevents hot-linking from other sites, but does nothing to protect against anyone who can forge request headers. Defeating a measure like that is trivial.

Signed URLs, by contrast, are extremely tamper resistant to the point of computational infeasibility.

A signed URL is not only valid only until it expires, but can optionally also restrict access to a person having the same IP address that’s included in the policy document, if you use a custom policy. Once signed, any change to the URL, including the policy statement, makes the entire URL unusable.

The OAI is only indirectly connected with CloudFront signed URLs — they can be used individually, or together — but without an OAI, CloudFront has no way to prove that it is authorized to request objects from your bucket, so the bucket would need to be public, which would defeat much of the purpose of signed URLs on CloudFront.

Leave a Reply