CloudFront Signed URLs / Cookies and S3 Presigned URLs

Signed URLs / Cookies

Signed URL is a url with a signature. The signature allows you to verify your credibility to access the resource while url locates the resource. Signed URLs are used to deliver private content securely.

AWS uses signed urls/cookies to restrict access to content in cloud front edge locations and enable only the authorized groups of accounts to secure access content. With a signed URL a user gets access only to a single file whereas with a signed cookie a user can access multiple files. For signing URLs/Cookies RSA-SHA1 algorithm is used.

First we specify trusted signers who will have permissions to generate signed urls/cookies and add them to the distribution.

Then we specify the restrictions using a policy. Depending on the scope of restrictions we need to specify we can choose a canned policy or a custom policy. With a canned policy we can only specify the expiration date and time. If we need to specify a more complex set of restrictions we could use a custom policy. With a custom policy we can specify the valid time period including both start date / time and end date / time and the IP address or the range of IP addresses allowed. Furthermore the custom policies include a base64-encoded version of the policy, and using wildcard characters in resource parameters custom policies can be reused unlike canned policies.

Signed URLs

When a user requests content the application will verify the user and return a signed url to the user through which they can access content. When a user requests access to a resource and CloudFront validates the signed url by comparing the signature with the policy statement and allows access only if the url is valid.

What if a user requests a large file just before expiration?

If a connection interruption does not occur at the download time content will be successfully downloaded.

What if a user starts streaming for a video file just before expiration?

The cloud front will allow them to continue streaming unless another play event such as skipping or pausing is triggered after time of expiration.

Signed Cookies

A signed cookie is a piece of data that includes a signature which is received from a server and stored in the computer by the browser. Unlike signed urls signed cookies can be used to access multiple files using the same url. Signed cookies cannot be used in RTMP distribution.

The application decides on who to give access to the resources. Application returns 3 http set-cookie headers, each includes three name-value pairs to the viewer and they are stored in the client machine by browser. When a user requests a file with a signed cookie, CloudFront validates the signature using the public key and checks whether the request is valid using the policy statement and returns the content to the viewer.


Pre Signed urls are used when we need to give access to an object in s3 to a user without aws security credentials since only object owners have access to the resources in s3.

In such a scenario users who already have permissions / security credentials to access s3 objects can generate a pre-signed for viewer to access the object for a limited time period. Pre Signed URLs can be used multiple times prior to expiration time.The valid period of a pre-signed url differs according to the credentials used to generate it.

When generating a pre-signed url we need to provide security credentials, specify a bucket name, an object key, specify the HTTP method and expiration date and time.

Anyone with valid security credentials could generate a pre-signed url. But the object can only be accessed by urls created with credentials who has expected permission to access the object.

When a user requests an object the application calls a lambda function to generate a Pre-signed url. The lambda function generates a presigned url via s3 API and returns it. A hash is generated in the s3 for the url. When the user requests the content using the presigned url the object will be returned if the signature and conditions are valid.

Pre Signed urls are used when we need to give access to an object in s3 securely to viewers who don’t have AWS credentials. Signed urls / cookies are used to restrict access to the files in cloudfront edge caches and s3 for authenticated users and subscribers. Signed urls / cookies can be used for any cloudFront origin. For RTMP distributions we need to use signed urls. If we need to access several files using the same url we need to use signed cookies.

On behalf of Team LiveRoom, written by Melanie Wijesooriya.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store