how to secure s3 files with trusted signed users using cloudfront aws-sign?

Question

I need to secure my files which should not get directly played or downloaded in the browzer after copy pasting the link in the browzer.

Below is my app.js file:

var express = require('express'),
    aws = require('aws-sdk'),
    bodyParser = require('body-parser'),
    multer = require('multer'),
    multerS3 = require('multer-s3');

var cfUtil = require('aws-cloudfront-sign');
/**************************/
var cfPk =
'-----BEGIN RSA PRIVATE KEY-----\n' +
'MIIEogIBAAKCAQEAgBmGbFU3bxnZpqMQ2LwmFP4lq7RauurKCF623Snm1XGNQuF9\n' +
'XqDeK3TH3ZfYC6P4iQ+C+Ynw15UP/MGbULO2UCmLfkA30FyI/u46jdhdD7hvMqEj\n' +
'UOEBxVJGFhqrZyerd9A7dRqYS6DTbaz3Vb+aGNcBLuqPP9/TydkkqoFqQnft43W7\n' +
'mWPp7Cx+TDkY/untwF3TWJdiAeke3FBAB2mni+BlmrNQs3vfufhW2XMV8sSOY+cN\n' +
'7chQmruV1stS+KCGiFfkiel824KI/1yVUe7+ofDGJF7v1G6WD4XV2sBAz01EIWSK\n' +
'vo1txA1lSoRcFHmnNOB4d8dKncilxEjstq6J5QIDAQABAoIBAC/m26CJIUiXdw9c\n' +
'LQGPIgJ5oyaZM9kdfkskflfsddsdfldfksdfjlksdfkfdfdfjsdljdfsdfksd08G\n' +
'znfj3zT6UcmuhsdfkhsdkjfksdfkjsdfkjskjdfkjlszDfhkSJDFHksdjJj7U/TQ\n' +
'WFEla/9b7yJjhgdfjsdfkDfklDfkldkljfksjdhfkshdjsdfhksdfkjsdYqOIrnp\n' +
'67CzIc/U76qkT/hsgdfsdfklkghfksdfkhkdhfkdkksdhfklsdhfklskkGuZOBOn\n' +
'vbRyFdfsDfwajhflsdhfpoaSudfhahfhhgTA0yVFFkYOZ6z6xyqoT8Qs+eUVGXCP\n' +
'Au5h6WECgYEA/fjlmzHgMnyfsCugmd/Qbh4tyDVBET6jKKG/JI/K43DjTTLWthcx\n' +
'Rlse1B6LbvbdzvbzdghdfghdtrytyrtyrtyreTO7WQLAEtTUOngsXms33ZdHtzIj\n' +
'r6UW9yqiDG6wNHH3Ql8oJCMaKs8z/mrcPJut0JORLmqd68NeOyxeIi0CgYEAgR9a\n' +
'TG2L06zJZ2Zk6sFee/4nZ5HgMHavxt25/JJtLG4Rew/lb1N10QcSk3v4I7bl41uB\n' +
'QhlHfyYd1yb0a2iTckfdsdfsdfaDfAFAVx95NS0ti3tO1hsuPKVTrMTEpEB2lul3\n' +
'BQuZehOE9HCW2QlDnwBeM2SDA0kagknIh63XsZkCgYBgEkIQxfowPvJNOwOikYaP\n' +
'0TyySmrVsiMYIK9kjjxKcw6Yyk1sTjOk9FkWYP3SwHqfEs0L4hSn6u3F9/34bp+N\n' +
'fmtkUTW0WK3G0jtYV5XiegCEvZnelmxe9g1M7ESmfUyMWjwVUFen69tfLEhXymaL\n' +
'SryidN/rdgtM/vdrXOoy9QKBgAks4izGKAZ9o74uP4OTBBTJhaFNc2HePTVjciDp\n' +
'gsqCc8mL4qDbjGazGvXR/FsFVyalzPaddcweu0kaziZdm36Z1JPI4o1fMUijtVax\n' +
'voXJvfjVtWGgAbgj05NayZohX/14B9YG8fwDwRHhokZ/6wc0bn02ajzkh/a0KYTC\n' +
'rK4ZAoGAGqYbrwHYFFgAOhOaPdER9jK+MXWl1pUhdFTUbNETgF0Nay06GifY+1DA\n' +
'oTu2hg3k7z5464WANk/ixn5nlyRD/i8Ab4ENA56sFly9qOyEdWlXKNrocMd4wjJr\n' +
'ZVF3wvEieF2E1PTySKYNb0ZUm70nfzMj6sRFw9ow58LdpPVXIew=\n' +
'-----END RSA PRIVATE KEY-----'
/************************/


aws.config.update({
    secretAccessKey: 'mysecretaccesss',
    accessKeyId: 'myaccessKeyId'
});

var app = express(),
    s3 = new aws.S3();

app.use(bodyParser.json());

var upload = multer({
    storage: multerS3({
        s3: s3,
        bucket: 'my_buket',
        key: function (req, file, cb) {
            // console.log(file);
           // console.log(req);
            var newFileName = Date.now() + "-" + file.originalname;
            var fullPath = '/'+ newFileName;
            console.log(fullPath)


var cfKeypairId = 'HKASHDDAKSHDHSDKAJ';
var cfURL = 'http://smbhdshdb.cloudfront.net'+fullPath;
var signedUrl = cfUtil.getSignedUrl(cfURL, {
  keypairId: cfKeypairId,
  expireTime: Date.now() + 60000,
  privateKeyString: cfPk
});

console.log(signedUrl);

// console.log(req);
            cb(null, fullPath); //use Date.now() for unique file keys

        }


    })
});


app.get('/', function (req, res) {
    res.sendFile(__dirname + '/index.html');
});


app.post('/upload', upload.any(), function (req, res, next) {
    res.send("Uploaded!");
});

app.listen(3001, function () {
    console.log('Example app listening on port 3001!');
});

Below is my index.html file:

<!DOCTYPE html>
<html>
<head lang="en">
    <meta charset="UTF-8">
    <title></title>
</head>
<body>
Hey! Lets try uploading to s3 directly :)

<form method="post" enctype="multipart/form-data" action="/upload">
    <p>
        <input type="text" name="title" placeholder="optional title"/>
    </p>

    <p>
        <input type="file" name="upl"/>
        <!-- <input type="file" name="uplo"/> -->
    </p>

    <p>
        <input type="submit"/>
    </p>
</form>
</body>
</html>

Below is my bucket policy which is wrong with principal.

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ESHJDAKSJFYU(SAMPLE ACCESS KEY)"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my_bucket/*"
        }
    ]
}

can somebody tel me how to give the bucket policy and how to enable security to my files? i need only the files should get streamed or downloaded only with the signed urls.

help please?

Answer 1

can somebody tel me how to give the bucket policy and how to enable security to my files?

If you've (1) created your CloudFront Key Pairs for your trusted signers, (2) set Restrict Bucket Access to Yes in the Origins tab and (3) made sure your bucket policy does not allow GetObject access except for the Origin Access Identity , then your files are already secured using signed URLs (or cookies). You could try pasting the URL in your browser to see that it does not get downloaded.

Whenever a client needs to download your private file, it should use the signedUrl your app created.

See:

Creating CloudFront Key Pairs for Your Trusted Signers

Creating an Origin Access Identity and Adding it to Your Distribution Using the CloudFront Console

And i need to know what is the value of 'xxxxxxxxxxxxx' in the below variable.

It is just a random string that gets generated when you create your CloudFront distribution the first time. It becomes part of the domain name . For example: d7ip55b96n1wwe.cloudfront.net .