https://stackoverflow.com/questions/23580046
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianAmazon CloudFront also offers Serving Private Content through CloudFront to address your use case:
Many companies that distribute content via the Internet want to restrict access to documents, business data, media streams, or content that is intended for selected users, for example, users who have paid a fee. To securely serve this private content using CloudFront, you can:
Require that your users use special CloudFront signed URLs to access your content, not the standard CloudFront public URLs.
Require that your users access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs.
It is up to the application to generate and distribute the required Signed URLs, however, given the logic of who can see what and when is a part of the application logic you seem to be well prepared for that part.
Please note that you'll need to ensure Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content so that users are unable to leak/guess S3 URLs and are required to go through CloudFront indeed.
If you want to use CloudFront signed URLs to provide access to objects in your Amazon S3 bucket, you probably also want to prevent users from accessing your Amazon S3 objects using Amazon S3 URLs. If users access your objects directly in Amazon S3, they bypass the controls provided by CloudFront signed URLs, including control over when a URL expires and control over which IP addresses can be used to access the objects. [...]
You restrict access to Amazon S3 content by creating an origin access identity, which is a special CloudFront user. You change Amazon S3 permissions to give the origin access identity permission to access your objects, and to remove permissions from everyone else. [...]
[emphasis mine]
