Michael Wahl for AWS Community Builders

Protect your Amazon CloudFront content — Authorization@Edge using cookies

Customers who host private web apps on Amazon CloudFront may struggle with a challenge: how to prevent unauthenticated users from downloading the web app’s source code.
This is an interesting solution, but if you don't request public and private content, it's overkill and can become really complex quickly.
Authorization@Edge - How to Use Lambda@Edge and JSON Web Tokens to Enhance Web Application Security (aws.amazon.com)

If you simply have a CloudFront distribution and want users to authenticate with Cognito before viewing it, this is probably a great option.
Authorization@Edge using cookies: Protect your Amazon CloudFront content from being downloaded by… (aws.amazon.com)

You can deploy this solution from the AWS Serverless Application Repository. It's easiest to just leave everything as default so you can successfully deploy it and have something working to look at and maybe modify for your own specific needs.
Solution Flow
Part 1 — Sign in attempt (diagram from aws.amazon.com)

Part 2 — Authentication and verification (diagram from aws.amazon.com)

Part 3 — Redirect and access (diagram from aws.amazon.com)
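
At the edge, the three parts of the flow come down to one decision per viewer request: pass the request through if it carries a valid token cookie, otherwise redirect to sign-in. The sketch below is an added example, not code from the AWS blog posts or the aws-samples project. The cookie name `id_token`, the sign-in URL, the `state` parameter and passing the signing key as a PEM string are assumptions made for illustration.

```javascript
// Added example: Lambda@Edge-style viewer-request check for a JWT in a cookie.
const crypto = require('crypto');

const COOKIE_NAME = 'id_token';                        // assumption: hypothetical cookie name
const SIGN_IN_URL = 'https://auth.example.com/login';  // placeholder sign-in endpoint

// Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
const b64 = (s) => Buffer.from(s, 'base64');

// Extract one cookie value from CloudFront's header representation.
function getCookie(headers, name) {
  for (const h of headers.cookie || []) {
    for (const part of h.value.split(';')) {
      const i = part.indexOf('=');
      if (i > 0 && part.slice(0, i).trim() === name) return part.slice(i + 1).trim();
    }
  }
  return null;
}

// Return the claims of a correctly signed, unexpired RS256 JWT, else null.
function verifyJwt(token, publicKeyPem, nowSec) {
  const parts = (token || '').split('.');
  if (parts.length !== 3) return null;
  try {
    // Pin the algorithm: never let the token choose "none" or a symmetric alg.
    if (JSON.parse(b64(parts[0])).alg !== 'RS256') return null;
    const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
    if (!crypto.verify('RSA-SHA256', signed, publicKeyPem, b64(parts[2]))) return null;
    const claims = JSON.parse(b64(parts[1]));
    return typeof claims.exp === 'number' && claims.exp > nowSec ? claims : null;
  } catch {
    return null; // malformed base64 or JSON: treat as unauthenticated
  }
}

// Viewer-request decision: return the request to continue to the origin,
// or a 307 response that sends the browser to sign-in.
function authorize(request, publicKeyPem, nowSec = Math.floor(Date.now() / 1000)) {
  if (verifyJwt(getCookie(request.headers, COOKIE_NAME), publicKeyPem, nowSec)) return request;
  const back = encodeURIComponent(request.uri); // where to return after sign-in
  return {
    status: '307',
    statusDescription: 'Temporary Redirect',
    headers: { location: [{ key: 'Location', value: `${SIGN_IN_URL}?state=${back}` }] },
  };
}
// In a handler: exports.handler = async (e) => authorize(e.Records[0].cf.request, PEM);
```

Failing closed on every parse or verification error is the point: a missing, expired, tampered or `alg: none` token all end in the same redirect.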
Recognition
The earlier AWS blog that investigated wiring up Cognito authentication with Lambda@Edge: https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-to-use-lambdaedge-and-json-web-tokens-to-enhance-web-application-security/
A gist that shows how to add Basic Authentication using Lambda@Edge: https://gist.github.com/lmakarov/e5984ec16a76548ff2b278c06027f1a4
An open-source project that uses a similar approach to secure CloudFront distributions, but does not yet support Cognito (at the time of this writing): https://github.com/Widen/cloudfront-auth
Additional resources
Check out the code on GitHub to see how the sample solution is built. You can deploy and run the code yourself: https://github.com/aws-samples/cloudfront-authorization-at-edge.
You can deploy the Amazon Cognito resources from the sample solution directly from the AWS Serverless Application Repository.