I need to know how to create and test CloudFront signed cookies to access an S3 origin.

The example in this article illustrates a step-by-step procedure to test and restrict access to an S3 origin with CloudFront signed cookies. This example also describes how to use CloudFront signed cookies with the curl command to access the S3 origin.

Complete the following steps to use CloudFront signed cookies to test and restrict access to objects in your Amazon S3 origin.


Replace the distribution, key pair, and private key file details accordingly.


1. Go to http://www.unixtimestamp.com/ and get the Unix time for the cookie expiration date.

2. Create a policy as described at Creating a Policy Statement for a Signed Cookie That Uses a Custom Policy, and save it as "policy.json". For our example, we'll use an expiration date of 06/30/2016:







               "AWS:EpochTime": 1467244800






3. Remove all white space using "cat" and "tr":

> cat policy.json | tr -d " \t\n\r"


4. Encode the text in base64 and replace the unsupported characters. The result is the value for your CloudFront-Policy cookie:

> cat policy.json |base64 |tr '+=/' '-_~'

5. Create a signature using your CloudFront private key, convert it to base64, and replace the unsupported characters. The result is the value for your CloudFront-Signature cookie:

> cat policy.json | openssl sha1 -sign CloudFront_Key.pem |base64 |tr '+=/' '-_~'



6. Get your CloudFront key pair access key ID from https://portal.aws.amazon.com/gp/aws/securityCredentials. This is the value that you specify for your CloudFront-Key-Pair-Id cookie.

7. To verify that you can use CloudFront signed cookies to access the S3 origin, run curl –v and specify the following parameters:

a. An HTTP header that contains the base64-encoded cookie created in step 4. Enclose the HTTP header value in single quotes, so the first parameter looks like this:

-H 'Cookie: CloudFront-Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kM2J4Y2k1emplNGJvNi5jbG91ZGZyb250Lm5ldC9pbmRleC5odG1sIiwiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxNDQyMTgwMTYxfX19XX0KCg__'

b. An HTTP header that contains the base64-encoded signature created in step 5. Enclose the HTTP header value in single quotes, so the second parameter looks like this:

-H 'Cookie: CloudFront-Signature=ZmKpEDq0AyMwhW6V-seB61zvpGvEsQo2HdOBJQs2qdblimiwtY9clXk4N9odyKu4ACl8nmYQ2ufBXsHcZTecGFS7apNWttORlKYiDJGlgBVQ8XGXF3SXO~buiR3UdqHd6K5-YdwZL1UZMFMSpZb3HNKYetT5Su5Koeq0Vl11smNrz76dsbY-ialGsVYkf4seoMR65UJhLq7TrspHZLEXl7I6SEA7FC7gKQP7-g8vACuZ1jpvniqaJoQphzcV4VWfxLZKifLA9GzjtARJaGqYjNrWkWmTIJ3wFTurMmwTId9~MFfDGwcNULerMKkgKotY630c~T4TpVQFpmwijCoQbg__'

c. An HTTP header that contains the CloudFront key pair access key ID retrieved in step 6. Enclose the HTTP header value in single quotes, so the third parameter looks like this:

-H 'Cookie: CloudFront-Key-Pair-Id=XXXXXXXXXXXXXXXXXXX'

d. The CloudFront URL as the fourth parameter, which looks like this:


Putting everything together, the command and resulting output should look similar to the following:

> curl -v -H 'Cookie: CloudFront-Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kM2J4Y2k1emplNGJvNi5jbG91ZGZyb250Lm5ldC9pbmRleC5odG1sIiwiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxNDQyMTgwMTYxfX19XX0_' -H 'Cookie: CloudFront-Signature=ZmKpEDq0AyMwhW6V-seB61zvpGvEsQo2HdOBJQs2qdblimiwtY9clXk4N9odyKu4ACl8nmYQ2ufBXsHcZTecGFS7apNWttORlKYiDJGlgBVQ8XGXF3SXO~buiR3UdqHd6K5-YdwZL1UZMFMSpZb3HNKYetT5Su5Koeq0Vl11smNrz76dsbY-ialGsVYkf4seoMR65UJhLq7TrspHZLEXl7I6SEA7FC7gKQP7-g8vACuZ1jpvniqaJoQphzcV4VWfxLZKifLA9GzjtARJaGqYjNrWkWmTIJ3wFTurMmwTId9~MFfDGwcNULerMKkgKotY630c~T4TpVQFpmwijCoQbg__' -H 'Cookie: CloudFront-Key-Pair-Id=XXXXXXXXXXXXXXXXXXX' https://d123example.cloudfront.net/index.html


*  Trying

* Connected to d123example.cloudfront.net ( port 443 (#0)

* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

* Server certificate: *.cloudfront.net

* Server certificate: VeriSign Class 3 Secure Server CA - G3

* Server certificate: VeriSign Class 3 Public Primary Certification Authority - G5

> GET /index.html HTTP/1.1

> Host: d123example.cloudfront.net

> User-Agent: curl/7.43.0

> Accept: */*

> Cookie: CloudFront-Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kM2J4Y2k1emplNGJvNi5jbG91ZGZyb250Lm5ldC9pbmRleC5odG1sIiwiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxNDQyMTgwMTYxfX19XX0KCg__

> Cookie: CloudFront-Signature=ZmKpEDq0AyMwhW6V-seB61zvpGvEsQo2HdOBJQs2qdblimiwtY9clXk4N9odyKu4ACl8nmYQ2ufBXsHcZTecGFS7apNWttORlKYiDJGlgBVQ8XGXF3SXO~buiR3UdqHd6K5-YdwZL1UZMFMSpZb3HNKYetT5Su5Koeq0Vl11smNrz76dsbY-ialGsVYkf4seoMR65UJhLq7TrspHZLEXl7I6SEA7FC7gKQP7-g8vACuZ1jpvniqaJoQphzcV4VWfxLZKifLA9GzjtARJaGqYjNrWkWmTIJ3wFTurMmwTId9~MFfDGwcNULerMKkgKotY630c~T4TpVQFpmwijCoQbg__

> Cookie: CloudFront-Key-Pair-Id=XXXXXXXXXXXXXXXXXXX


< HTTP/1.1 200 OK

< Content-Type: text/html

< Content-Length: 0

< Connection: keep-alive

< Date: Tue, 08 Sep 2015 02:35:48 GMT

< x-amz-version-id: Wlbf4ymWu_qaa_tHHtAggtKe01HbiRM3

< Last-Modified: Tue, 08 Sep 2015 02:21:16 GMT

< ETag: "d41d8cd98f00b204e9800998ecf8427e"

< Accept-Ranges: bytes

< Server: AmazonS3

< Age: 1022

< X-Cache: Hit from cloudfront

< Via: 1.1 d123example.cloudfront.net (CloudFront)




<!DOCTYPE html>




<link rel="shortcut icon" type="image/png" href="https://www.example.com/images/test.ico"/>



<div id="container" class="container">


<img src="http://www.example.com/images/testlogo.png">

<h1>Congrats! You are signed!</h1>



Amazon CloudFront, signed cookies, restrict access, S3 origin, private content

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2016-02-29