Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Bypassing need for x-amz-cf-id header inclusion in S3 auth in cloudfront

Tags:

amazon-web-services

amazon-s3

amazon-cloudfront

aws-lambda-edge

I have a not completely orthodox CF->S3 setup. The relevant components here are:

  1. Cloudfront distribution with origin s3.ap-southeast-2.amazonaws.com

  2. Lambda@Edge function (Origin Request) that adds a S3 authorisation (version 2) query string (Signed using the S3 policy the function uses).

The request returned from Lambda is completely correct. If I log the uri, host and query string I get the file I am requesting. However, if I access it through the Cloudfront link directly, the request fails because it no longer uses the AWSAccessKeyID, instead it opts to use x-amz-cf-id (but uses the same Signature, Amz-Security-Token etc). CORRECTION: it may not replace, but be required in addition to.

I know this is the case because I have returned both the StringToSign and the SignatureProvided. These both match the Lambda response except for the AWSAccessKeyID which has been replaced with the x-amz-cf-id.

This is a very specific question obviously. I may have to look at remodelling this architecture but I would prefer not to. There are several requirements which has led me down this not completely regular setup.

like image 904
danielgormly Avatar asked Nov 07 '22 09:11

danielgormly

1 Answers

I believe the AWSAccessKeyID => x-amz-cf-id replacement is the result of two mechanisms:

First, you need to configure CloudFront to forward the query parameters to the origin. Without that, it will strip all parameters. If you use S3 signed URLs, make sure to also cache based on all parameters as otherwise you'll end up without any access control.

Second, CloudFront attaches the x-amz-cf-id to the requests that are not going to an S3 origin. You can double-check at the CloudFront console the origin type and you need to make sure it is reported as S3. I have a blog post describing it in detail.

But adding the S3 signature to all the requests with Lambda@Edge defeats the purpose. If you want to keep the bucket private and only allow CloudFront to access it then use the Origin Access Identity, that is precisely for the use-case.

like image 156
Tamás Sallai Avatar answered Nov 15 '22 07:11

Tamás Sallai
Sign in to Comment

Related questions

How to receive a response from AWS S3 triggered lambda function?
Redshift Table - Find Last Date of Query on a Table
Ansible ec2.py not working
documentclient put is not working, tried everything
Admin level user denied access to S3 objects
How to upload an image to AWS Rekognition using command line tools (AWS CLI)
How to access plugin output in serverless.yml of Serverless Framework?
Spring Cloud with AWS Parameter Store
How to run Elastic Beanstalk commands on EC2 instance before connecting Resources
Boto generate_url for S3 PUT doesn't work with IAM roles?
Boto3 - Recursively copy files from one folder to another folder in S3
Google OAuth from AWS lambda
create_export_task returns success but does not export data to s3 from cloudwatch
AWS CloudFormation conditional template validation
AWS Lambda and S3 and Pandas - Load CSV into S3, trigger Lambda, load into pandas, put back in bucket?
Prestashop 1.6, conflict: 2 different modules requiring same class, different versions
PHP AWS DynamoDB: Limit the Number of Total Query Results Using an Iterator
Uploading images to Spring Boot and S3 all In-Memory
Query AWS CLI to populate Jenkins "Active Choices Reactive Parameter" (Linux)

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!