The title more or less says it all. Judging from the fact that "restrict viewer access" section of the Cloudfront management console (picture below) uses radio buttons, It appears that its an either/or situation.
QUESTION: Are there other ways to parse one's S3 bucket such that it can have both public (i.e., viewable by anyone) and private (i.e., signed urls) content in it?
I can answer my own question. Yes, you can have signed and unsigned urls at the same Cloudfront distribution. In the example below, my distribution is called blahblah.cloudfront.com
. The key is to specify two "origin server"s. One for the signed urls and another for the unsigned urls.
->AWS Management Console->Cloudfront->Distribution settings of selected Distribution
->Origins: create both origins (e.g., pointing to 2 different S3 buckets)
->Behaviors: create "path patterns" for each origin such that Cloudfront can
distinguish which origin the Cloudfront url points to. E.g., in my S3 bucket named
"tim-UNsigned-bucket" I set the path pattern to `uploads/*`. For my signed url bucket,
I gave it the more general path pattern of `*` and prioritized it 2nd.
As you can see below, this means that my unsigned url includes the path, uploads/,
whereas my signed does not.
Resulting Cloudfront url structure:
Signed urls: https:// or http://blahblah.cloudfront.com/file1.jpg?Policy=asf...
UNsigned urls: https:// or http://blahblah.cloudfront.com/uploads/file2.jpg
Note: Making any of these changes can take Cloudfront several minutes (5-15 minutes) to update. Therefore, do your best to make all the changes in my directions with the fewest mistakes possible otherwise it will take you forever.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With