Multiple Policy Statements for CloudFront Custom Policy (Signed Cookies)

Question

Is it possible to create a policy with multiple statements when using a CloudFront custom policy for signed cookies (not signed URLs)?

I have read the documentation, and although all the examples just have one statement, I cannot see an explicit rule regarding the number of statements allowed.

If it's not possible to have multiple policy statements, it will be difficult to give a particular user signed-cookie access to say, five random files using only the CloudFront security. Any tips on how to do that would be appreciated.

This question is cross-posted here: https://forums.aws.amazon.com/thread.jspa?threadID=223440&tstart=0

Answer 1

FYI

I have faced with the same problem, and contacted with the official AWS support team.

 Hello, thanks for offering us a great service. 
I am an software engineer from Japan. 

Can we have multiple custom policies, like below syntax? 

{ 
  "Statement": [ 
    { ... }, 
    { ... }, 
    { ... }, 
  ] 
} 

I have searched on the web, and found ones who are trying to 
do the same thing and forums/Q&A as well. 

However we found no answer from AWS official support teams 
nor documents saying about that. 

JSON syntax is array, so it seems to work with 
multiple statements but do not work. 

So, if it does not work, would you add a sentence 
about that on the official document?

And then, I got the answer yesterday:

I just heard back this morning. 

You're correct, adding more than one statement 
to a custom policy is not supported. 

I'm updating the documentation now.

So, I think in few days the documentation will be updated that you can not set multiple policy statements for CF Custom Policy for Pre-Signed Cookies.

Answer 2

It's upsetting there is nothing in the docs that says you can only have one item in the Statement array, but that's AWS docs for ya!

Anyways, a way around this limitation, is to set multiple cookies at different path levels. You'll need to generate a signed cookie for each path you want and set each cookie in whatever app you are using. You can imagine an endpoint in your api that generates all of the necessary cookies, sets them all in the header, and your front end then sets all of those cookies.

More specifically you'll want to create one CloudFront-Key-Pair-Id cookie with your cloudfront access key id, and scope that cookie path to the highest level that you're policies will be set to. Use the AWS CloudFront SDK to sign a cookie for each Resource. Create a pair of CloudFront-Policy and CloudFront-Signature cookie for each path that corresponds to the Resource path.

Say I have the following two Resources and want to give access to both of them: https://cfsub.cloudfront.net/animals/dogs/* https://cfsub.cloudfront.net/animals/cats/*

I'd create:

• 1 CloudFront-Key-Pair-Id cookie with a path of /animals
• 1 CloudFront-Policy cookie with the base64 policy generated from running the dogs custom policy through the cloudfront signer. This cookie should have a path of /animals/dogs.
• 1 CloudFront-Policy same thing for cats
• 1 CloudFront-Signature cookie with the signature generated from running the dogs custom policy through the cloudfront signer. This cookie should have a path of /animals/cats
• 1 CloudFront-Signature same thing for cats

All of these cookies should have a domain set to your cloudfront domain cfsub.cloudfront.net

Send all those up to your web app or mobile app.