You can stroke people with words - Scott FitzGerald

Mobilizing English

Subscribe to Mobilizing English: eMailAlertsEmail Alerts newslettersWeekly Newsletters
Get Mobilizing English: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Mobilizing English Authors: Kirsten Lytsen, Kevin Hoffman, Maureen O'Gara, Kulvir Singh Bhogal, Brad Bouldin

Related Topics: PC Security Journal, SOA Best Practices Digest, Security Journal, SOA & WOA Magazine, SOA in the Cloud Expo, Amazon Cloud Journal

Blog Feed Post

Managing CloudFront Private Content with CloudBerry S3 Explorer

Note: this post applies to CloudBerry Explorer 1.7 and later.

CloudBerry S3 Explorer is by far the most popular Amazon S3 and CloudFront manager on Windows platform. At the same time Amazon rapidly enhance their services to meet growing customer expectations. To maintain our leadership position we are trying to say on top of Amazon developments and support all recent enhancements in CloudBerry Explorer.

Today CloudFront team introduced a new exciting capability that will help to protect your content on the distributions. You might want to use CloudFront to deliver a digital asset you’ve sold online, or use it to distribute objects only to your company’s employees. In these circumstances, you need detailed control over who can download your “private” content. As a result today Amazon added an ability to handle private content in Amazon CloudFront.

How CloudBerry Explorer supports CloudFront Private Content?

First you have to configure a distribution to serve private content. You can configure and existing distribution or a new distribution, but a distribution should be created before you configure private content. Check out here to learn how to create a CloudFront distribution.

To configure a distribution for private content click on the distribution properties on the toolbar on in the content menu and go to the Private Content tab.

image001

Click the checkbox to enable Private Content. Now there are a few things that might confuse you at first.


Origin Access Identity: this is a "virtual" user that is used for managing permissions. Since you are able to restrict access you need to set permissions for objects. But for whom? Amazon provides some "virtual" users for this purpose. The Origin Identity that you see CloudBerry Explorer generates for you automatically as you should have at list one. You can also generate them using CloudFront API.

Identity S3 canonical user ID. This is the user ID that you can use in ACL editor to grant permissions. It is associated with the Origin Access Identity.

Trusted Signers:
You can only obtain the access to objects with signed URLs.
Trusted signers are Amazon S3 accounts numbers of users who can generate singed URLs. If one of them will generate signed URL with his private key, it will be valid. If someone else tries to generate signed URL - it will be invalid.

To find your account number go to Your Account | Account Activity on AWS website. Look for Account Number as shown on the screen:

image003

Add myself to trusted signers: by default you are not added to Trusted Signers. So if you want to generate signed URLs you have to check it.

Granting permissions to origin access identity

Notice that ACL dialog has been extended to include Origin Access Identity account automatically for CloudFront distributions configured for Private Content and grant Read access to it.

image005

Security Policies

Before we go any further we have to learn what Security Policy is. Click Tools | Policies in the program menu to open policies window and click New Policy. It helps you to create the policy which will basically define an IP range and address range to limit access to your private content.

Specify a path to your Private Key file in the private key field. This key will be used to sign the Policy.

Key Pair ID is something you will get from Amazon when you generate a Key Pair using Amazon web interface our upload your own key.

The policy on the screen below will grant access to every IP address 0.0.0.0/0 and to every file in your bucket http://*

image007

Note: that the policies are stored locally on your computer. So if you run CloudBerry Explorer on another computer or somebody else manage your S3 account the policies are not shared.

What is Private Key and how I can get it?

The private key - is the file in PEM format. The key pair (public (for Amazon to check your signature) + private (to be stored securely on your computer)) can be generated by Amazon on your account page.

If you already have a key pair, you can upload PUBLIC key to Amazon S3 (using your account web interface), and use your PRIVATE key to sign the URLs.

Using a Key Pair Generated by AWS

If you don't already have key pair, you can have AWS generate a pair and automatically associate the public key with your AWS account.

To have AWS create a key pair for you

1. Go to the Amazon Web Services web site at http://aws.amazon.com .

2. Point to Your Account and click Security Credentials.

3. Log in to your AWS account.

The Security Credentials page is displayed.

4. In the Access Credentials section of the page, click the Key Pairs tab.

5. Click Create a New Key Pair.

Your new public and private key are generated, along with an ID for the key pair. Amazon keeps the public key and gives you the private key.

6. From the dialog box, download your private key file to a local directory, and record the corresponding key ID.

Here's how it looks like

image009

Important: If you're an Amazon EC2 user, you probably already have at least one other key pair, which you use to connect to your instances through SSH or Windows Remote Desktop. Your Amazon EC2 key pairs work only with Amazon EC2, and your Amazon CloudFront keys work only with CloudFront. You can't use the private key from one service with the other service.

To upload your own public key

1. Go to the Amazon Web Services web site at http://aws.amazon.com.

2. Point to Your Account and click Security Credentials.

3. Log in to your AWS account. The Security Credentials page is displayed.

4. In the Access Credentials section of the page, click the Key Pairs tab.

5. Click Upload Your Own Public Key.

6. Follow the instructions presented to upload your public key.

How to generate Private Content URL?

Generate Web Url dialog has been extended. The new option only shows up when creating a URL for objects residing on CloudFront Distributions configured for Private Content.

image011

Conclusion

We hope CloudFront Private Content support in CloudBerry Explorer will make it easier to explore new CloudFront functionality and make CloudBerry Explorer your tool of choice for managing S3 and CloudFront.

If you came to this post by chance you should know that CloudBerry S3 Explorer is a Windows freeware product that helps managing Amazon S3 storage and CloudFront . You can download it at http://cloudberrylab.com/

If you came to this post by chance you should know that CloudBerry S3 Explorer PRO is a Windows program that helps managing Amazon S3 storage and CloudFront . You can download it at http://cloudberrylab.com/ It is currently in beta and free for all users. You can download it at http://cloudberrylab.com/

Like our products? Please help us spread the word about them. Learn here how to do it.

Read the original blog entry...

More Stories By Alexandra Brown

Marketing Manager at CloudBerry Lab, the company that specialize on tool that makes Cloud Computing adoption easier. CloudBerry Lab is established in 2008 by a group of experienced IT professionals with the mission to help organization in adopting Cloud computing technologies by closing the gap between Cloud vendors propositions and consumer needs through development of innovative low costs solutions.