To create signed URLs or signed cookies, you need at least one AWS account that has an active CloudFront key pair. This account is known as a trusted signer. The trusted signer has two purposes:
When you specify trusted signers, you also indirectly specify the files that require signed URLs or signed cookies:
You add trusted signers to cache behaviors. If your distribution has only one cache behavior, users must use signed URLs or signed cookies to access any file associated with the distribution. If you create multiple cache behaviors and add trusted signers to some cache behaviors and not to others, you can require that users use signed URLs or signed cookies to access some files and not others.
You add trusted signers to a distribution. After you add trusted signers to an RTMP distribution, users must use signed URLs to access any file associated with the distribution.
Note: To specify trusted signers for a distribution, you must use the CloudFront console or CloudFront API version 2009-09-09 or later.
To specify the accounts that are allowed to create signed URLs or signed cookies and to add the accounts to your CloudFront distribution, do the following tasks:
See Creating CloudFront Key Pairs for Your Trusted Signers.
see Reformatting the CloudFront Private Key (.NET and Java Only).