

Specifying Your Trusted Signers

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html

To create signed URLs or signed cookies, you need at least one AWS account that has an active CloudFront key pair. This account is known as a trusted signer. The trusted signer has two purposes:

When you specify trusted signers, you also indirectly specify the files that require signed URLs or signed cookies:

Web distributions

You add trusted signers to cache behaviors. If your distribution has only one cache behavior, users must use signed URLs or signed cookies to access any file associated with the distribution. If you create multiple cache behaviors and add trusted signers to some cache behaviors and not to others, you can require that users use signed URLs or signed cookies to access some files and not others.

RTMP distributions (signed URLs only)

You add trusted signers to a distribution. After you add trusted signers to an RTMP distribution, users must use signed URLs to access any file associated with the distribution.

Note: To specify trusted signers for a distribution, you must use the CloudFront console or CloudFront API version 2009-09-09 or later.

To specify the accounts that are allowed to create signed URLs or signed cookies and to add the accounts to your CloudFront distribution, do the following tasks:

  1. Decide which AWS accounts you want to use as trusted signers. Most CloudFront customers use the account that they used to create the distribution.
  2. For each of the accounts that you selected in Step 1, create a CloudFront key pair.

    See Creating CloudFront Key Pairs for Your Trusted Signers.

  3. If you’re using .NET or Java to create signed URLs or signed cookies, reformat the CloudFront private key.

    See Reformatting the CloudFront Private Key (.NET and Java Only).

  4. In the distribution for which you’re creating signed URLs or signed cookies, specify the AWS account IDs of your trusted signers.
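
After step 4, it is worth checking which cache behaviors actually require signed URLs or signed cookies and which accounts can sign for them. The following is an added example, not part of the original AWS documentation. It assumes the distribution config has the `DefaultCacheBehavior` / `CacheBehaviors` / `TrustedSigners` shape used by the CloudFront API; the path patterns, the account ID and the function names are constructed for illustration.

```python
import json

# Constructed sample of a web distribution config fragment (not real data).
# "self" stands for the account that owns the distribution.
SAMPLE_CONFIG = json.loads("""
{
  "DefaultCacheBehavior": {
    "TrustedSigners": {"Enabled": false, "Quantity": 0}
  },
  "CacheBehaviors": {
    "Quantity": 2,
    "Items": [
      {"PathPattern": "private/*",
       "TrustedSigners": {"Enabled": true, "Quantity": 1, "Items": ["self"]}},
      {"PathPattern": "partners/*",
       "TrustedSigners": {"Enabled": true, "Quantity": 2,
                          "Items": ["self", "111122223333"]}}
    ]
  }
}
""")

def signers_for(behavior):
    """Return the trusted signer accounts in effect for one cache behavior."""
    ts = behavior.get("TrustedSigners") or {}
    if not ts.get("Enabled"):
        return []
    return list(ts.get("Items") or [])

def audit_trusted_signers(config, expected_accounts):
    """Map each path pattern to (status, signers, signers not on the allow-list)."""
    behaviors = [("* (default)", config["DefaultCacheBehavior"])]
    for b in (config.get("CacheBehaviors") or {}).get("Items") or []:
        behaviors.append((b["PathPattern"], b))
    report = {}
    for pattern, behavior in behaviors:
        signers = signers_for(behavior)
        status = "signed-required" if signers else "public"
        unexpected = sorted(set(signers) - set(expected_accounts))
        report[pattern] = (status, signers, unexpected)
    return report

if __name__ == "__main__":
    # Step 1 decided that only the owning account should sign.
    for pattern, row in audit_trusted_signers(SAMPLE_CONFIG, {"self"}).items():
        print(pattern, *row)
```

A behavior reported as `public` serves its files without a signed URL or signed cookie, and a non-empty third field means an account outside the list chosen in Step 1 can sign for that path.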
