This project shows how to host a private website using CloudFront and signed cookies, with the infrastructure defined in Terraform.

Resources created

- S3 Bucket: A private S3 bucket to store the static files for the website. The bucket is only accessible by CloudFront, through an origin access identity (OAI).
- CloudFront Distribution: To serve the static content from edge servers close to the users, once the user's identity has been successfully authenticated.
- Lambda Function: To validate user identity and return signed cookies on successful authentication.
- A simple token-based authentication flow starts with the issuance of an auth-token upon user login, which is then carried along with subsequent requests until the user logs out or the token expires. This token is crucial as it’s verified by the server with each request to ensure secure access.
- Login is a singular event; however, token validation is a recurring task, executed with every user interaction. Implementing this validation within a container or lambda function in an AWS region introduces latency, preventing us from fully harnessing the CDN’s capability to deliver content from the nearest edge location.
- While Lambda@Edge offers reduced latency by operating at edge locations, it comes at a higher cost—approximately 3 to 4 times that of a standard Lambda function—and lacks the ‘always free’ tier benefit.
- CloudFront offers a signed URL and signed cookie feature that enables precise control over content access. By crafting a policy with parameters such as an expiry time and an IP address or range, and signing it with a private key to create signed cookies, we let CloudFront validate access using the corresponding public key. This effectively delegates auth validation to CloudFront: signed cookies are issued once, to authenticated users, at the start of the session.
- The key difference between signed URLs and cookies is in efficiency: signed cookies are stored in browsers and sent with every request to the same domain and path, making them ideal for multi-file or resource access on the same domain.
This project is licensed under the terms of the MIT license.