## How to set up private content
- Use signed URLs so that only authenticated users can use them; only authorized users can reach the content
- Configure CloudFront so that it responds only to signed requests
## The only way to access the content
- Create an S3 bucket policy that allows access from CloudFront only (allow the OAI)
: no direct access to S3
- Use signed URLs
- s3_image.php (fails: direct S3 access is blocked)
- cloudfront_image.php (fails: CloudFront now accepts only signed URLs)
- Signedurl_image.php (works: signed CloudFront URL, and CloudFront fetches from S3 through the OAI)
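The bucket policy that implements the "CloudFront only" rule above, as an added example (not the course's or the page's own file). The bucket name and the OAI id are placeholders; the principal ARN format is the one S3 expects for an origin access identity:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontOAIReadOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-private-image-bucket/*"
    }
  ]
}
```

Attaching this policy is only half of closing the back door: the public-read ACL that was put on the object earlier in the course must also be removed (or Block Public Access enabled on the bucket), and the same OAI must be selected on the CloudFront origin, otherwise CloudFront itself gets 403 from S3. OAI is the older mechanism; for new distributions AWS recommends Origin Access Control (OAC), whose bucket policy uses the CloudFront service principal instead, but the effect is the same: S3 answers only to the distribution.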
Welcome to module 6. In this module we're going to talk about private content.

So far in this course we assumed that the image we have in our S3 bucket is a public image, and anybody can use it. But let's say we want to have private content. This is a common problem: we want to deliver content to, say, authorized users. So let's say this user here is an authorized user, or maybe has subscribed to our service, and we want this user to be able to access the content. But let's say there's another user here who is not authorized, and we don't want this user to be able to access our content. OK, so this is the problem that we want to solve, and AWS has some interesting solutions for this problem. Essentially we will use something called signed URLs.

Before we discuss how to implement that, let's understand how the image is delivered to the user right now, with the current architecture that we have. The way this works is that the user goes to the application requesting, say, the image page. Remember we have a few pages here; one is the S3 image page. I can request this page and the page will respond with the URL of the image, so the page contains an image tag. If you remember, this page contains an image tag and the source attribute contains the URL of the image. Essentially the application is responding with the URL; the application does not send the image back, it sends the URL back. And then the user's browser uses that URL and goes to S3 or to CloudFront. By the way, we have this page as well, the CloudFront page. So the user may use either of these pages, and these contain the URL. This one contains the S3 URL and the other one contains the CloudFront URL. In either page, essentially the application gives the URL back to the user, and then the user will use the URL and go to the respective service, and the respective service will respond with the image. So the image doesn't go from the EC2 instance; it goes to the user from CloudFront or from S3.

This is how it works right now, and what may happen is that the authorized user may share that URL with the unauthorized user, and since everything is so open, the unauthorized user can also access our content. This is what we want to prevent.

So what we do is we will use something called signed URLs, so that the application will not send a plain URL but will send a signed URL to the user, and the authorized user can easily use the signed URL and fetch the image just like now. So this will work for the authorized user. And in fact it will work only for the signed URL, so we have to configure CloudFront in such a way that it will respond only to signed URL requests.

Now you may say that the user may share the signed URL with the unauthorized user. What happens then? Well, what happens then is that the URL will have a policy. When we sign the URL, we attach a policy to the signed URL, and the policy can include an expiry date and time. This could be, say, just five minutes after the URL was generated; it could be one hour, it could be one day, whatever you want. There can also be other types of policies, like a start date and time or IP ranges, so that the URL will be valid only for people who are coming in from certain IP address ranges. So you can do this; in the module we will just see the expiry date and time. Essentially what will happen is the signed URL would be valid for a limited amount of time, and the unauthorized user will not be able to use the content because the URL will expire pretty quickly. So this is the solution that we want to build.

Now there is something else we need to take care of as well, and that is S3. Remember, right now we can access the image directly from S3 as well, because the user can use the S3 URL of the image and fetch the image directly. And remember that in the early part of this course we had to set public access on the image, and that's the reason why anybody could go to the bucket and fetch the image. So we need to stop this; we will remove the permission on the object. This, by the way, is like a back door. We are building this signed URL system for CloudFront, but then there is a back door and we need to stop that. So we will remove public access. But when that happens, CloudFront also will not be able to access the image, because the reason CloudFront is able to access the image from S3 is that the image has public access. So we need to create a policy, and this will be an S3 bucket policy, where we will allow CloudFront to access the image and nobody else. The way this is done is we have to create something called an origin access identity (OAI) for CloudFront, and in the S3 bucket policy we will allow this OAI, which represents the current distribution, to be able to fetch the images from the bucket. So this way we will close the back door, and the only way to access the content will be from CloudFront, and also only using signed URLs.

For this we will be using a new page, by the way, and this page will be called signedurl_image. Once we implement all this, we will try to verify all these pages. This page should work, because this is using signed URLs. And the other two pages will not work: cloudfront_image will not work because CloudFront will now respond only to signed URLs, and this page sends a plain URL, not a signed URL, so it won't work; and the S3 page also will not work because we have closed the back door, and there's no way to get the image directly from S3. All right, so this will be our verification, and in this way we can have private content.

So in the rest of the videos and the other material in this module, let's go step by step and implement private content for our application.
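The lecture describes the signed URL and its policy (expiry, optional start time and IP range) without showing the format. The following is an added example, not course code and not the AWS SDK: it builds CloudFront signed URLs the way the application would (canned policy with `Expires=`, or custom policy with `Policy=`), and then plays the CloudFront edge, verifying the signature and evaluating the policy, so you can see exactly why a shared URL stops working after expiry and why editing the expiry in the URL fails. It uses only the standard library; the in-process 512-bit RSA key, the key-pair id `APKAEXAMPLEKEYID`, the distribution domain, the object path and the client IPs are all made-up demo values (real CloudFront key pairs are 2048-bit and are registered with the distribution as trusted keys).

```python
# Added example, not course or page code. Standard library only; the in-process 512-bit RSA key stands in
# for the CloudFront key pair (real ones are 2048-bit); key-pair id, domain, path and IPs are made up.
import base64, hashlib, ipaddress, json, random
from urllib.parse import urlencode, urlsplit, urlunsplit

SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER DigestInfo prefix for SHA-1

def _is_probable_prime(n, rounds=16):  # Miller-Rabin, adequate for demo keys
    s = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 == d * 2**s with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa_keypair(bits=512, e=65537):  # returns ((n, e), (n, d)); pow(e, -1, phi) needs Python 3.8+
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (n, e), (n, pow(e, -1, phi))

def _emsa_pkcs1_v15(message, k):  # RSASSA-PKCS1-v1_5 encoding with SHA-1, the scheme CloudFront uses
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(priv, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_sha1_verify(pub, message, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(message, k)

def cf_b64(data):  # CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")

def cf_unb64(text):
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))

def build_policy(resource, expires, start=None, ip_range=None):  # compact JSON as CloudFront expects; epoch seconds
    cond = {"DateLessThan": {"AWS:EpochTime": expires}}
    if start is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": start}
    if ip_range is not None:
        cond["IpAddress"] = {"AWS:SourceIp": ip_range}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": cond}]}, separators=(",", ":"))

def make_signed_url(url, key_pair_id, priv, expires, start=None, ip_range=None):
    # Application side. Canned policy (Expires=) when only an expiry is set, custom policy (Policy=) otherwise.
    policy = build_policy(url, expires, start, ip_range)
    sig = cf_b64(rsa_sha1_sign(priv, policy.encode()))
    if start is None and ip_range is None:
        params = {"Expires": expires, "Signature": sig, "Key-Pair-Id": key_pair_id}
    else:
        params = {"Policy": cf_b64(policy.encode()), "Signature": sig, "Key-Pair-Id": key_pair_id}
    return url + ("&" if urlsplit(url).query else "?") + urlencode(params)

def check_signed_url(signed_url, trusted_keys, now, client_ip):
    # Edge side: verify the signature first, then evaluate the policy. Returns (ok, reason).
    parts = urlsplit(signed_url)
    pairs = [kv for kv in parts.query.split("&") if "=" in kv]
    q = dict(kv.split("=", 1) for kv in pairs)
    resource = urlunsplit(parts._replace(query="&".join(
        kv for kv in pairs if kv.split("=")[0] not in ("Expires", "Policy", "Signature", "Key-Pair-Id"))))
    if "Signature" not in q or q.get("Key-Pair-Id") not in trusted_keys:
        return False, "not signed or unknown key pair"
    try:  # a canned policy is rebuilt from Expires; a custom one travels base64-encoded in the URL
        policy = cf_unb64(q["Policy"]).decode() if "Policy" in q else build_policy(resource, int(q["Expires"]))
        if not rsa_sha1_verify(trusted_keys[q["Key-Pair-Id"]], policy.encode(), cf_unb64(q["Signature"])):
            return False, "bad signature"
    except (KeyError, ValueError):
        return False, "bad signature"
    stmt = json.loads(policy)["Statement"][0]  # safe to trust now: the signature covered this exact text
    cond = stmt["Condition"]
    if stmt["Resource"] != resource:  # CloudFront also allows wildcards; exact match is enough here
        return False, "resource mismatch"
    if not cond.get("DateGreaterThan", {}).get("AWS:EpochTime", now) <= now < cond["DateLessThan"]["AWS:EpochTime"]:
        return False, "outside validity window"
    if "IpAddress" in cond and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"]):
        return False, "source ip not allowed"
    return True, "ok"

def demo(now=1_700_000_000):  # authorized user now, the same URL shared after expiry, and a plain URL
    pub, priv = gen_rsa_keypair()
    keys, url = {"APKAEXAMPLEKEYID": pub}, "https://d111111abcdef8.cloudfront.net/images/private.jpg"
    signed = make_signed_url(url, "APKAEXAMPLEKEYID", priv, now + 300)
    return (check_signed_url(signed, keys, now, "203.0.113.7"), check_signed_url(signed, keys, now + 301, "203.0.113.7"),
            check_signed_url(url, keys, now, "203.0.113.7"))
```

`demo()` returns `(True, "ok")` for the authorized user, `(False, "outside validity window")` for the same URL used 301 seconds later, and `(False, "not signed or unknown key pair")` for the plain `cloudfront_image.php`-style URL. Two design points carry over to the real service: the signature is checked before any policy condition is read, so the expiry in a canned URL is not an input an attacker can edit (changing `Expires=` changes the policy CloudFront rebuilds and the signature no longer matches), and the private key never leaves the application, so the edge can only verify, never mint. In production you would call `CloudFrontSigner` from botocore or the AWS SDK for PHP's `UrlSigner` with a 2048-bit key rather than this demo RSA.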