AWSGlossary

CloudFront Signed URLs: What It Is and When to Use It

Definition

Amazon CloudFront Signed URLs are a special type of URL that provides temporary, secure access to content delivered through the CloudFront content delivery network (CDN). They solve the problem of protecting private content—such as paid media streams, confidential documents, or software downloads—by appending a cryptographic signature that CloudFront validates before serving the file, ensuring only authorized users can access it for a limited time.

How It Works

CloudFront Signed URLs work by adding three special query string parameters to a standard URL: Expires, Signature, and Key-Pair-Id. The process involves your application authenticating a user and then generating this unique, temporary URL for them.

Here is the typical request flow:

  1. Key Pair Generation & Upload: First, you generate a public/private RSA key pair. You then upload the public key to Amazon CloudFront and add it to a "Key Group." This key group is designated as a "trusted signer" in your CloudFront distribution's cache behavior settings. The corresponding private key is stored securely on your application server and is used to create the signature.
  2. User Authentication: A user attempts to access private content through your web application (e.g., by logging in and clicking a download link).
  3. Policy & Signature Generation: Your application server validates the user's permissions. If authorized, it creates a policy statement in JSON format. This policy defines the access rules, such as the resource URL and the expiration timestamp. The server then hashes and signs this policy using the private key.
  4. URL Construction: The application constructs the final signed URL. This includes the base URL of the content, the expiration time, the base64-encoded signature, and the ID of the public key CloudFront should use for verification.
  5. Content Request: The user's browser or client uses this complete signed URL to request the content from CloudFront.
  6. CloudFront Validation: Upon receiving the request, CloudFront uses the Key-Pair-Id to find the corresponding public key. It then verifies the Signature against the policy statement in the URL. If the signature is valid and the policy conditions (like expiration time and optional IP address restrictions) are met, CloudFront serves the content from its edge cache. If the validation fails, it returns a 403 Forbidden error.

This entire process ensures that even if your origin (like an Amazon S3 bucket) is private and locked down using an Origin Access Control (OAC), authorized users can still receive content with low latency via the CloudFront edge network.

Key Features and Limits

  • Policy Types: You can use two types of policies for signed URLs:
    • Canned Policies: Simpler to implement, only requiring an expiration timestamp. They are used to grant access to a single file.
    • Custom Policies: Offer more granular control. You can specify a start time (DateGreaterThan), an end time (DateLessThan), the specific IP address or range of IP addresses (IpAddress) that can access the content, and use wildcards in the Resource path to grant access to multiple files (e.g., https://*.example.com/videos/*).
  • Key Management: The modern and recommended method for managing signing keys is through Trusted Key Groups. This allows you to manage public keys using standard AWS Identity and Access Management (IAM) permissions, enabling automated key rotation and avoiding the need for root account access.
  • Cryptographic Algorithms: As of 2026, CloudFront supports both SHA-1 (default) and the more secure SHA-256 for hashing the policy statement.
  • URL Format: Signed URLs work by appending query string parameters. If a user modifies any part of the URL or the policy, the signature validation will fail.
  • Service Quotas (as of 2026): While most limits are high, key quotas to be aware of include:
    • Key Groups per AWS Account: 100
    • Public Keys per Key Group: 5 (This is a soft limit)
    • Key Groups per Distribution: 10

Common Use Cases

  1. Paid Content Distribution: For media companies or e-learning platforms, signed URLs ensure that only subscribed or paying users can access video streams, e-books, or course materials.
  2. Secure Software Downloads: A software company can provide customers with a time-limited link to download purchased software, preventing the link from being shared publicly.
  3. Confidential Business Documents: An enterprise application can generate signed URLs for employees to access sensitive materials like financial reports or legal documents, with access expiring after a short period.
  4. Private API Endpoints: If you have an API serving sensitive data through CloudFront, you can protect access to specific data files (like a generated report) by requiring a signed URL.
  5. Personalized Content: Applications that generate user-specific content, like a custom data visualization or a personalized photo album, can use signed URLs to ensure only the intended user can view it.

Pricing Model

There is no direct, additional charge for using CloudFront Signed URLs; it is a feature of Amazon CloudFront. The costs you incur are part of the standard CloudFront pricing structure, which includes:

  • Data Transfer Out (DTO): Charges per gigabyte for data delivered from CloudFront edge locations to the internet. Rates vary by geographic region.
  • Request Fees: A fee is charged per 10,000 HTTP or HTTPS requests. HTTPS requests are priced slightly higher.
  • Free Tier: AWS provides a generous permanent free tier for CloudFront that includes 1 TB of data transfer out, 10 million HTTP/S requests, and 2 million CloudFront Function invocations per month.

As of 2026, AWS also offers CloudFront flat-rate pricing plans. These plans bundle data transfer, requests, AWS WAF, and other services into a fixed monthly price with no overage charges, which can provide cost predictability for web applications.

Generating the signed URL itself happens on your application server and does not incur any AWS costs.

Pros and Cons

Pros:

  • Granular Access Control: Custom policies allow for precise control over who can access content, from where (IP address), and for how long.
  • Time-Limited Access: URLs automatically expire, which is a critical security feature for preventing unauthorized long-term access and sharing.
  • Prevents Hotlinking: Because each URL is unique and short-lived, it's impossible for unauthorized sites to embed and serve your private content.
  • Leverages CDN Performance: Users benefit from the low latency and high availability of the global CloudFront edge network, even for private content.
  • Secure Key Management: Using Trusted Key Groups with IAM integration allows for secure, automated key rotation and management.

Cons:

  • Application-Side Complexity: Your application must contain logic to generate the policy and sign the URL, which requires using an AWS SDK.
  • Clock Skew Sensitivity: The validation process is sensitive to time. If the clock on your server that generates the signature is significantly different from CloudFront's clock, validation can fail.
  • URL Length: The appended signature and policy can make URLs very long, which might be a concern in some client applications.
  • Caching Challenges: If a signed URL is shared among multiple users (not recommended), it can be cached by intermediate proxies, potentially leading to unintended access.

Comparison with Alternatives

  • CloudFront Signed Cookies: Signed cookies provide the same fundamental security but are designed for granting access to a group of files (e.g., all video segments in an HLS stream or all images on a subscriber-only webpage). Use signed URLs for individual files; use signed cookies when a user needs access to multiple restricted files. If a request includes both a signed URL and a signed cookie, the signed URL takes precedence.

  • Amazon S3 Pre-Signed URLs: S3 Pre-Signed URLs also provide temporary access to a private object. However, they grant direct access to the object in the S3 bucket, bypassing the CloudFront CDN entirely. This means you lose the performance benefits of edge caching and other CloudFront features. Use CloudFront Signed URLs when you want to deliver content securely through the CDN; use S3 Pre-Signed URLs for scenarios like allowing a user to upload a file directly to S3 or for backend processes that don't need CDN delivery.

Exam Relevance

CloudFront Signed URLs are a key topic in several AWS certification exams, particularly those focused on architecture, development, and security.

  • AWS Certified Solutions Architect - Associate (SAA-C03): Expect questions that require you to choose the right service for securely delivering private content. You'll need to know the difference between signed URLs, signed cookies, and S3 pre-signed URLs.
  • AWS Certified Developer - Associate (DVA-C02): Questions may focus more on the implementation details, such as the need for an AWS SDK to generate the signature and the components of a policy file.
  • AWS Certified Security - Specialty (SCS-C02): This exam will test your deep understanding of the security model, including the role of Trusted Key Groups, IAM permissions for key management, and how signed URLs integrate with other security controls like Origin Access Control (OAC).
  • AWS Certified Cloud Practitioner (CLF-C02): You should understand the basic use case for CloudFront—delivering content with low latency—and recognize that signed URLs are the mechanism for securing that content.

Frequently Asked Questions

Q: What is the difference between a CloudFront Signed URL and a CloudFront Signed Cookie?

A: A signed URL is used to restrict access to a single file. The authorization token is part of the URL itself. A signed cookie is used to provide access to multiple files (e.g., all .jpg files in a directory). The authorization is sent via Set-Cookie headers, and the browser automatically includes the cookies in subsequent requests for content matching the specified path.

Q: How long can a CloudFront Signed URL be valid?

A: There is no maximum expiration time defined by the service. You can set the expiration date far into the future. However, the primary security benefit comes from keeping the validity period as short as is practical for your use case to minimize the risk of a URL being shared or compromised.

Q: Can I use a wildcard to grant access to multiple files with one signed URL?

A: Yes, this is a key feature of using a custom policy. In the Resource field of the policy statement, you can use wildcards (*) to match a pattern, such as https://d111111abcdef8.cloudfront.net/media/*.m3u8, which would grant access to all HLS playlist files within the media/ directory.

This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.

Published: 5/14/2026 / Updated: 5/14/2026

This article is for informational purposes only. AWS services, pricing, and features change frequently — always verify details against the official AWS documentation before making production decisions.

More in Networking

API Gateway WebSocket API: Real-Time Apps Made Easy

API Gateway WebSocket API is a managed AWS service for persistent, bidirectional communication. Simplify real-time apps with Lambda. Learn when to use it.

API Gateway REST vs HTTP: How It Works & When to Use It

Amazon API Gateway offers REST APIs and HTTP APIs. Understand their differences, features, and pricing to choose the right one for your needs. Learn when to choose it.

AWS Global Accelerator: Improve App Performance & Availability

AWS Global Accelerator improves application availability and performance for users worldwide. Get static IPs, optimize traffic routing. Learn when to use it.

CloudFront OAC: How It Works & When to Use It

CloudFront Origin Access Control (OAC) restricts S3 bucket access to CloudFront distributions. Learn how it enhances security and when to use it.

AWS Data Transfer Costs: The Hidden Bill Explained (2026 Guide)

AWS data transfer pricing decoded: internet egress, cross-AZ, cross-region, NAT Gateway, VPC peering, CloudFront, and public IPv4. Avoid surprise bills with this guide.

View all Networking terms →