Replace Trusted Signer with Trusted Key Groups implemenation in Amazon CloudFront.

Author: leschan

1-Create_S3_Bucket/README.md

@@ -1,21 +1,22 @@
 ## Step 1: Create Amazon S3 Bucket
 
-In this step we will stage a private Amazon S3 bucket with a sample HTML file.
+In this step you will stage a private Amazon S3 bucket with a sample HTML file.
 
-**Note**: Use an IAM user account in this step for security best practices.
+**Note**: Amazon S3 routes any virtual hosted–style requests to the US East (N. Virginia) region by default if you use the US East (N. Virginia) endpoint (s3.amazonaws.com), When you create a new bucket, in any region, Amazon S3 updates DNS to reroute the request to the correct region, which might take time when using Amazon CloudFront for distribution in later section. For the purpose of this exercise, you will create a new bucket in AWS **region** `us-east-1`. Detailed explanation of **AWS Virtual hosting of buckets** is provided in [AWS User Guide](https://docs.aws.amazon.com/AmazonS3/latest/userguide/VirtualHosting.html).
 
 ### Create S3 Bucket
 1. Log into your AWS account and navigate to the [Amazon S3 Management Console](https://s3.console.aws.amazon.com/).
-2. Select **Create Bucket**.
-3. Provide **Bucket name** and select any **Region**.
-4. Leave everything as default.
-5. Select **Create bucket** to create the Bucket.
-6. Select the bucket you just created.
-7. Select **Upload**.
-8. Select **Add files**.
-9. Select the sample file `sample.html` from your computer.
-10. Select **Upload** to upload the file.
+2. Choose **Create Bucket**.
+3. Provide a name for **Bucket name**.
+4. Select **US East (N. Virginia) us-east-1** for **AWS Region** .
+5. Leave everything as default.
+6. Choose **Create bucket** to create the bucket.
+7. Choose the bucket you just created.
+8. Choose **Upload**.
+9. Choose **Add files**.
+10. Choose the included sample file `sample.html` from your local drive.
+11. Choose **Upload** to upload the file.
 
-We successfully created an Amazon S3 bucket and uploaded a sample HTML file. However if you try to access the sample HTML file using the S3 object URL, like `https://yourbucket.s3-us-west-2.amazonaws.com/sample.html`, in your browser you will get an access denied message. This is exactly what we want. We want to keep our S3 contents private and will only distribute them using an Amazon CloudFront distribution.
+You successfully created an Amazon S3 bucket and uploaded a sample HTML file. However if you try to access the sample HTML file using the S3 object URL, like `https://yourbucket.s3-us-west-2.amazonaws.com/sample.html`, in your browser you will get an access denied message. This is exactly what you want. You want to keep your S3 contents private and will only distribute them using an Amazon CloudFront distribution.
 
-In [Step 2](../2-Create_CloudFront_Distribution/README.md), we will create the Amazon CloudFront Distribution.
+In [Step 2](../2-Create_CloudFront_Distribution/README.md), you will create the Amazon CloudFront Distribution.

2-Create_CloudFront_Distribution/README.md

@@ -1,40 +1,38 @@
 ## Step 2: Create Amazon CloudFront Distribution
 
-In this step we will create an Amazon CloudFront distribution with your Amazon S3 bucket created in Step 1 as source. We will also restrict access to the bucket by using an [Origin Access Identity (OAI)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html).
-
-**Note**: Use an IAM user account in this step for security best practices.
+In this step you will create an Amazon CloudFront distribution with your Amazon S3 bucket created in Step 1 as source. You will also restrict access to the bucket by using an [Origin Access Identity (OAI)](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html).
 
 ### Create Distribution
 1. Log into your AWS account and navigate to the [Amazon CloudFront Management Console](https://console.aws.amazon.com/cloudfront).
-2. Select **Create Distribution**.
-3. Under Web, select **Get Started**.
-4. For **Origin Domain Name** select your Amazon S3 Bucket from Step 1.
-5. For **Restrict Bucket Access** select **Yes**.
-6. For **Origin Access Identity** select **Create a New Identity**.
-7. For **Grant Read Permissions on Bucket** select **Yes, Update Bucket Policy**. This will automatically add an Amazon Bucket policy to the your bucket allowing only this CloudFront distribution to read from the bucket.
-8. Leave everything else as default and select **Create Distribution**.
+2. Choose **Create Distribution**.
+3. Under Web, choose **Get Started**.
+4. For **Origin Domain Name** choose your Amazon S3 Bucket from Step 1.
+5. For **Restrict Bucket Access** choose **Yes**.
+6. For **Origin Access Identity** choose **Create a New Identity**.
+7. For **Grant Read Permissions on Bucket** choose **Yes, Update Bucket Policy**. This will automatically add an Amazon Bucket policy to the your bucket allowing only this CloudFront distribution to read from the bucket.
+8. Leave everything else as default and choose **Create Distribution**.
 9. In the distribution details screen, note the **Distribution Status**. Wait for the status to change from **In Progress** to **Deployed**. It can take upward of 5 minutes for the process to complete.
 10. Under **Domain Name** copy the FQDN, similar to `dxxxxxxxxxz.cloudfront.net`.
 
 ### Test Public Distribution
-We want to test to verify that the distribution is setup correctly and has access to the Amazon S3 contents.
+You want to test to verify that the distribution is setup correctly and has access to the Amazon S3 contents.
 
 Use your browser and enter the URL https://dxxxxxxxxxz.cloudfront.net/sample.html. Remember to replace the domain name with your FQDN. Your sample webpage should come up correctly. However, anyone with your URL can access your Amazon S3 contents.
 
 ### Secure Distribution
-Next we want to secure the Amazon CloudFront distribution to restrict public access.
-1. Select the **Distribution ID** to open the detail view.
-2. Select the **Behaviors** tab.
-3. Checkbox the default **Origin or Origin Group** and select **Edit**.
-4. Under **Restrict Viewer Access (Use Signed URLs or Signed Cookies)** select **Yes** to expand the **Trusted Key Groups or Trusted Signer** option.
-5. Under **Trusted Key Groups or Trusted Sign**, select **Trusted Signer**.
-6. Under **Trusted Signers** select **Self** if you are using the same AWS Account for both the CloudFront distribution and the CloudFront key pair, which we will create in the next step. Select **Specify Accounts** and enter the account number of another AWS Account that you will be using to create the CloudFront key pair.
-7. Select **Yes, Edit** to save the changes.
+Next you want to secure the Amazon CloudFront distribution to restrict public access.
+1. Choose the **Distribution ID** to open the detail view.
+2. Choose the **Behaviors** tab.
+3. Select the default **Origin or Origin Group** and choose **Edit**.
+4. Under **Restrict Viewer Access (Use Signed URLs or Signed Cookies)** choose **Yes** to expand the **Trusted Key Groups or Trusted Signer** option.
+5. Under **Trusted Key Groups or Trusted Signer**, select **Trusted Signer**. (Note: you will change this to **Trusted Key Groups** in later section.)
+6. Under **Trusted Signers** select **Self**.
+7. Choose **Yes, Edit** to save the changes.
 
 ### Test Secured Distribution
-Now we want to test to verify that the distribution is restricted. Refresh the webpage and you should see the error message:
+Now you want to test to verify that the distribution is restricted. Refresh the webpage and you should see the error message:
 > Missing Key-Pair-Id query parameter or cookie value
 
-In this step we created an Amazon CloudFront distribution to distribute your Amazon S3 private contents. We then secured the distribution by using the **Restrict Viewer Access** option.  
+In this step you created an Amazon CloudFront distribution to distribute your Amazon S3 private contents. You then secured the distribution by using the **Restrict Viewer Access** option.  
 
-In [Step 3](../3-Create_CloudFront_Keypair/README.md), we will create the **CloudFront Key Pair**
+In [Step 3](../3-Create_CloudFront_Key_Groups/README.md), you will create the **CloudFront Key Groups**

3-Create_CloudFront_Key_Groups/README.md

@@ -0,0 +1,53 @@
+## Step 3: Create CloudFront Key Group
+
+In this step you will create a trusted [CloudFront key group](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#choosing-key-groups-or-AWS-accounts). First you will create a public-private key pair. The key pair must meet the following requirements:
+- It must be an SSH-2 RSA key pair.
+- It must be in base64-encoded PEM format.
+- It must be a 2048-bit key pair.
+
+
+### Create Key Pair
+The following steps use OpenSSL as an example of one way to create a key pair. There are many other ways to create an RSA key pair.
+1. The following example command uses OpenSSL to generate an RSA key pair with a length of 2048 bits and save to the file named `private_key.pem`.
+```
+$ openssl genrsa -out private_key.pem 2048
+```
+2. The resulting file contains both the public and the private key. The following example command extracts the public key from the file named `private_key.pem` and save to the file named `public_key.pem`.
+```
+$ openssl rsa -pubout -in private_key.pem -out public_key.pem
+```
+
+### Upload Public Key
+1. On [Amazon CloudFront Management Console](https://console.aws.amazon.com/cloudfront)
+2. In the navigation menu, choose **Public keys**.
+3. Choose **Add public key**.
+4. In the **Add public key** window, do the following:
+  - For **Key name**, type a name to identify the public key.
+  - For **Key value**, copy and paste the contents of the public key. If you followed the steps in the preceding procedure, the public key is in the file named `public_key.pem`.
+  - (Optional) For **Comment**, add a comment to describe the public key.  
+
+  When finished, choose **Add**.
+5. Record the public key ID. You will use it later section.
+
+### Create Key group
+1. In the navigation menu, choose **Key groups**.
+2. Choose **Add key group**.
+3. On the **Create key group** page, do the following:
+ - For **Key group name**, type a name to identify the key group.
+ - (Optional) For **Comment**, type a comment to describe the key group.
+ - For **Public keys**, select the public key to add to the key group, then choose **Add**.
+4. Choose **Create key group**.
+
+### Associate Key group
+1. In the navigation menu, choose **Distributions**.
+2. Choose the **Distribution ID** link you created in Step 2.
+3. Choose the **Behaviors** tab.
+4. Select the cache behavior and then choose **Edit**.
+5. On the **Edit Behavior** page, do the following:
+ - For **Trusted Key Groups or Trusted Signer**, choose **Trusted Key Groups**.
+ - For **Trusted Key Groups**, choose the key group to add, and then choose **Add**.
+6. Choose **Yes, Edit** to update the cache behavior.
+
+In this step you generated a public-private key pair, created a CloudFront Key group with a public key, and associated the Key group to your CloudFront distribution.
+
+In [Step 4](../4-Create_Secrets_Manager/README.md) we will create a secret in **AWS Secrets Managers**.

3-Create_CloudFront_Keypair/README.md

@@ -1,25 +1,24 @@
 ## Step 4: Create Secrets Manager
 
-In this step we will create a secret in **AWS Secrets Manager**. Up to this point, we have used **Amazon S3**, **Amazon CloudFront**, and **Amazon IAM**, which are AWS global services. As **AWS Secrets Manager** and **AWS Lambda** are regional services, you will need to pick an AWS region.
-
-**Note**: Use an IAM user account in this step for security best practices.
+In this step you will create a secret in **AWS Secrets Manager**. Up to this point, you have used **Amazon S3** and **Amazon CloudFront**, which are AWS global services. As **AWS Secrets Manager** and **AWS Lambda** are regional services, you will need to pick an AWS **region** to use for the remainder of this sample.
 
 ### Create a Secret
-1. Log into your AWS account and navigate to the [AWS Secrets Manager Management Console](https://us-west-2.console.aws.amazon.com/secretsmanager).
-2. Select an AWS region.
-3. Select **Store a new secret**.
+1. Open the [AWS Secrets Manager Management Console](https://us-west-2.console.aws.amazon.com/secretsmanager).
+2. Select an AWS **region**.
+3. Choose **Store a new secret**.
 4. For **Select secret type**, select **Other type of secrets**.
 5. For **Specify the key/value pairs to be stored in this secret** select **Plaintext**.
-6. Copy your CloudFront private key to your clipboard and paste it into the text box.
-7. Select **Next**.
+6. Copy and paste the contents of the private key in the file named **private_key.pem** from previous step.
+7. Choose **Next**.
 8. For **Secret name**, provide a name.
-9. Select **Next**.
+9. Choose **Next**.
 10. Leave rotation as **Disable automatic rotation** as checked.
-11. Select **Next**.
-12. Select **Store**.
-13. Copy both the Secret Name and the Secret ARN, which we will need for the next step.
+11. Choose **Next**.
+12. Choose **Store**.
+13. Select your **Secret** to view the details.
+13. Record both the **Secret name** and **Secret ARN**. You will need them for the next step.
 
-In this step we configured **AWS Secrets Manager** to store the CloudFront private key to be consumed by a downstream client. Next we will configure an **AWS Lambda** function to generate CloudFront signed URLs. We provided steps for both CloudFront canned and custom polices.
+In this step you configured **AWS Secrets Manager** to store the CloudFront private key to be consumed by a downstream client. Next you will configure an **AWS Lambda** function to generate CloudFront signed URLs. We provide steps for both CloudFront canned and custom polices.
 
 [Step 5: Create CloudFront SignedURL with Canned Policy](../5-Create_CloudFront_SignedURL_Canned/README.md)  
 [Step 6: Create CloudFront SignedURL with Custom Policy](../6-Create_CloudFront_SignedURL_Custom/README.md)