Create cloudfront-s3-signed-cookies-cognito.json

marcojahn · web-flow · commit 9ab5c0c35bed · 2026-03-19T14:01:49.000+01:00
added cloudfront-s3-signed-cookies-cognito.json
diff --git a/cloudfront-s3-signed-cookies-cognito/cloudfront-s3-signed-cookies-cognito.json b/cloudfront-s3-signed-cookies-cognito/cloudfront-s3-signed-cookies-cognito.json
@@ -0,0 +1,125 @@
+{
+    "title": "Amazon CloudFront signed cookies with Amazon Cognito using Python CDK",
+    "description": "Implement Amazon CloudFront signed cookies for private Amazon S3 content access with Amazon Cognito user authentication using AWS CDK with Python.",
+    "language": "Python",
+    "level": "300",
+    "framework": "AWS CDK",
+    "introBox": {
+        "headline": "How it works",
+        "text": [
+            "This pattern creates a secure content delivery solution using CloudFront signed cookies. Users authenticate through Amazon Cognito via API Gateway Lambda functions.",
+            "Upon successful login, the Lambda function generates CloudFront signed cookies that grant time-limited access to private S3 content behind the CloudFront distribution.",
+            "The CloudFront distribution uses Origin Access Control (OAC) to securely access private S3 content. Public content is accessible without authentication, while private content requires valid signed cookies.",
+            "The signed cookies use RSA key pairs, with the private key stored securely in AWS Secrets Manager and the public key configured in a CloudFront Key Group."
+        ]
+    },
+    "gitHub": {
+        "template": {
+            "repoURL": "https://github.com/aws-samples/serverless-patterns/tree/main/cloudfront-s3-signed-cookies-cognito",
+            "templateURL": "serverless-patterns/cloudfront-s3-signed-cookies-cognito",
+            "projectFolder": "cloudfront-s3-signed-cookies-cognito",
+            "templateFile": "app.py"
+        }
+    },
+    "resources": {
+        "bullets": [
+            {
+                "text": "Serving private content with signed URLs and signed cookies",
+                "link": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html"
+            },
+            {
+                "text": "Using CloudFront signed cookies",
+                "link": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html"
+            },
+            {
+                "text": "Amazon Cognito User Pools",
+                "link": "https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools.html"
+            },
+            {
+                "text": "Restricting access to Amazon S3 content by using an origin access control",
+                "link": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html"
+            }
+        ]
+    },
+    "deploy": {
+        "text": [
+            "cdk deploy"
+        ]
+    },
+    "testing": {
+        "text": [
+            "See the GitHub repo for detailed testing instructions."
+        ]
+    },
+    "cleanup": {
+        "text": [
+            "Delete the stack: <code>cdk destroy</code>."
+        ]
+    },
+    "services": {
+        "from": {
+            "serviceName": "Amazon API Gateway",
+            "serviceURL": "/api-gateway/"
+        },
+        "to": {
+            "serviceName": "Amazon CloudFront",
+            "serviceURL": "/cloudfront/"
+        }
+    },
+    "patternArch": {
+        "icon1": {
+            "x": 15,
+            "y": 70,
+            "service": "apigw",
+            "label": "Amazon API Gateway"
+        },
+        "icon2": {
+            "x": 38,
+            "y": 70,
+            "service": "lambda",
+            "label": "AWS Lambda"
+        },
+        "icon3": {
+            "x": 58,
+            "y": 30,
+            "service": "cognito",
+            "label": "Amazon Cognito"
+        },
+        "icon5": {
+            "x": 68,
+            "y": 70,
+            "service": "cloudfront",
+            "label": "Amazon CloudFront"
+        },
+        "icon6": {
+            "x": 88,
+            "y": 70,
+            "service": "s3",
+            "label": "Amazon S3"
+        },
+        "line1": {
+            "from": "icon1",
+            "to": "icon2"
+        },
+        "line2": {
+            "from": "icon2",
+            "to": "icon3"
+        },
+        "line4": {
+            "from": "icon2",
+            "to": "icon5"
+        },
+        "line5": {
+            "from": "icon5",
+            "to": "icon6"
+        }
+    },
+    "patternType": "Serverless",
+    "authors": [
+        {
+            "name": "Matia Rasetina",
+            "bio": "Senior Software Engineer @ Elixirr Digital",
+            "linkedin": "in/matiarasetina/"
+        }
+    ]
+}
