Signed URLs, Signed Cookies, and Geo-Restriction
Restrict premium content access using signed URLs and cookies, and block users from specific countries with geo-restriction.
Restricting CloudFront Content Access
By default, CloudFront serves content to any viewer who knows the URL. For premium or private content—video courses, paid software downloads, member-only resources—you need to restrict access so only authorised users can retrieve it.
CloudFront provides two mechanisms for authorised access: Signed URLs (one URL grants access to one specific object) and Signed Cookies (a set of cookies grants access to multiple objects matching a path pattern). Both use cryptographic signatures generated with an RSA key pair.
CloudFront Signed URLs
A Signed URL is a CloudFront URL that includes a cryptographic signature covering an expiry time and, optionally, an IP address restriction. The URL is valid only until its expiry and only from the allowed IP address (if one is specified). After expiry, CloudFront returns a 403 Forbidden.
Signed URLs are best for: granting a single user access to one specific file (e.g., a generated PDF report), time-limited download links, or when the client cannot set cookies (e.g., mobile apps or RTMP streaming).
# Generate a signed URL using AWS CLI (requires a CloudFront key pair)
aws cloudfront sign \
--url https://d1234abcdef.cloudfront.net/premium/video.mp4 \
--key-pair-id APKA1234567890 \
--private-key file://private-key.pem \
--date-less-than 2026-06-21T00:00:00Z