Saturday, October 27, 2012

How to Configure Private CloudFront Distribution with CrossFTP

A private CloudFront distribution is a good way to securely distribute private download/streaming content with Amazon CloudFront: the objects stay non-public in S3, and only signed CloudFront URLs can reach them.

CrossFTP fully supports private CloudFront distributions. To enable a private distribution, select a bucket, right-click it and choose CloudFront -> Manage CloudFront Distributions.... You will see a list of the existing CloudFront distributions for the bucket, as shown in Fig. 1.
Fig. 1. CloudFront List Dialog

Create/Update the Private CloudFront Distribution

You can create a new CloudFront distribution by pressing the "New" button, or update an existing CloudFront distribution by pressing the "Edit" button. Fill in the distribution's basic information in the General tab.
To make the CloudFront distribution private, choose the "Private Content" tab and toggle the "Enable Private Distribution" button, as shown in Fig. 2.

Fig. 2. Enable Private Distribution
A few concepts in this dialog may be new to you:
  • Origin Access Identity: a "virtual" user that represents the private CloudFront distribution and is used for managing its permissions.
  • S3 Canonical User ID: associated with the Origin Access Identity, this is the user ID that you use in the ACL/permission setting dialog to grant permissions to the distribution. If you want to share content through the distribution, you first need to grant this ID read permission in the ACL/permission setting dialog.
  • Trusted Signers: only trusted signers are allowed to sign the distribution's URLs. If you want to sign private distribution URLs for download/streaming, you should add at least one trusted signer, for example by toggling "Add Myself as a Trusted Signer".
    To find your account number, go to Your Account | Account Activity on AWS website, and look for the Account Number.

Grant the Permission for the Origin Access Identity

You have to grant Read access to the CloudFront Origin Access Identity to make the files available through the private distribution.
There are two ways to do this:
  • Grant read permission to the S3 Canonical User ID. Copy the S3 Canonical User ID shown in Fig. 2, then give that user read permission on the S3 object by right-clicking the object and choosing "ACL Setting...", as shown in Fig. 3.

Fig. 3. Add S3 Canonical User ID with Read Permission
  • Or configure the bucket policy to always grant Read access to the Origin Access Identity, by right-clicking the bucket and choosing "Bucket Policy..." to set up the policy.
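The bucket-policy approach above is the one that is easiest to get wrong by hand, so here is an added example (not CrossFTP's own code, and not part of the original post) that builds the policy document you would paste into the "Bucket Policy..." dialog. It grants s3:GetObject on every object to the Origin Access Identity's S3 Canonical User ID, merges that grant into any existing policy without duplicating it, and checks that the bucket does not also carry an anonymous (Principal "*") read grant, which would leave the plain S3 URLs open and make the private distribution pointless. The bucket name and canonical user ID are constructed placeholders; copy the real canonical user ID from CrossFTP's Private Content tab (Fig. 2).

```python
import fnmatch
import json
from typing import Any, Dict, List, Optional

# Constructed placeholders: replace with your bucket and the S3 Canonical User ID
# shown in CrossFTP's Private Content tab for the distribution.
BUCKET = "example-private-media"
OAI_CANONICAL_USER_ID = "0123456789abcdef" * 4  # placeholder, not a real ID

OAI_SID = "CloudFrontOAIRead"


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def oai_read_statement(bucket: str, canonical_user_id: str) -> Dict[str, Any]:
    """Read-only grant for the Origin Access Identity on every object in the bucket."""
    return {
        "Sid": OAI_SID,
        "Effect": "Allow",
        "Principal": {"CanonicalUser": canonical_user_id},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::%s/*" % bucket,
    }


def add_oai_read(policy: Optional[Dict[str, Any]], bucket: str,
                 canonical_user_id: str) -> Dict[str, Any]:
    """Return a new policy containing the OAI grant exactly once (idempotent)."""
    merged: Dict[str, Any] = {"Version": "2012-10-17", "Statement": []}
    if policy:
        merged["Version"] = policy.get("Version", "2012-10-17")
        merged["Statement"] = list(_as_list(policy.get("Statement")))
    # Drop any earlier copy of our statement so re-running does not duplicate it.
    merged["Statement"] = [s for s in merged["Statement"] if s.get("Sid") != OAI_SID]
    merged["Statement"].append(oai_read_statement(bucket, canonical_user_id))
    return merged


def _is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_object_read(actions: Any) -> bool:
    """True if any action pattern (case-insensitive, wildcards allowed) covers s3:GetObject."""
    return any(fnmatch.fnmatchcase("s3:getobject", str(a).lower()) for a in _as_list(actions))


def public_read_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Allow statements that let anonymous callers read objects. Any hit means the
    content is reachable without a signed CloudFront URL."""
    return [
        s for s in _as_list(policy.get("Statement"))
        if s.get("Effect") == "Allow"
        and _is_anonymous(s.get("Principal"))
        and _grants_object_read(s.get("Action"))
    ]


def render_policy(policy: Dict[str, Any]) -> str:
    """JSON text in the form the Bucket Policy dialog accepts."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed "existing" policy that still has a public-read statement.
    existing = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "LegacyPublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::%s/*" % BUCKET,
        }],
    }
    updated = add_oai_read(existing, BUCKET, OAI_CANONICAL_USER_ID)
    print(render_policy(updated))
    for stmt in public_read_statements(updated):
        print("WARNING: statement %r still allows anonymous reads; remove it "
              "or the private distribution can be bypassed." % stmt.get("Sid"))
```

Running the script prints the merged policy and, for the constructed input, a warning about the leftover "LegacyPublicRead" statement. Once that statement is removed, the only read path left is the Origin Access Identity, which is exactly what a private distribution relies on.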
This feature is available in CrossFTP Pro 1.86.2 or later.
CrossFTP is an FTP and Amazon S3 client for Windows, Mac, and Linux.
