<\/p>\n
How the Flow Works ?<\/p>\n
- \n
- User requests a file \u2192 Example: https:\/\/mycdn.com\/protected\/report.pdf<\/li>\n
- CloudFront Behavior matches \/protected\/* path \u2192 This behavior is configured with:\n
- \n
- Origin \u2192 S3 bucket (where your files live)<\/li>\n
- Lambda@Edge (Viewer Request trigger) \u2192 Runs before going to the origin to check authentication.<\/li>\n<\/ul>\n<\/li>\n
- Lambda@Edge checks for Cognito session cookie \u2192\n
- \n
- If no cookie \u2192 Redirect user to Cognito login page.<\/li>\n
- If cookie present \u2192 Validate it.<\/li>\n<\/ul>\n<\/li>\n
- User logs in via Cognito User Pool \u2192 Cognito verifies credentials.<\/li>\n
- Callback step: Once the user signs in, Cognito sends them over to the \/callback endpoint along with an authorization code. A second Lambda@Edge runs here, exchanges the code (or simulates it in your code), sets a session cookie, and then redirects the user back to the \/protected\/* path.<\/li>\n
- Lambda@Edge validates the request again \u2192 Now sees the user is authenticated.<\/li>\n
- CloudFront forwards the request to S3 Origin \u2192 Fetches the actual file (report.pdf).<\/li>\n
- User gets the file securely \u2192 File is delivered via CloudFront only after passing Cognito login.<\/li>\n<\/ul>\n
<\/p>\n
To make this use case follow the below steps<\/p>\n
<\/p>\n
1. Create cloudfront distrbution.<\/h1>\n
![\"CDN](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-13-54-18-1024x435.png\")
1.CDN<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
1.1. Create origin as s3 bucket where actual file which need to be delivered is placed.<\/h1>\n
![\"Origin\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-13-58-18.png\")
1.1 CDN Origin<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
1.2. Create two behavior for CDN<\/h1>\n
![\"Behavior\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-14-01-18-1024x52.png\")
1.2 CDN Behavior<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
1.3. For the first behavior, set the path pattern to \/callback*, point the origin to the S3 bucket where your files are stored, and attach an Origin Request Lambda@Edge function: arn:aws:lambda:us-east-1:051826723812:function:cognito-s3:34<\/h1>\n
![\"callback\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-14-11-56-1024x181.png\")
1.3 Callback Behavior<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
1.4. For the second behavior, configure the path pattern as \/protected\/*, use the same S3 bucket as the origin, and attach a Viewer Request Lambda@Edge function:arn:aws:lambda:us-east-1:051826723812:function:cognito-s3:33<\/h1>\n
![\"1.4](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-14-15-38-1024x181.png\")
1.4 Protected Behavior<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
2. Use AWS Cognito services to create user pool and app client<\/h1>\n
User Pool –<\/p>\n
![\"User](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-14-32-00-1024x215.png\")
2.User Pool<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
App Client-<\/p>\n
Create User with email ID who want to access file we can create a common group email and whole team can use that to authenticate themselves while accessing the file . Make a note of Client ID , User pool ID and set Allowed callback URL (set it as <CDN URL\/<behavior used for callback>>) these will be used in lambda edge code<\/p>\n
![\"2.1.](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-14-35-14-1024x531.png\")
2.1. app-client<\/p><\/div>\n
<\/p>\n
<\/p>\n
![\"2.3](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-19-33-29-1024x166.png\")
2.2 Cognito-User-Creation<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
3. Create Two lambda edge function used in CDN behavior above<\/h1>\n
First Lambda Code used in protected CDN behavior<\/strong><\/p>\n
import urllib.parse<\/p>\n
# ===== CONFIG =====
\nCOGNITO_REGION = “ap-south-1”
\nAPP_CLIENT_ID = “2nlgjvvk6a6lj21n0t67fq1itj”
\nAPP_CLIENT_SECRET = “lt4m91rbgqvovb5p1vkpbuje4vabibtikrslbd1ssngg8nut4s5”
\nCOGNITO_DOMAIN = “https:\/\/ap-south-1edktvejzx.auth.ap-south-1.amazoncognito.com”
\nREDIRECT_URI = “https:\/\/d21wc134unren9.cloudfront.net\/callback”
\nPROTECTED_URI =”\/protected\/S3_Cost_Optimization_Summary.xlsx_0.ods”
\ndef lambda_handler(event, context):
\nrequest = event[‘Records’][0][‘cf’][‘request’]
\nheaders = request.get(‘headers’, {})<\/p>\nprint(“DEBUG: Incoming request URI:”, request[‘uri’])<\/p>\n
# Check if request is for the protected path
\nif request[‘uri’].startswith(PROTECTED_URI):
\nprint(“DEBUG: Protected path requested”)
\n# Check for session cookie
\ncookies = headers.get(‘cookie’, [])
\nhas_session = any(‘CognitoAuthSession’ in cookie[‘value’] for cookie in cookies)<\/p>\nif not has_session:
\n# Redirect to Cognito login
\nlogin_url = (
\nf”{COGNITO_DOMAIN}\/login?”
\nf”client_id={APP_CLIENT_ID}&”
\nf”redirect_uri={urllib.parse.quote(REDIRECT_URI)}&”
\nf”response_type=code&”
\nf”scope=openid+email+phone”
\n)
\nprint(“DEBUG: No session found, redirecting to Cognito login:”, login_url)
\nreturn {
\n‘status’: ‘302’,
\n‘statusDescription’: ‘Found’,
\n‘headers’: {
\n‘location’: [{‘key’: ‘Location’, ‘value’: login_url}]
\n}
\n}
\nelse:
\nprint(“DEBUG: Session cookie found, allowing access”)
\nelse:
\nprint(“DEBUG: Non-protected URI, passing through”)<\/p>\nreturn request<\/p><\/blockquote>\n
Second Lambda Edge code used in callback CDN behavior<\/strong><\/p>\n
<\/p>\n
import urllib.parse
\nimport base64<\/p>\n# ===== CONFIG =====
\nCOGNITO_REGION = “ap-south-1”
\nAPP_CLIENT_ID = “2nlgjvvk6a6lj21n0t67fq1itj”
\nAPP_CLIENT_SECRET = “lt4m91rbgqvovb5p1vkpbuje4vabibtikrslbd1ssngg8nut4s5”
\nCOGNITO_DOMAIN = “https:\/\/ap-south-1edktvejzx.auth.ap-south-1.amazoncognito.com”
\nREDIRECT_URI = “https:\/\/d21wc134unren9.cloudfront.net\/callback”
\n=PROTECTED_URI =”\/protected\/S3_Cost_Optimization_Summary.xlsx_0.ods”<\/p>\ndef lambda_handler(event, context):
\nrequest = event[‘Records’][0][‘cf’][‘request’]
\nquerystring = request.get(‘querystring’, ”)<\/p>\nprint(“DEBUG: Callback request received, querystring:”, querystring)<\/p>\n
params = urllib.parse.parse_qs(querystring)
\ncode = params.get(‘code’, [None])[0]<\/p>\nif not code:
\nprint(“DEBUG: No auth code found in querystring, passing request through”)
\nreturn request<\/p>\nprint(“DEBUG: Auth code received:”, code)<\/p>\n
# Dummy session cookie (for testing)
\nsession_cookie = base64.b64encode(code.encode()).decode()<\/p>\nprint(“DEBUG: Setting session cookie and redirecting to protected URI:”, PROTECTED_URI)
\nreturn {
\n‘status’: ‘302’,
\n‘statusDescription’: ‘Found’,
\n‘headers’: {
\n‘location’: [{‘key’: ‘Location’, ‘value’: PROTECTED_URI}],
\n‘set-cookie’: [{
\n‘key’: ‘Set-Cookie’,
\n‘value’: f’CognitoAuthSession={session_cookie}; Path=\/; Secure; HttpOnly’
\n}]
\n}
\n}<\/p>\n<\/p><\/blockquote>\n
4. Create s3 bucket with below sample object path this should be align with cloudfront and lamdba edge code . In our use case we created S3 bucket s3:\/\/otp-frontend-shubham<\/em> <\/strong><\/span>and inside it we created a path protected\/\u00a0 <\/strong><\/span>inside which there is actual file that we need to share to to end user.<\/h1>\n
![\"S3-config\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-18-35-25-1024x316.png\")
S3-config<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
![\"S3-Object-Path\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-18-36-09-1024x316.png\")
S3-Object-Path<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
5. Final Testing<\/strong><\/h1>\n
Let\u2019s assume we have a file placed in the above S3 path on a daily basis. An automation job runs at a fixed time, generates the file, and uploads it to the S3 bucket.<\/p>\n
In a real-world scenario, the file name could include a timestamp or date (e.g., file_name09052025). In such cases, we can enhance the Lambda code to always pick the latest file and generate a CDN URL for it, which can then be shared with the end users via email.<\/p>\n
For simplicity in this demo, I am using a static file named S3_Cost_Optimization_Summary.xlsx_0.ods<\/strong>, already placed in the S3 bucket, and sharing its CDN URL directly with the end user.<\/p>\n
End users will try to access the file via this URL:<\/p>\n
https:\/\/d21wc134unren9.cloudfront.net\/protected\/S3_Cost_Optimization_Summary.xlsx_0.ods<\/span><\/em><\/p>\n
Since the user is not logged in, their first request to the URL will be intercepted and redirected to the Cognito login page for authentication.<\/p>\n
![\"cognito-login-page\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-19-48-32-1024x536.png\")
cognito-login-page.Enter the user name and password for the user created in user pool of congnito services<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
![\"cognito-login-username\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-19-50-15.png\")
cognito-login-username<\/p><\/div>\n
![\"cognito-password-page\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-19-52-30-1024x641.png\")
cognito-password-page<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
![\"file-downloaded\"](\"https:\/\/www.tothenew.com\/blog\/wp-ttn-blog\/uploads\/2025\/09\/Screenshot-from-2025-09-05-19-54-41-1024x182.png\")
file-downloaded<\/p><\/div>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
<\/p>\n
Conclusion<\/strong><\/h1>\n
In this setup we walked through how S3, CloudFront, Cognito, and Lambda@Edge can work together to lock down access to files. Instead of handing out public links, the content now sits safely behind a login page, and only the right users can fetch it. The best part is you still get the speed of a CDN along with strong access control. It\u2019s a simple pattern you can reuse whenever you need to share files securely without exposing your bucket.<\/p>\n
Thanks for reading till the end \u2014 I hope you walk away with something practical to apply<\/em><\/strong><\/p>\n
<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"In this blog, I will walk you through the steps to secure access to S3 objects using Amazon CloudFront (CDN) integrated with Amazon Cognito authentication. The goal is to move away from easily shareable pre-signed URLs and instead enforce user in cognito user pool based, authenticated access. For example, a team may need to access […]<\/p>\n","protected":false},"author":2172,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":120},"categories":[5877],"tags":[248,2645,1545,670],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/75632"}],"collection":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/users\/2172"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/comments?post=75632"}],"version-history":[{"count":34,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/75632\/revisions"}],"predecessor-version":[{"id":76129,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/posts\/75632\/revisions\/76129"}],"wp:attachment":[{"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/media?parent=75632"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/categories?post=75632"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.tothenew.com\/blog\/wp-json\/wp\/v2\/tags?post=75632"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}