I am looking for an answer at a conceptual level. So please refrain from simply providing a link to AWS documentation as an answer.
This is how a canned policy is generated by boto:

```python
@staticmethod
def _canned_policy(resource, expires):
    """
    Creates a canned policy string.
    """
    # Fixed template: only the resource URL and the expiry time vary.
    policy = ('{"Statement":[{"Resource":"%(resource)s",'
              '"Condition":{"DateLessThan":{"AWS:EpochTime":'
              '%(expires)s}}}]}' % locals())
    return policy
```
And this is how a custom policy is generated by the same library:

```python
import json
import time

@staticmethod
def _custom_policy(resource, expires=None, valid_after=None, ip_address=None):
    """
    Creates a custom policy string based on the supplied parameters.
    """
    condition = {}
    # SEE: http://docs.amazonwebservices.com/AmazonCloudFront/latest/DeveloperGuide/RestrictingAccessPrivateContent.html#CustomPolicy
    # The 'DateLessThan' property is required.
    if not expires:
        # Defaults to ONE day
        expires = int(time.time()) + 86400
    condition["DateLessThan"] = {"AWS:EpochTime": expires}
    if valid_after:
        condition["DateGreaterThan"] = {"AWS:EpochTime": valid_after}
    if ip_address:
        # A bare address is treated as a single-host CIDR block.
        if '/' not in ip_address:
            ip_address += "/32"
        condition["IpAddress"] = {"AWS:SourceIp": ip_address}
    policy = {"Statement": [{
        "Resource": resource,
        "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":"))
```
To my mind, a canned policy is essentially a custom policy but with fewer attributes.
If it is a correct observation, then why the need for two different policies?
A signed URL is a URL that provides limited permission and time to make a request. Signed URLs contain authentication information in their query string, allowing users without credentials to perform specific actions on a resource.
The signed URL allows the user to download or stream the content. This step is automatic; the user usually doesn't have to do anything additional to access the content. For example, if a user is accessing your content in a web browser, your application returns the signed URL to the browser.
Allowed HTTP methods: CloudFront supports GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE to get, add, update, and delete objects, and to get object headers. CloudFront only caches responses to GET and HEAD requests and, optionally, OPTIONS requests.
Explanation: A mechanism for restricting access to content served through a distribution is provided by CloudFront signed URLs. It limits who can view the content, in contrast to the Origin Access Identity.
Yes, a canned policy can convey only a specific subset of the attributes of a custom policy, but the distinction between the two is more significant.
When you use a canned (pre-defined) policy, the contents of the resulting canned policy document are so deterministic and predictable -- from the elements of the request, itself -- that the policy document doesn't even need to be sent to CloudFront along with the request.
Instead, it's generated locally so that you can sign it, but then it's discarded. The server generates the identical document based on the request parameters, and validates the signature.
By contrast, with a custom policy, the policy document itself is sent with the request, base-64 encoded, in &Policy= in the URL. This makes the URL longer, since the policy document has to be sent along, but the policy document itself is now allowed to contain elements that can't be simply extrapolated from the request by simple examination.
Canned policies, then, are (at least to some extent) more "lightweight" -- shorter URLs mean fewer bytes included in the request, and somewhat less processing needed to use them, but they have less flexibility than custom policies.
Comparison matrix: Using signed URLs @ docs.aws.amazon.com
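The difference described in the answer above, as an added example (not part of the original post and not boto's code): a canned URL carries only Expires and the verifier rebuilds the policy from the request, while a custom URL carries the policy itself in Policy. Assumptions: HMAC-SHA256 with a constructed key is swapped in for CloudFront's RSA signature so it runs offline, the URL and key-pair ID are constructed, and `server_policy` is a simplified model of the edge-side check.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlsplit, parse_qs

KEY = b"constructed-demo-key"   # assumption: stands in for the RSA private key
KEY_ID = "EXAMPLEKEYPAIRID"     # constructed placeholder
TO_URL, FROM_URL = str.maketrans("+=/", "-_~"), str.maketrans("-_~", "+=/")

def b64(raw):
    # CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'
    return base64.b64encode(raw).decode().translate(TO_URL)

def sign(policy):
    # HMAC-SHA256 swapped in for the real RSA signature (demo only)
    return b64(hmac.new(KEY, policy.encode(), hashlib.sha256).digest())

def canned_policy(resource, expires):
    return ('{"Statement":[{"Resource":"%s","Condition":'
            '{"DateLessThan":{"AWS:EpochTime":%d}}}]}' % (resource, expires))

def canned_url(url, expires):
    # The policy is signed and then discarded: only Expires travels in the URL.
    sig = sign(canned_policy(url, expires))
    return f"{url}?Expires={expires}&Signature={sig}&Key-Pair-Id={KEY_ID}"

def custom_url(url, condition):
    policy = json.dumps({"Statement": [{"Resource": url, "Condition": condition}]},
                        separators=(",", ":"))
    return (f"{url}?Policy={b64(policy.encode())}"
            f"&Signature={sign(policy)}&Key-Pair-Id={KEY_ID}")

def server_policy(signed_url):
    """Return the policy the signature covers, or None if it does not verify."""
    parts = urlsplit(signed_url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "Policy" in q:   # custom: the policy document is carried in the request
        policy = base64.b64decode(q["Policy"].translate(FROM_URL)).decode()
    else:               # canned: rebuilt from the requested URL plus Expires
        base = f"{parts.scheme}://{parts.netloc}{parts.path}"
        policy = canned_policy(base, int(q["Expires"]))
    return policy if hmac.compare_digest(sign(policy), q["Signature"]) else None

URL = "https://example.cloudfront.net/private/video.mp4"   # constructed sample

if __name__ == "__main__":
    print(canned_url(URL, 1700000000))
    print(custom_url(URL, {"DateLessThan": {"AWS:EpochTime": 1700000000},
                           "IpAddress": {"AWS:SourceIp": "203.0.113.0/24"}}))
```

Editing Expires in the canned URL changes the policy the verifier reconstructs, so the signature no longer matches even though Expires is a plain query parameter.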