edla

Reputation: 551

Is it possible to invalidate or revoke an AWS Cloudfront Signed URL after it has been created?

We want to be able to revoke a signed URL on-demand, not necessarily when a preset timeout happens.

Upvotes: 6

Views: 3962

Answers (2)

mmuppidi

Reputation: 101

It is possible to revoke pre-signed urls created using a role, but I am not sure if this works for your scenario.

  • Create a role which has a policy with 's3:GetObject' permission. Here is what the policy would look like:

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "s3:GetObject",
              "Resource": "arn:aws:s3:::<bucket-name>/*"
            }
          ]
        }
  • Assume this role to create a pre-signed url
  • If you want to revoke the pre-signed url just delete the role and it should work.

The drawback with this approach is that if we delete the role, all the pre-signed URLs created using the role will not work anymore.

Upvotes: 2

Matt Houser

Reputation: 36063

No, it's not possible to revoke a pre-signed URL. The credentials embedded in the URL are temporary credentials linked to the credentials used to create the pre-signed URL.

The closest thing you could do is either:

  • Delete or rename the object being requested by the pre-signed URL, or
  • Delete the access keys used to create the pre-signed URL.

However, depending on your use-case, neither of those may be viable options.

Upvotes: 8
