In this example we provide step-by-step instructions to create Amazon CloudFront Signed URLs with both canned and custom policies using:
- AWS Lambda (Node.js 24.x) as the execution tool
- AWS Secrets Manager to manage the private signing key, following security best practices
- Amazon S3 as a restricted content source
The Lambda functions use the AWS SDK for JavaScript v3 (bundled in the Lambda runtime) and Node.js's built-in crypto module to generate signed URLs — no additional packages or local tooling required.
Detailed information about:
What you will need:
- An AWS account with an IAM user
- Working knowledge of Amazon IAM, S3, CloudFront, Secrets Manager, and Lambda
Please start with Step 1 to begin the exercise.
Step 1: Create Amazon S3 Bucket
Step 2: Create Amazon CloudFront Distribution
Step 3: Create Amazon CloudFront Key Groups
Step 4: Create AWS Secrets Manager
Step 5: Create AWS CloudFront SignedURL with Canned Policy
Step 6: Create AWS CloudFront SignedURL with Custom Policy
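
The signing that Steps 5 and 6 carry out in Lambda, sketched as an added example (not the workshop's own code) using only Node.js's built-in crypto module. The key pair is generated inline as a stand-in for the key held in Secrets Manager, and the domain, object path, key-pair ID and IP range are constructed placeholders.

```javascript
const crypto = require('node:crypto');

// CloudFront's URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfSafe = (b64) => b64.replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');

// Policy JSON is signed byte for byte, so it is serialized without whitespace.
function buildPolicy(resource, expiresEpoch, { startsEpoch, ipCidr } = {}) {
  const condition = { DateLessThan: { 'AWS:EpochTime': expiresEpoch } };
  if (startsEpoch) condition.DateGreaterThan = { 'AWS:EpochTime': startsEpoch };
  if (ipCidr) condition.IpAddress = { 'AWS:SourceIp': ipCidr };
  return JSON.stringify({ Statement: [{ Resource: resource, Condition: condition }] });
}

// CloudFront signed URLs use an RSA signature over the SHA-1 hash of the policy.
function signPolicy(policy, privateKey) {
  return cfSafe(crypto.createSign('RSA-SHA1').update(policy).sign(privateKey, 'base64'));
}

// Canned policy: only Expires travels in the URL; CloudFront rebuilds the
// policy from the requested URL and Expires before checking the signature.
function signCanned(url, keyPairId, privateKey, expiresEpoch) {
  const sig = signPolicy(buildPolicy(url, expiresEpoch), privateKey);
  const sep = url.includes('?') ? '&' : '?';
  return `${url}${sep}Expires=${expiresEpoch}&Signature=${sig}&Key-Pair-Id=${keyPairId}`;
}

// Custom policy: the policy itself is sent, so it can cover a wildcard
// resource and add a start time or a source IP range.
function signCustom(url, resource, keyPairId, privateKey, expiresEpoch, opts) {
  const policy = buildPolicy(resource, expiresEpoch, opts);
  const encoded = cfSafe(Buffer.from(policy).toString('base64'));
  const sep = url.includes('?') ? '&' : '?';
  const sig = signPolicy(policy, privateKey);
  return `${url}${sep}Policy=${encoded}&Signature=${sig}&Key-Pair-Id=${keyPairId}`;
}

// Constructed demo values: throwaway key pair, placeholder ID, domain and IP range.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const KEY_PAIR_ID = 'K_PLACEHOLDER_ID';
const BASE = 'https://dexample.cloudfront.net';
const OBJECT_URL = `${BASE}/private/report.pdf`;
const expires = Math.floor(Date.now() / 1000) + 300; // valid for five minutes

const cannedUrl = signCanned(OBJECT_URL, KEY_PAIR_ID, privateKey, expires);
const customUrl = signCustom(OBJECT_URL, `${BASE}/private/*`, KEY_PAIR_ID, privateKey,
  expires, { ipCidr: '203.0.113.0/24' });
console.log(cannedUrl);
console.log(customUrl);
```

A short expiry and, with the custom policy, a narrow resource pattern and source range limit what a leaked URL can be used for.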