         | Did this page help you? Yes No Tell us about it... |
Using a Signed URL to Serve Private Content
Topics
For many companies that distribute data via the Internet, it is important to restrict access to documents, business data, media streams, or content intended for users who have paid a fee. You can use CloudFront private distributions to restrict access to data in Amazon S3 buckets. This section describes how a private distribution is different from a public distribution, describes how to create a private distribution, and provides links to sample code you might find helpful when creating your signed URL.
![[Important]](http://docs.amazonwebservices.com/docs-common/images/important.png) | Important |
|---|---|
You can use a signed URL to distribute content from a custom origin. However, for CloudFront to access your objects on your custom origin, the objects must remain publicly accessible. As a result, anyone who has the URL for an object on your custom origin can access the object without the protection provided by CloudFront signed URLs. If you use signed URLs with custom origins, do not give the URLs for the objects on your custom origin to your customers or to others outside your organization. For more information about origin servers for download distributions, see Origins. For more information about origin servers for streaming distributions, see Using an Amazon S3 Bucket as the Origin for a Streaming Distribution. |
Static Signed URLs vs. Dynamic Signed URLs
You can distribute private content with a static signed URL or a dynamic signed URL. You use a static signed URL when distributing private content to a known end user, such as distributing a business plan to an investor, or distributing training materials to employees. In this case, you create a signed URL and make the URL available to your end users as needed. You use a dynamic signed URL to distribute content on-the-fly to an end user for a limited purpose, such as distributing movie rentals or music downloads to customers on demand. In this case, your application generates the signed URL.
To integrate signed URL creation into your application for dynamic, on-the-fly signed URL generation, follow the procedures described in this section. However, to avoid coding, and yet distribute content to an end user for a limited purpose without dynamic signed URL creation, you can try creating a CloudFront private distribution using one of the third-party GUI tools listed in GUI Tools for Signature Generation.
