Learn how to serve content hosted on Amazon Web Services (AWS) S3 through our CDN.
Recommended setup:
Create a customer origin configuration.
Will either an edge CNAME configuration or requests to this customer origin reference the AWS S3 bucket name?
Request AWS S3 integration from your CDN account manager.
Make sure to have key CDN and AWS S3 setup information on hand when submitting this request.
An alternative to the above procedure is to make the desired AWS S3 content public and then create a customer origin configuration that points to the AWS S3 origin server (e.g., BucketName.s3.amazonaws.com).
This document assumes that you have already established an Amazon Web Services account.
It is recommended that you segregate and secure content that should be delivered through the CDN from other private content. This can be accomplished by performing the following:
Create a security policy.
To create a bucket
In the Bucket Name option, specify the desired name.
The specified name must be unique across all AWS customer accounts.
From the Services menu, select IAM.
The Identity and Access Management service allows you to define a security policy for all AWS services, including S3.
Mark the AmazonS3ReadOnlyAccess policy template. This policy template contains the only permissions required by our CDN:
"s3:Get*",
"s3:List*",
Upload a small text file to it by performing the following steps:
By default, AWS S3 marks all uploaded content as private. Private content can only be requested through the use of a signed URL. The URL generated by the above procedure is not a signed URL and therefore it cannot be used to request your content. However, our personnel can generate a signed URL from it by leveraging the provided AWS user account credentials.
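The AmazonS3ReadOnlyAccess managed policy grants its actions on every bucket in the account (`"Resource": "*"`), so the credentials handed over for CDN integration can read more than the dedicated bucket. The following check is an added example, not part of the original procedure or of any AWS or CDN tooling; it flags a policy document that reaches beyond one bucket. The function name, the two sample policies, and the bucket name `mybucket` are assumptions.

```python
import fnmatch

# Action patterns the page lists as the only permissions the CDN needs.
ALLOWED_ACTION_PATTERNS = ("s3:get*", "s3:list*")

def as_list(value):
    """IAM allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]

def audit_cdn_policy(policy, bucket):
    """Return findings for an IAM policy document meant only for the CDN user."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    findings = []
    for n, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {n}: NotAction/NotResource grants by exclusion")
        for action in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive.
            if not any(fnmatch.fnmatchcase(action.lower(), p)
                       for p in ALLOWED_ACTION_PATTERNS):
                findings.append(f"statement {n}: action {action} is not read-only S3 access")
        for resource in as_list(stmt.get("Resource", [])):
            # Accept the bucket itself or keys under it; anything else reaches further.
            if resource != bucket_arn and not resource.startswith(bucket_arn + "/"):
                findings.append(f"statement {n}: resource {resource} is outside bucket {bucket}")
    return findings

# Constructed sample: the page's two actions granted on every bucket in the account.
ACCOUNT_WIDE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}
# Constructed sample: the same actions confined to the dedicated CDN bucket.
BUCKET_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
    }],
}

if __name__ == "__main__":
    for name, doc in (("account-wide", ACCOUNT_WIDE), ("bucket-scoped", BUCKET_SCOPED)):
        print(name, audit_cdn_policy(doc, "mybucket") or "OK")
```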
The next step in the integration of the AWS S3 storage solution with our CDN service is to create a customer origin configuration that points to AWS S3.
Key information:
Determine whether the client will be allowed to request content via HTTP, HTTPS, or both.
The desired AWS S3 hostname must be defined in the Hostname or IP Address option and the HTTP Host Header option.
The AWS S3 hostname that should be used varies according to the following factors:
Will the AWS S3 bucket name be referenced by the customer origin, edge CNAME, or in the request?
Regardless of whether clients will be allowed to make HTTPS requests, make sure to use the HTTPS protocol when defining the hostname (e.g., https://s3.amazonaws.com).
Make sure that the AWS S3 bucket name is referenced by one of the following components:
Edge CNAME's relative path
If your links do not already reference the AWS S3 bucket name, then the easiest setup is to include the AWS S3 bucket name in either a customer origin or an edge CNAME configuration.
Referencing the AWS S3 bucket name by more than one component will result in an invalid configuration.
The following sample scenarios demonstrate valid configurations.
Customer Origin (host header defined in the customer origin configuration) | Edge CNAME's Relative Path | Request |
---|---|---|
mybucket.s3.amazonaws.com | [Blank] | https://cdn.mydomain.com/marketing/ad.pdf |
s3.amazonaws.com | /mybucket | https://cdn.mydomain.com/marketing/ad.pdf |
s3.amazonaws.com | [Blank] | https://cdn.mydomain.com/mybucket/marketing/ad.pdf |
The following sample scenarios will generate either a 403 Forbidden or a 404 Not Found.
Customer Origin (host header defined in the customer origin configuration) | Edge CNAME's Relative Path | Invalid Request |
---|---|---|
s3.amazonaws.com | [Blank] | https://cdn.mydomain.com/marketing/ad.pdf |
s3.amazonaws.com | /mybucket | https://cdn.mydomain.com/mybucket/marketing/ad.pdf |
mybucket.s3.amazonaws.com | [Blank] | https://cdn.mydomain.com/mybucket/marketing/ad.pdf |
mybucket.s3.amazonaws.com | /mybucket | https://cdn.mydomain.com/marketing/ad.pdf |
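The rule behind both tables (the bucket name is referenced by exactly one component, and the origin hostname is defined with HTTPS) can be checked before a configuration is submitted. This is an added example, not CDN tooling; the function names and the model of how the edge builds the origin URL (edge CNAME relative path prepended to the request path) are assumptions, and a first object-key segment that happens to equal the bucket name counts as a reference.

```python
from urllib.parse import urlsplit

S3_ENDPOINT = "s3.amazonaws.com"

def first_segment(path):
    """'/a/b' -> 'a'; a blank path -> ''."""
    return path.strip("/").split("/")[0]

def check_s3_origin(origin_hostname, cname_path, request_url, bucket):
    """Return (origin_url, problems) for one scenario-table row (assumed edge model)."""
    problems = []
    origin = urlsplit(origin_hostname)
    host = origin.hostname or ""
    if origin.scheme != "https":
        problems.append("origin hostname must be defined with https://")
    if host not in (S3_ENDPOINT, f"{bucket}.{S3_ENDPOINT}"):
        problems.append(f"unexpected S3 hostname: {host!r}")
    request_path = urlsplit(request_url).path
    referenced_by = [name for name, hit in (
        ("customer origin", host == f"{bucket}.{S3_ENDPOINT}"),
        ("edge CNAME relative path", first_segment(cname_path) == bucket),
        ("request", first_segment(request_path) == bucket),
    ) if hit]
    if len(referenced_by) != 1:
        problems.append(
            f"bucket referenced by {len(referenced_by)} components "
            f"({', '.join(referenced_by) or 'none'}); exactly one is required")
    origin_url = f"https://{host}{cname_path.rstrip('/')}{request_path}"
    return origin_url, problems

# Rows of the two tables above, with the origin written as an HTTPS hostname.
VALID = [
    ("https://mybucket.s3.amazonaws.com", "", "https://cdn.mydomain.com/marketing/ad.pdf"),
    ("https://s3.amazonaws.com", "/mybucket", "https://cdn.mydomain.com/marketing/ad.pdf"),
    ("https://s3.amazonaws.com", "", "https://cdn.mydomain.com/mybucket/marketing/ad.pdf"),
]
INVALID = [
    ("https://s3.amazonaws.com", "", "https://cdn.mydomain.com/marketing/ad.pdf"),
    ("https://s3.amazonaws.com", "/mybucket", "https://cdn.mydomain.com/mybucket/marketing/ad.pdf"),
    ("https://mybucket.s3.amazonaws.com", "", "https://cdn.mydomain.com/mybucket/marketing/ad.pdf"),
    ("https://mybucket.s3.amazonaws.com", "/mybucket", "https://cdn.mydomain.com/marketing/ad.pdf"),
]

if __name__ == "__main__":
    for row in VALID + INVALID:
        print(check_s3_origin(*row, bucket="mybucket"))
```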
Our edge servers must provide authentication information when communicating with AWS servers. This authentication information consists of your AWS KI (Key ID) and SAK (Secret Access Key). It is sensitive and should not be transmitted as unencrypted text. Therefore, it is important to ensure that your customer origin is configured to only use HTTPS when communicating with AWS servers. This type of configuration encrypts the request/response between the edge server and the AWS server. As a result, your AWS KI and SAK will be encrypted as well.
Ensure end-to-end encryption of the request/response by performing the following steps:
Prepare for HTTPS delivery by requesting a TLS certificate.
Configure your customer origin configuration to only use HTTPS.
Enable the customer origin's HTTPS Edge Protocol option and point it to the desired AWS S3 hostname.
Use the HTTPS protocol when defining this hostname.
Sample hostnames:
https://s3.amazonaws.com
https://BucketName.s3.amazonaws.com
Create an edge CNAME configuration that points to the customer origin configuration configured above. Add or update a CNAME record via your DNS service provider.
Requests to AWS S3 content via our CDN service will not be honored until our personnel have configured your customer origin to authenticate requests.
As previously mentioned, a custom configuration will be applied to your customer origin to automatically authenticate all requests to AWS S3 origin servers. Before this integration process can take place, you will need to provide the following information to your CDN account manager:
AWS credentials for the user created in the "To define a security policy" procedure. Please either provide credentials.csv or the following information:
Links to AWS S3 content should not be made publicly available until CDN personnel have added AWS S3 support to the corresponding customer origin.
The syntax for links to AWS S3 content varies according to the component where the AWS S3 bucket name is defined. The syntax for each supported configuration is provided below.
This section applies to a customer origin whose Host header includes the AWS S3 bucket name (e.g., mybucket.s3.amazonaws.com). Link to AWS S3 content using a standard CDN or edge CNAME URL.
Sample CDN URL (HTTP):
http://wpc.0001.omegacdn.net/800001/marketing/campaign/asset.png
In this URL, wpc identifies the HTTP Large platform, 0001 represents your customer account number, 80 indicates that content from a customer origin server is being requested, and marketing represents the name of the customer origin.
Sample Edge CNAME URL (HTTPS):
https://cdn.mydomain.com/campaign/asset.png
This section applies to an edge CNAME whose relative path has been set to the AWS S3 bucket name (e.g., /mybucket). Link to AWS S3 content using a standard edge CNAME URL.
Sample Edge CNAME URL (HTTPS):
https://cdn.mydomain.com/campaign/asset.png
This section applies to requests that will directly reference the AWS S3 bucket name (e.g., /mybucket). Link to AWS S3 content using a CDN or edge CNAME URL that includes the bucket name.
Sample CDN URL (HTTP):
http://wpc.0001.omegacdn.net/800001/marketing/mybucket/campaign/asset.png
In this URL, wpc identifies the HTTP Large platform, 0001 represents your customer account number, 80 indicates that content from a customer origin server is being requested, marketing represents the name of the customer origin, and mybucket represents the name of the AWS S3 bucket.
Sample Edge CNAME URL (HTTPS):
https://cdn.mydomain.com/mybucket/campaign/asset.png
In this URL, mybucket represents the name of the AWS S3 bucket.