Amazon Web Services S3 Origin Setup

Learn how to serve content hosted on Amazon Web Services (AWS) S3 through our CDN.

Recommended setup:

  1. Prepare your AWS S3 storage account for use with our CDN services.
  2. Create a customer origin configuration.

    Will an edge CNAME configuration or the requests sent to this customer origin reference the AWS S3 bucket name?

    • Yes: Point the customer origin to: s3.amazonaws.com.
    • No: Point the customer origin to: BucketName.s3.amazonaws.com.
  3. Request AWS S3 integration from your CDN account manager.

    Make sure to have key CDN and AWS S3 setup information on hand when submitting this request.

  4. Update links to AWS S3 content to use a CDN or edge CNAME URL.

An alternative to the above procedure is to make the desired AWS S3 content public and then create a customer origin configuration that points to the AWS S3 origin server (e.g., BucketName.s3.amazonaws.com). Keep in mind that public content can then be fetched directly from S3 by anyone who knows its URL, bypassing the CDN entirely.

Amazon Web Services Setup

This document assumes that you have already established an Amazon Web Services account.

It is recommended that you segregate and secure content that should be delivered through the CDN from other private content. This can be accomplished by performing the following:

  1. Create a bucket that will contain content delivered through the CDN.
  2. Create a security policy.

    1. Create a read-only group through the IAM service.
    2. Create a user and assign it to the read-only group.
    3. Download the new user's credentials.
  3. Upload an asset to the bucket and then generate a URL through which our personnel will be able to verify that AWS S3 has been properly configured with our CDN.

To create a bucket

  1. Log in to the AWS Management console and select S3.
  2. Click Create Bucket to start a wizard through which you will create a bucket that will host CDN content.
  3. In the Bucket Name option, specify the desired name.

    The specified name must be unique across all AWS customer accounts.

  4. In the AWS Region option, select the location where your bucket will reside.
  5. Click Create.

To define a security policy

  1. From the Services menu, select IAM.

    The Identity and Access Management service allows you to define a security policy for all AWS services, including S3.

  2. Click the Groups menu from the side navigation bar.
  3. Click Create New Group to start the Create New Group Wizard.
  4. In the Group Name option, define the name of the read-only group that will be created.
  5. Click Next Step.
  6. Mark the AmazonS3ReadOnlyAccess policy template. This policy template contains the only permissions required by our CDN:

    "s3:Get*",

    "s3:List*",

    Note that the template grants these read actions on every bucket in the account, not only on the bucket created above. If the CDN user should be able to read only that bucket, attach a custom policy instead that allows the same actions on arn:aws:s3:::BucketName and arn:aws:s3:::BucketName/* only.

  7. Click Next Step.
  8. Click Create Group.
  9. Click Users from the side navigation bar.
  10. Click Add user.
  11. In the User name option, type the name of the user through which our CDN will request content from AWS S3. This should be a dedicated user that is only used for this purpose.
  12. Mark the Programmatic access option.
  13. Click Next: Permissions.
  14. Mark the previously created group.
  15. Click Next: Tags.
  16. Click Next: Review.
  17. Click Create user.
  18. Click Download .csv and save the new user's credentials.
  19. Verify that the CSV file contains the credentials for the user account created in this procedure. These credentials are required to integrate AWS S3 with our CDN service and will need to be sent to our personnel. Treat the file as a secret: store it accordingly and delete any copies you no longer need once the integration is confirmed.
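A bucket-scoped alternative to the AmazonS3ReadOnlyAccess template, as an added example that is not part of this page or of the CDN's tooling: it emits a custom IAM policy that grants the same read actions on one bucket only, and includes a small evaluator (no Condition support) to show that the managed template reaches every bucket in the account while the scoped policy does not. The bucket names are constructed, and MANAGED_S3_READ_ONLY models the managed policy as described above rather than reproducing the live policy document.

```python
"""Least-privilege alternative to the AmazonS3ReadOnlyAccess template for the
CDN's IAM user, plus a tiny evaluator to compare the reach of both policies.

Added illustration, not the CDN's or AWS's code. Bucket names are constructed;
MANAGED_S3_READ_ONLY models the managed policy as described on this page (the
live managed policy may carry additional actions).
"""
import fnmatch
import json

MANAGED_S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}


def bucket_read_only_policy(bucket: str) -> dict:
    """Same read capability the CDN needs, restricted to one bucket and its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListCdnBucket", "Effect": "Allow",
             "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ReadCdnObjects", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:GetObjectVersion"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def policy_json(bucket: str) -> str:
    """JSON document ready to paste into the IAM console's custom-policy editor."""
    return json.dumps(bucket_read_only_policy(bucket), indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str, case_insensitive: bool) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names are compared case-insensitively; ARNs are not.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """Minimal IAM evaluator (no Conditions): explicit Deny wins, any matching
    Allow grants, and the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource_arn, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def audit(policy: dict, bucket: str) -> list:
    """Flag Allow statements that reach beyond read access to the CDN bucket."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for r in _as_list(stmt.get("Resource", [])):
            if r not in (f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"):
                findings.append(f"{sid}: resource '{r}' is not limited to bucket '{bucket}'")
        for a in _as_list(stmt.get("Action", [])):
            if not a.lower().startswith(("s3:get", "s3:list")):
                findings.append(f"{sid}: action '{a}' is not a read action")
    return findings


if __name__ == "__main__":
    print(policy_json("cdn-public-assets"))
    for name, pol in (("managed", MANAGED_S3_READ_ONLY), ("scoped", bucket_read_only_policy("cdn-public-assets"))):
        print(name, "can read finance-backups:",
              is_allowed(pol, "s3:GetObject", "arn:aws:s3:::finance-backups/q4.xlsx"))
```

The evaluator deliberately ignores Conditions and resource-based (bucket) policies; it exists only to make the blast-radius difference between `Resource: "*"` and a bucket ARN visible before the credentials are handed to a third party.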

To generate a test URL

  1. From the Services menu, select S3.
  2. Open the recently created bucket by clicking on it.
  3. Upload a small text file to it by performing the following steps:

    1. Click Upload.
    2. Click Add Files.
    3. Browse to and then select the desired text file.
    4. Click Open.
    5. Click Upload.
  4. Open the recently uploaded text file.
  5. Note the object URL provided on that page. This URL will need to be provided to our personnel.

By default, AWS S3 marks all uploaded content as private. Private content can only be requested through a signed URL; an unsigned request for it is rejected by S3 with an AccessDenied error. The object URL noted in the above procedure is not a signed URL and therefore cannot be used on its own to retrieve your content. However, our personnel can generate a signed URL from it by leveraging the provided AWS user account credentials, and use that signed URL to verify the configuration.
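The signing step described above, as an added example that is not part of this page or of the CDN's tooling: it builds a Signature Version 4 presigned GET URL from the plain object URL using only the Python standard library, and re-verifies such a URL the way S3 would. The access key pair, bucket, object and timestamp are the constructed sample values that AWS uses in its own Signature Version 4 query-parameter documentation, so the output can be compared against the worked example there; the region is assumed to be us-east-1, the region behind the legacy s3.amazonaws.com endpoint.

```python
"""Presigned S3 GET URL (Signature Version 4 query-string authentication).

Added illustration using only the standard library; credentials, bucket, object
and timestamp are constructed sample values (AWS's own documentation examples).
"""
import hashlib
import hmac
from datetime import datetime
from urllib.parse import parse_qsl, quote, unquote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
SIGNED_PARAMS = {"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
                 "X-Amz-Expires", "X-Amz-SignedHeaders"}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_access_key: str, date: str, region: str) -> bytes:
    """Derive the per-day, per-region S3 signing key. Only this derived key signs
    requests; the Secret Access Key itself never goes on the wire."""
    k = _hmac(("AWS4" + secret_access_key).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(params: dict) -> str:
    # SigV4 percent-encodes everything except unreserved characters, sorted by name.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(host: str, path: str, params: dict, secret_access_key: str) -> str:
    amz_date = params["X-Amz-Date"]
    region = params["X-Amz-Credential"].split("/")[2]
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/-_.~"),   # canonical URI: each segment encoded once
        _canonical_query(params),
        f"host:{host}\n",            # canonical headers block ends with a blank line
        "host",                      # signed headers: only Host is covered
        "UNSIGNED-PAYLOAD",          # a presigned GET signs no body
    ])
    string_to_sign = "\n".join([
        ALGORITHM, amz_date, f"{amz_date[:8]}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = signing_key(secret_access_key, amz_date[:8], region)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(object_url, access_key_id, secret_access_key, region, amz_date, expires=3600):
    """Turn the object URL copied from the S3 console into a presigned GET URL.
    amz_date is the signing time as YYYYMMDDTHHMMSSZ; expires is seconds (max 7 days)."""
    u = urlsplit(object_url)
    path = unquote(u.path)   # decode, so canonicalisation encodes it exactly once
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key_id}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature(u.netloc, path, params, secret_access_key)
    return (f"{u.scheme}://{u.netloc}{quote(path, safe='/-_.~')}"
            f"?{_canonical_query(params)}&X-Amz-Signature={sig}")


def verify_presigned_get(url: str, secret_access_key: str, now_amz: str) -> tuple:
    """Re-derive the signature the way S3 does. Returns (ok, reason)."""
    u = urlsplit(url)
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    sig = params.pop("X-Amz-Signature", None)
    if sig is None or set(params) != SIGNED_PARAMS or params["X-Amz-Algorithm"] != ALGORITHM:
        return False, "missing or unexpected query parameters"
    scope = params["X-Amz-Credential"].split("/")
    if len(scope) != 5 or scope[3:] != ["s3", "aws4_request"] or scope[1] != params["X-Amz-Date"][:8]:
        return False, "credential scope does not match the request"
    fmt = "%Y%m%dT%H%M%SZ"
    try:
        age = (datetime.strptime(now_amz, fmt) - datetime.strptime(params["X-Amz-Date"], fmt)).total_seconds()
        expires = int(params["X-Amz-Expires"])
    except ValueError:
        return False, "malformed date or expiry"
    if not 1 <= expires <= 604800 or age < 0 or age > expires:
        return False, "expiry out of range, URL not yet valid, or URL expired"
    expected = _signature(u.netloc, unquote(u.path), params, secret_access_key)
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch: URL altered or wrong key"
    return True, "ok"


if __name__ == "__main__":
    SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    url = presign_get("https://examplebucket.s3.amazonaws.com/test.txt", "AKIAIOSFODNN7EXAMPLE",
                      SECRET, "us-east-1", "20130524T000000Z", expires=86400)
    print(url)
    print(verify_presigned_get(url, SECRET, "20130524T120000Z"))
```

Two properties matter for this page: the Secret Access Key is consumed only by `signing_key` and never appears in the URL, and the signature covers the host, the object path and the expiry, so changing any of them (or presenting the URL after X-Amz-Expires seconds) makes S3 reject it. A bucket in another region needs that region in the credential scope, otherwise S3 returns a signature error.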

CDN Setup

The next step in the integration of the AWS S3 storage solution with our CDN service is to create a customer origin configuration that points to AWS S3.

Key information:

AWS S3 Bucket Name

Make sure that the AWS S3 bucket name is referenced by exactly one of the following components:

  • Customer origin: the host header defined in the customer origin configuration (e.g., mybucket.s3.amazonaws.com).
  • Edge CNAME: the relative path defined in the edge CNAME configuration (e.g., /mybucket).
  • Request: the path of the request URL (e.g., https://cdn.mydomain.com/mybucket/marketing/ad.pdf).

If your links do not already reference the AWS S3 bucket name, then the easiest setup is to include the bucket name in either the customer origin or the edge CNAME configuration.

Referencing the AWS S3 bucket name in more than one component will result in an invalid configuration.

The following sample scenarios demonstrate valid configurations. Customer Origin is the host header defined in the customer origin configuration, Edge CNAME Relative Path is the relative path set in the edge CNAME configuration, and Request is the URL requested by the client.

  Customer Origin             Edge CNAME Relative Path   Request
  --------------------------  -------------------------  ---------------------------------------------------
  mybucket.s3.amazonaws.com   [Blank]                    https://cdn.mydomain.com/marketing/ad.pdf
  s3.amazonaws.com            /mybucket                  https://cdn.mydomain.com/marketing/ad.pdf
  s3.amazonaws.com            [Blank]                    https://cdn.mydomain.com/mybucket/marketing/ad.pdf
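How the three sample configurations map onto the request an edge server sends to S3, as an added example that is not the CDN's code: the composition rule it assumes (edge CNAME relative path prepended to the request path, customer origin host used as the Host header) is inferred from the table above, and all hostnames are constructed. The checker also reports a bucket referenced by more than one component, and shows that in the third configuration the bucket name is chosen by whoever builds the request URL.

```python
"""Resolve the S3 origin request for a CDN configuration and validate that the
bucket name is supplied by exactly one component.

Added illustration, not CDN code. The path-composition rule is an assumption
drawn from the sample table; hostnames and paths are constructed.
"""
from urllib.parse import urlsplit

S3_SUFFIX = ".s3.amazonaws.com"


def resolve_origin_request(origin_host: str, cname_relative_path: str, request_url: str) -> tuple:
    """Return (host, path, bucket) of the request the edge would send to S3."""
    req_path = urlsplit(request_url).path.strip("/")
    rel = cname_relative_path.strip("/")
    path = "/" + "/".join(part for part in (rel, req_path) if part)
    if origin_host.endswith(S3_SUFFIX):
        bucket = origin_host[: -len(S3_SUFFIX)]        # virtual-hosted style: bucket in Host
    elif origin_host == "s3.amazonaws.com":
        bucket = path.strip("/").split("/")[0]         # path style: bucket is the first segment
    else:
        raise ValueError(f"{origin_host} is not an AWS S3 hostname")
    return origin_host, path, bucket


def bucket_references(origin_host: str, cname_relative_path: str, request_url: str, bucket: str) -> list:
    """Name every component that carries the bucket; a valid configuration has exactly one."""
    refs = []
    if origin_host == f"{bucket}{S3_SUFFIX}":
        refs.append("customer origin")
    if cname_relative_path.strip("/").split("/")[0] == bucket:
        refs.append("edge CNAME relative path")
    if urlsplit(request_url).path.strip("/").split("/")[0] == bucket:
        refs.append("request")
    return refs


def check_configuration(origin_host: str, cname_relative_path: str, request_url: str, bucket: str) -> str:
    refs = bucket_references(origin_host, cname_relative_path, request_url, bucket)
    if len(refs) != 1:
        return f"invalid: bucket '{bucket}' referenced by {len(refs)} components ({', '.join(refs) or 'none'})"
    host, path, target = resolve_origin_request(origin_host, cname_relative_path, request_url)
    return f"valid via {refs[0]}: GET https://{host}{path} (bucket {target})"


if __name__ == "__main__":
    for origin, rel, url in (("mybucket.s3.amazonaws.com", "", "https://cdn.mydomain.com/marketing/ad.pdf"),
                             ("s3.amazonaws.com", "/mybucket", "https://cdn.mydomain.com/marketing/ad.pdf"),
                             ("s3.amazonaws.com", "", "https://cdn.mydomain.com/mybucket/marketing/ad.pdf"),
                             ("mybucket.s3.amazonaws.com", "/mybucket", "https://cdn.mydomain.com/ad.pdf")):
        print(check_configuration(origin, rel, url, "mybucket"))
```

The fourth case in the usage block is the invalid double reference the text warns about; note also that with the third configuration a request for /otherbucket/... resolves to a different bucket, which is why the IAM user's permissions must be scoped.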

Authentication & HTTPS Setup

Our edge servers must authenticate every request they send to AWS servers. They do so with your AWS Access Key ID and Secret Access Key: the key ID and a signature derived from the secret key are attached to each request. The secret key itself is never transmitted, but anyone able to read the traffic can see which key is in use and can replay a captured signed request while it is still valid, and the content itself would travel in the clear. Therefore, it is important to ensure that your customer origin is configured to only use HTTPS when communicating with AWS servers. This encrypts the request/response between the edge server and the AWS server, protecting both the authentication data and the content in transit.

Ensure end-to-end encryption of the request/response by performing the following steps:

  1. Prepare for HTTPS delivery by requesting a TLS certificate through Certificate Provisioning System.

  2. Configure your customer origin configuration to only use HTTPS.

    1. Disable the customer origin's HTTP Edge Protocol option.
    2. Enable the customer origin's HTTPS Edge Protocol option and point it to the desired AWS S3 hostname.

      Use the HTTPS protocol when defining this hostname.

      Sample hostnames:

      https://s3.amazonaws.com

      https://BucketName.s3.amazonaws.com

  3. Create an edge CNAME configuration that points to the customer origin configuration configured above, and add or update the corresponding CNAME record via your DNS service provider.

Requests to AWS S3 content via our CDN service will not be honored until our personnel have configured your customer origin to authenticate requests.

Requesting AWS S3 Integration

As previously mentioned, a custom configuration will be applied to your customer origin to automatically authenticate all requests to AWS S3 origin servers. Before this integration process can take place, you will need to provide the following information to your CDN account manager:

  • The credentials (Access Key ID and Secret Access Key) of the dedicated IAM user created for our CDN.
  • The object URL of the test asset uploaded to the bucket.
  • The customer origin configuration (and edge CNAME, if any) to which AWS S3 support should be added.

Send the credentials only through a secure channel; do not paste them into an unencrypted e-mail or support ticket.

Linking to AWS S3 Content

Links to AWS S3 content should not be made publicly available until CDN personnel have added AWS S3 support to the corresponding customer origin.

The syntax for links to AWS S3 content varies according to the component where the AWS S3 bucket name is defined. The syntax for each supported configuration is provided below.

Customer Origin

This section applies to a customer origin whose Host header includes the AWS S3 bucket name (e.g., mybucket.s3.amazonaws.com). Link to AWS S3 content using a standard CDN or edge CNAME URL.

Sample Edge CNAME URL (HTTPS):

https://cdn.mydomain.com/campaign/asset.png

Edge CNAME

This section applies to an edge CNAME whose relative path has been set to the AWS S3 bucket name (e.g., /mybucket). Link to AWS S3 content using a standard edge CNAME URL.

Sample Edge CNAME URL (HTTPS):

https://cdn.mydomain.com/campaign/asset.png

Request

This section applies to requests that will directly reference the AWS S3 bucket name (e.g., /mybucket). Link to AWS S3 content using a CDN or edge CNAME URL that includes the bucket name.

Sample Edge CNAME URL (HTTPS):

https://cdn.mydomain.com/mybucket/campaign/asset.png

Keep in mind that in this configuration the bucket name comes from the client's request, and our edge servers will authenticate a request for whatever bucket name it contains. The permissions of the AWS user whose credentials you provided, not the CDN configuration, therefore determine which buckets can be read through the CDN; limit that user to the intended bucket.