CloudFront authorization with Cognito for CDK
Easily add Cognito-based authorization to your CloudFront distribution,
to place static files behind authorization.
This is based on https://github.com/aws-samples/cloudfront-authorization-at-edge.
Usage
npm install @henrist/cdk-cloudfront-auth
Deploy the Lambda@Edge functions to us-east-1:
const authLambdas = new AuthLambdas(this, "AuthLambdas", {
regions: ["eu-west-1"],
})
Deploy the Cognito and CloudFront setup in whatever region
of your choice:
const auth = new CloudFrontAuth(this, "Auth", {
cognitoAuthDomain: `${domain.domainName}.auth.${region}.amazoncognito.com`,
authLambdas,
userPool,
})
const distribution = new cloudfront.Distribution(this, "Distribution", {
defaultBehavior: auth.createProtectedBehavior(origin),
additionalBehaviors: auth.createAuthPagesBehaviors(origin),
})
auth.updateClient("ClientUpdate", {
signOutUrl: `https://${distribution.distributionDomainName}${auth.signOutRedirectTo}`,
callbackUrl: `https://${distribution.distributionDomainName}${auth.callbackPath}`,
})
If using CloudFrontWebDistribution
instead of Distribution
:
const distribution = new cloudfront.CloudFrontWebDistribution(this, "Distribution", {
originConfigs: [
{
behaviors: [
...auth.authPages,
{
isDefaultBehavior: true,
lambdaFunctionAssociations: auth.authFilters,
},
],
},
],
})
Customizing authorization
The CloudFrontAuth
construct accepts a requireGroupAnyOf
property
that causes access to be restricted to only users in specific groups.