1
00:00:00,720 --> 00:00:01,830
‫So now let's discuss

2
00:00:01,830 --> 00:00:06,830
‫how we can generate keys to sign the URLs with CloudFront.

3
00:00:07,840 --> 00:00:10,570
‫And there are two types of signers

4
00:00:10,570 --> 00:00:15,380
‫and the new recommended way is to use a trusted key group.

5
00:00:15,380 --> 00:00:18,160
‫And the idea is that I'll show you the hands-on in a second.

6
00:00:18,160 --> 00:00:21,480
‫We can leverage the APIs to create and rotate these keys.

7
00:00:21,480 --> 00:00:23,610
‫And we can leverage IAM for API security

8
00:00:23,610 --> 00:00:28,125
‫around the management of these key group and the API key,

9
00:00:28,125 --> 00:00:29,450
‫the public keys in this key group.

10
00:00:29,450 --> 00:00:32,160
‫The other method that was originally supported

11
00:00:32,160 --> 00:00:33,680
‫in the first one that existed

12
00:00:33,680 --> 00:00:37,440
‫was to use an account that contains a CloudFront key pair.

13
00:00:37,440 --> 00:00:38,920
‫But for this, to manage this key pair,

14
00:00:38,920 --> 00:00:40,980
‫we need to use the root account credentials

15
00:00:40,980 --> 00:00:44,360
‫as well as the AWS console, which is not recommended

16
00:00:44,360 --> 00:00:46,640
‫because you shouldn't use the root account for this.

17
00:00:46,640 --> 00:00:48,360
‫And also you cannot automate anything

18
00:00:48,360 --> 00:00:50,290
‫because there are no APIs

19
00:00:50,290 --> 00:00:52,050
‫to manage this platform key pair.

20
00:00:52,050 --> 00:00:54,890
‫So the recommended way now is users trusted key group.

21
00:00:54,890 --> 00:00:56,330
‫So just so you know.

22
00:00:56,330 --> 00:00:58,870
‫So we can create one or more trusted key group

23
00:00:58,870 --> 00:01:00,500
‫in our CloudFront distribution.

24
00:01:00,500 --> 00:01:03,270
‫Then we generate our own public and private key.

25
00:01:03,270 --> 00:01:05,550
‫The private key will be used by your applications.

26
00:01:05,550 --> 00:01:09,310
‫For example, your EC2 instances to sign your URLs.

27
00:01:09,310 --> 00:01:11,160
‫Whereas the public key that is going to be

28
00:01:11,160 --> 00:01:12,480
‫uploaded by CloudFront

29
00:01:12,480 --> 00:01:16,220
‫will be used to verify the signature of these URLs.

30
00:01:16,220 --> 00:01:18,770
‫So let me just show you in the interface,

31
00:01:18,770 --> 00:01:21,420
‫the console where these options are.

32
00:01:21,420 --> 00:01:24,100
‫So let's have a look at key managements for CloudFront.

33
00:01:24,100 --> 00:01:25,170
‫And on the left hand side,

34
00:01:25,170 --> 00:01:27,020
‫I have public keys and key groups.

35
00:01:27,020 --> 00:01:28,300
‫So let me click on public keys.

36
00:01:28,300 --> 00:01:31,050
‫So the idea is that we want to generate an RSA key,

37
00:01:31,050 --> 00:01:33,210
‫so a private key and a public key,

38
00:01:33,210 --> 00:01:35,840
‫and the private key will go on my EC2 instances

39
00:01:35,840 --> 00:01:37,580
‫and the public key will go on CloudFront.

40
00:01:37,580 --> 00:01:39,640
‫And this will allow my EC2 instances

41
00:01:39,640 --> 00:01:42,890
‫to use the platform API, to create signed URLs.

42
00:01:42,890 --> 00:01:44,610
‫So first we need to generate this key.

43
00:01:44,610 --> 00:01:49,610
‫So I will type in generates RSA key online,

44
00:01:49,780 --> 00:01:52,217
‫2,048 bit.

45
00:01:52,217 --> 00:01:55,510
‫Let's take the first website for example.

46
00:01:55,510 --> 00:01:59,980
‫I'm going to choose a key size of 2,048 bits.

47
00:01:59,980 --> 00:02:01,220
‫This is very important.

48
00:02:01,220 --> 00:02:03,493
‫And generate these new keys.

49
00:02:03,493 --> 00:02:07,080
‫And I need to wait about three seconds for me at least.

50
00:02:07,080 --> 00:02:10,020
‫And so we have a private key part and a public key part.

51
00:02:10,020 --> 00:02:11,620
‫So the private key is what would be

52
00:02:11,620 --> 00:02:14,910
‫used by your EC2 instances to generate this URL.

53
00:02:14,910 --> 00:02:17,490
‫This is something you want to keep secret and keep private,

54
00:02:17,490 --> 00:02:20,100
‫and you would save it somewhere, securely.

55
00:02:20,100 --> 00:02:22,290
‫And that the public key can actually be regenerated

56
00:02:22,290 --> 00:02:24,310
‫from the private key if you ever needed to.

57
00:02:24,310 --> 00:02:27,230
‫But the public key is what we will send into CloudFront.

58
00:02:27,230 --> 00:02:29,398
‫So back into CloudFront for my public key,

59
00:02:29,398 --> 00:02:30,430
‫that will create a public key.

60
00:02:30,430 --> 00:02:32,290
‫Call this one demo key.

61
00:02:32,290 --> 00:02:33,620
‫And then for the key itself,

62
00:02:33,620 --> 00:02:36,350
‫I'm going to just paste what I have obtained

63
00:02:36,350 --> 00:02:38,680
‫as a public key from the websites.

64
00:02:38,680 --> 00:02:41,300
‫And now the public key has been successfully created.

65
00:02:41,300 --> 00:02:42,200
‫If you get any errors,

66
00:02:42,200 --> 00:02:44,870
‫just make sure that you are using a 2,048 bits.

67
00:02:44,870 --> 00:02:46,690
‫And if the first key doesn't work,

68
00:02:46,690 --> 00:02:48,710
‫just click on generate new keys one more time

69
00:02:48,710 --> 00:02:50,980
‫to generate a key of 2,048 bits.

70
00:02:50,980 --> 00:02:55,020
‫So now that we have our public key being created,

71
00:02:55,020 --> 00:02:57,190
‫what I can do is I can create a key group.

72
00:02:57,190 --> 00:03:01,120
‫And so I will create a demo key group.

73
00:03:01,120 --> 00:03:03,780
‫And in this group I can add up to five public keys.

74
00:03:03,780 --> 00:03:05,950
‫So I'll just add the one I just created.

75
00:03:05,950 --> 00:03:07,160
‫And that this key group

76
00:03:07,160 --> 00:03:09,660
‫is what will be referenced by CloudFront

77
00:03:09,660 --> 00:03:13,140
‫to allow our users, our CE2 instances, for example,

78
00:03:13,140 --> 00:03:15,870
‫to create signed URLs.

79
00:03:15,870 --> 00:03:17,590
‫So something to note is that I'm logged in

80
00:03:17,590 --> 00:03:19,410
‫as the root user of my account,

81
00:03:19,410 --> 00:03:21,690
‫but any IAM user with a sufficient permissions

82
00:03:21,690 --> 00:03:26,100
‫could create public keys and key groups within CloudFront.

83
00:03:26,100 --> 00:03:29,110
‫But I can also show you the old way of doing things

84
00:03:29,110 --> 00:03:30,250
‫for adding keys into CloudFront.

85
00:03:30,250 --> 00:03:33,130
‫So as you can see, I'm logged in as my root account

86
00:03:33,130 --> 00:03:34,430
‫and it's necessary.

87
00:03:34,430 --> 00:03:37,330
‫And let me go to the AWS management console

88
00:03:37,330 --> 00:03:39,060
‫and from here, click on my accounts

89
00:03:39,060 --> 00:03:40,580
‫and my security credentials.

90
00:03:40,580 --> 00:03:42,990
‫So this is something you're doing from your root accounts.

91
00:03:42,990 --> 00:03:45,570
‫And as you can see, there's a CloudFront key pair section.

92
00:03:45,570 --> 00:03:47,270
‫And this is how you would use CloudFront

93
00:03:47,270 --> 00:03:49,620
‫to create signed URLs the old way.

94
00:03:49,620 --> 00:03:52,480
‫The new recommended way is definitely to use

95
00:03:52,480 --> 00:03:53,640
‫what we've been showing before,

96
00:03:53,640 --> 00:03:55,850
‫which was using the key groups in CloudFront.

97
00:03:55,850 --> 00:03:58,100
‫But if you want to see how the old way was happening,

98
00:03:58,100 --> 00:04:00,170
‫we had to login using the root accounts.

99
00:04:00,170 --> 00:04:01,770
‫Then we would create a new key pair

100
00:04:01,770 --> 00:04:03,030
‫or upload our own key pair.

101
00:04:03,030 --> 00:04:04,770
‫So let's create a new key pair.

102
00:04:04,770 --> 00:04:06,886
‫Then we will download the private key file

103
00:04:06,886 --> 00:04:09,500
‫and then download the public key file

104
00:04:09,500 --> 00:04:10,333
‫and click on close.

105
00:04:10,333 --> 00:04:12,350
‫Now this key would be added

106
00:04:12,350 --> 00:04:13,720
‫and that we could make it active,

107
00:04:13,720 --> 00:04:15,720
‫inactive, or deleted if we wanted to.

108
00:04:15,720 --> 00:04:17,930
‫But this would apply to any CloudFront distributions

109
00:04:17,930 --> 00:04:19,130
‫and we will need to create,

110
00:04:19,130 --> 00:04:22,710
‫and to give these private keys to our EC2 instances.

111
00:04:22,710 --> 00:04:24,260
‫But this is not as secure,

112
00:04:24,260 --> 00:04:27,390
‫and this can only be done by the root account.

113
00:04:27,390 --> 00:04:29,520
‫So definitely from an exam perspective,

114
00:04:29,520 --> 00:04:32,010
‫the new way of doing things is absolutely

115
00:04:32,010 --> 00:04:34,050
‫to use the CloudFront service

116
00:04:34,050 --> 00:04:36,960
‫and the capability that allows any of the IAM user to do it,

117
00:04:36,960 --> 00:04:40,290
‫which is using public keys and key groups.

118
00:04:40,290 --> 00:04:41,230
‫So that's it for this section.

119
00:04:41,230 --> 00:04:44,180
‫I hope you liked it and I will see you in the next lecture.