@studybuffalo
Last active December 16, 2019 04:10
A summary of how to securely serve Django media files using Amazon S3 and CloudFront

AWS Setup for Django Media Files

This guide outlines how to set up the various Amazon Web Services (AWS) services involved (S3, CloudFront, Certificate Manager, IAM) to securely distribute files via Django and django-storages.

Identity and Access Management

Groups

First, set up a group that controls the access the user will have.

  1. Go to the Identity and Access Management (IAM) console. Under Access management choose Groups.
  2. Click on the Create New Group buttons.
  3. Give your group a name, choose a policy (e.g. AmazonS3FullAccess), and save your changes.

Users

Next you will want to create a user that Django will use to access your S3 content.

  1. Go to the Identity and Access Management (IAM) console. Under Access management choose Users.
  2. Click on the Add User button.
  3. Add a user name, set the Access type to Programmatic access, add the user to the group you created previously, review your changes, and then save them.

Creating CloudFront Key Pairs

  1. Log into the AWS Management Console with the root user (cannot use an IAM user for this).
  2. Click on your name on the top right and choose My Security Credentials.
  3. Under the CloudFront key pairs choose the Create New Key Pair button.
  4. Download the Private Key File and securely store it. You will use this key to sign URLs to authenticate your requests via CloudFront.
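As an added example (not part of this gist), this is what signing a URL with that key pair looks like: CloudFront checks a canned policy (one resource, one expiry) signed with RSA/SHA-1 and carried in the Expires, Signature and Key-Pair-Id query parameters, using its own URL-safe base64 alphabet. The key pair ID, the `cryptography` package used for the real signer, and the `sign` callable interface are assumptions.

```python
import base64
import json
import time


def cloudfront_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    encoded = base64.b64encode(data).decode("ascii")
    return encoded.translate(str.maketrans("+=/", "-_~"))


def canned_policy(url: str, expires: int) -> bytes:
    """The canned policy CloudFront evaluates: one resource, one expiry (epoch seconds).

    The signature is computed over exactly these bytes, so the JSON is emitted
    without whitespace and with the keys in this order.
    """
    policy = {"Statement": [{"Resource": url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def rsa_sha1_signer(private_key_pem: bytes):
    """Return a sign(message) callable backed by the downloaded CloudFront private key.

    CloudFront verifies RSA PKCS#1 v1.5 signatures over SHA-1; this relies on the
    third-party 'cryptography' package (an assumption, imported only when used).
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())


def sign_url(url: str, key_pair_id: str, sign, ttl_seconds: int = 600, now=None) -> str:
    """Append the Expires/Signature/Key-Pair-Id query string CloudFront requires.

    `sign` is any callable taking the policy bytes and returning the raw signature;
    `now` may be passed for deterministic output. A short ttl limits how long a
    leaked URL stays usable.
    """
    expires = int(time.time() if now is None else now) + ttl_seconds
    signature = cloudfront_b64(sign(canned_policy(url, expires)))
    separator = "&" if "?" in url else "?"
    return (f"{url}{separator}Expires={expires}"
            f"&Signature={signature}&Key-Pair-Id={key_pair_id}")
```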

Certificate Manager

You will likely want to set up a certificate so your content can be served over HTTPS. Do this early, since it will take time for the required DNS records to propagate.

  1. Go to the Certificate Manager console.
  2. Click on the Request a certificate button.
  3. Choose the Request a public certificate option, enter the domains that will be used to serve the content (you may want to use a subdomain like aws.my.domain.com), choose DNS validation, and then save your changes.
  4. Once the request is complete you will want to find your certificate in the console. Under the Status section you should see your domains and the CNAME records you will need to create.
  5. After you have created the DNS records you can come back to the console to check for when the domain has been verified and the certificate is issued. You will need the certificate to be issued to setup CloudFront.

Amazon S3

You will need a bucket to store all your media files. You can reuse a bucket if desired, but it is probably better and more secure to use a separate bucket for each application.

  1. Go to the Amazon S3 console and choose the Buckets section.
  2. Click on the Create bucket button.
  3. Give the bucket a unique name, set your region, choose your basic properties, uncheck the Block public access checkboxes (you will restrict access via a Bucket Policy once CloudFront is setup), and then create your bucket.

CloudFront

CloudFront is used to direct and authenticate requests for the media files. You will need to complete the steps in the Certificate Manager and Amazon S3 sections before proceeding with these steps.

Origin Access Identity

You will need to create an Origin Access Identity so that you can create and authenticate signed URLs.

  1. Go to the CloudFront console. Under Security choose Origin access identity.
  2. Click on the Create Origin Access identity button.
  3. Give the identity a unique name/identifier in the Comment field and then click the Create button.

Distributions

You will create a CloudFront distribution to manage access to your S3 bucket. You will need to have completed the previous Amazon S3 and Origin Access Identity sections.

  1. Go to the CloudFront console and choose the Distributions section.
  2. Click on the Create Distribution button.
  3. Set up the following settings and click the Create Distribution button when you are done.
    • Choose a Web distribution.
    • Origin Domain Name: select your S3 bucket from the dropdown list.
    • Origin Path: leave blank.
    • Origin ID: provide a unique identifier to identify this origin.
    • Restrict Bucket Access: select Yes.
    • Viewer Protocol Policy: choose as needed (Redirect HTTP to HTTPS preferred).
    • Allowed HTTP Methods: as your application needs.
    • Restrict Viewer Access: select Yes.
    • Trusted Signers: select Self.
    • Other settings can be selected as needed based on the situation.
  4. Find your distribution in the console and click on it to open its settings.
  5. Under the General tab, click the Edit button. Update the following settings and click the Yes, Edit button.
    • Alternate Domain Names: set up the domain names you want to use to access CloudFront from (if desired). You will need to update your DNS settings with a CNAME record for each custom domain name that points to the CloudFront domain name.
    • SSL Certificate: choose the Custom SSL Certificate option and select the certificate you setup earlier from the dropdown list.
  6. Under the Origins and Origin Groups tab, click your origin and then the Edit button. Update the following settings and click the Yes, Edit button.
    • Origin Access identity: choose the identity you created earlier.
    • Grant Read Permissions on Bucket: choose No, I Will Update Permissions.

Updating Amazon S3 Settings

  1. Go to the Amazon S3 console and choose the Buckets section.
  2. Choose the bucket you wish to associate with your CloudFront distribution. Click on the Permissions tab and then the Access Control List button.
  3. Under Access for other AWS accounts, click on the Add account button. Add the canonical ID for the Origin Access Identity you created earlier.
  4. Continue by clicking on the Bucket Policy button on the top of the page.
  5. Enter the following policy (changing the noted sections as appropriate) and then click the Save button.
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <your origin access identity ID>"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<this bucket name>/*"
        }
    ]
}
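Because the Block public access checkboxes were unchecked in the S3 step, this bucket policy is the only thing keeping the bucket private. The following added check (not from the gist) parses a policy like the one above and flags any Allow statement that grants more than read-only access to the Origin Access Identity; the bucket name and OAI ID in the embedded sample are constructed.

```python
import json
import re

# The only principal the policy above should grant: the CloudFront Origin Access Identity.
OAI_PRINCIPAL = re.compile(
    r"^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_json: str, bucket: str) -> list:
    """Return findings for any Allow statement broader than 'the OAI may read
    objects in this bucket'. An empty list means the policy matches the setup."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in _as_list(aws):
            if p == "*":
                findings.append(f"{sid}: Principal '*' grants everyone access; with Block "
                                "public access unchecked this makes the bucket public")
            elif not OAI_PRINCIPAL.match(str(p)):
                findings.append(f"{sid}: principal {p!r} is not a CloudFront Origin Access Identity")
        for action in _as_list(stmt.get("Action", [])):
            if action != "s3:GetObject":
                findings.append(f"{sid}: action {action!r} goes beyond read-only s3:GetObject")
        allowed = {f"arn:aws:s3:::{bucket}/*", f"arn:aws:s3:::{bucket}"}
        for resource in _as_list(stmt.get("Resource", [])):
            if resource not in allowed:
                findings.append(f"{sid}: resource {resource!r} is outside bucket {bucket!r}")
    return findings


# Constructed sample: the policy from the setup with placeholder IDs filled in.
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1EXAMPLEOAIID"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-django-media/*",
    }],
})
```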