This pattern creates a secure content delivery solution using CloudFront signed cookies. Users authenticate through Amazon Cognito via API Gateway Lambda functions.

Upon successful login, the Lambda function generates CloudFront signed cookies that grant time-limited access to private S3 content behind the CloudFront distribution.

The CloudFront distribution uses Origin Access Control (OAC) to securely access private S3 content. Public content is accessible without authentication, while private content requires valid signed cookies.

The signed cookies use RSA key pairs, with the private key stored securely in AWS Secrets Manager and the public key configured in a CloudFront Key Group.