What is the difference between Canned Policy and Custom Policy?

I am looking for an answer at a conceptual level. Therefore, please refrain from simply providing a link to the aws documentation as an answer.

This is how canned policies are created by boto:

    # static method of boto's CloudFront Distribution class
    @staticmethod
    def _canned_policy(resource, expires):
        """
        Creates a canned policy string.
        """
        policy = ('{"Statement":[{"Resource":"%(resource)s",'
                  '"Condition":{"DateLessThan":{"AWS:EpochTime":'
                  '%(expires)s}}}]}' % locals())
        return policy

And this is how a custom policy is created by the same library:

    import json
    import time

    # static method of boto's CloudFront Distribution class
    @staticmethod
    def _custom_policy(resource, expires=None, valid_after=None,
                       ip_address=None):
        """
        Creates a custom policy string based on the supplied parameters.
        """
        condition = {}
        # SEE: http://docs.amazonwebservices.com/AmazonCloudFront/latest/DeveloperGuide/RestrictingAccessPrivateContent.html#CustomPolicy
        # The 'DateLessThan' property is required.
        if not expires:
            # Defaults to ONE day
            expires = int(time.time()) + 86400
        condition["DateLessThan"] = {"AWS:EpochTime": expires}
        if valid_after:
            condition["DateGreaterThan"] = {"AWS:EpochTime": valid_after}
        if ip_address:
            if '/' not in ip_address:
                ip_address += "/32"
            condition["IpAddress"] = {"AWS:SourceIp": ip_address}
        policy = {"Statement": [{
            "Resource": resource,
            "Condition": condition}]}
        return json.dumps(policy, separators=(",", ":"))

In my opinion, canned policy is essentially a custom policy, but with fewer attributes.

If this is a correct observation, then why do we need two different classes of policy?

+5
1 answer

Yes, a canned policy can only carry a specific subset of the attributes of a custom policy, but the difference between them is more significant than that.

When you use a canned (predefined) policy, the content of the resulting valid policy document is so deterministic and predictable (from the request elements themselves) that the policy document does not even need to be sent to CloudFront along with the request.

Instead, it is generated locally so you can sign it, but then it is discarded. The server generates an identical document based on the request parameters and verifies the signature.

With a custom policy, by contrast, the policy document itself is sent with the request, base-64 encoded, at &Policy= in the URL. This makes the URL longer because the policy document has to be sent along with it, but the policy document can now contain elements that cannot simply be extrapolated from the request by simple inspection.

Canned policies are (at least to some extent) "lighter": shorter URLs mean fewer bytes in the request and slightly less processing needed to use them, but they have less flexibility than custom policies.

Comparison Matrix: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

+6
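The two request shapes described in the answer, as an added example (not code from boto or the answer): the canned URL carries only Expires and the server rebuilds the policy from the request, while the custom URL carries the whole document in Policy=. The signer is a stand-in HMAC-SHA1 with a constructed key, since real CloudFront uses RSA-SHA1 with a trusted key pair; the key-pair id and resource URL are constructed values.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"demo-key"  # stand-in only: CloudFront signs with RSA-SHA1 and a trusted key pair

def cf_b64(data):
    # CloudFront's URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")

def cf_b64_decode(text):
    return base64.b64decode(text.replace("-", "+").replace("_", "=").replace("~", "/"))

def sign(policy):
    # Stand-in signature over the policy document (HMAC-SHA1 here, RSA-SHA1 in CloudFront)
    return cf_b64(hmac.new(SECRET, policy.encode(), hashlib.sha1).digest())

def canned_policy(resource, expires):
    # Fully determined by (resource, expires), so the server can rebuild it from the request
    return ('{"Statement":[{"Resource":"%s","Condition":'
            '{"DateLessThan":{"AWS:EpochTime":%d}}}]}' % (resource, expires))

def custom_policy(resource, expires, ip_address):
    cond = {"DateLessThan": {"AWS:EpochTime": expires}, "IpAddress": {"AWS:SourceIp": ip_address}}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": cond}]}, separators=(",", ":"))

def canned_url(resource, expires, key_pair_id):
    # The policy is built, signed and discarded: only Expires travels in the URL
    sig = sign(canned_policy(resource, expires))
    return resource + "?" + urlencode({"Expires": expires, "Signature": sig, "Key-Pair-Id": key_pair_id})

def custom_url(resource, policy, key_pair_id):
    # The whole policy document travels in the URL, base64-encoded, as Policy=
    return resource + "?" + urlencode({"Policy": cf_b64(policy.encode()), "Signature": sign(policy),
                                       "Key-Pair-Id": key_pair_id})

def verify(url, now):
    """Server-side view: recover the policy, check the signature, then enforce DateLessThan.
    Returns the parsed policy on success, None on any failure."""
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    resource = parsed._replace(query="").geturl()
    if "Policy" in q:
        policy = cf_b64_decode(q["Policy"]).decode()          # custom: decode what was sent
    else:
        policy = canned_policy(resource, int(q["Expires"]))  # canned: rebuild from the request
    if not hmac.compare_digest(sign(policy), q["Signature"]):
        return None
    doc = json.loads(policy)
    if now >= doc["Statement"][0]["Condition"]["DateLessThan"]["AWS:EpochTime"]:
        return None
    return doc
```

Tampering with Expires on a canned URL makes the server rebuild a different document, so the signature no longer matches; a custom URL reveals its conditions (such as the source IP range) only after decoding Policy=.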
