CloudFront signed URLs – Incorporating IAM
I am currently working on a little project where I’m serving up an object from an S3 bucket behind CloudFront. I’m studying for certification, so I thought it would be useful to have a real-world play. Previously, anyone could access the bucket and associated object if they had the URL that I generate; now I am using the CloudFront signer in a Lambda to sign the URL that is served up through the front-end. But I want to go further… I want to have it so that only a specific IAM group or assumed role is able to use the link. Say I have manager staff and restaurant staff – I want the front-end link to be visible to both, but only usable by the manager staff.
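One thing worth making explicit for this design: CloudFront never evaluates the caller's IAM identity when it validates a signed URL. The signed URL is a bearer credential, so whoever holds it can fetch the object, and the only place "manager only" can be enforced is the Lambda that issues the signature. The sketch below is an added example, not the poster's code. It assumes the Lambda sits behind API Gateway with AWS_IAM authorization, so the proxy event carries the caller's STS ARN in `requestContext.identity.userArn`, and it only signs for callers whose assumed role is on an allow-list. The key-pair ID, role names and object URL are hypothetical, and the RSA-SHA1 signing step is injected as a callable (as botocore's `CloudFrontSigner` also does) and replaced by a hash stub so the file runs offline without a private key.

```python
"""Constructed example: issue a CloudFront signed URL only to allow-listed callers.

The canned-policy format, the URL-safe base64 variant (+ / = mapped to - ~ _) and the
Expires / Signature / Key-Pair-Id query parameters follow the CloudFront signed-URL
specification.  Everything else (names, URL, allow-list) is a hypothetical stand-in.
"""
import base64
import hashlib
import json
import time
from typing import Callable
from urllib.parse import urlencode

KEY_PAIR_ID = "K2EXAMPLE123"  # hypothetical CloudFront public key ID
OBJECT_URL = "https://d111111abcdef8.cloudfront.net/menu/prices.pdf"  # hypothetical
ALLOWED_ROLE_NAMES = {"ManagerStaffRole"}  # hypothetical role the managers assume
TTL_SECONDS = 300

RsaSigner = Callable[[bytes], bytes]


def canned_policy(url: str, expires_epoch: int) -> str:
    """CloudFront canned policy: one resource, one DateLessThan condition, no whitespace."""
    policy = {"Statement": [{"Resource": url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}]}
    return json.dumps(policy, separators=(",", ":"))


def cloudfront_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").replace("+", "-").replace("=", "_").replace("/", "~")


def signed_url(url: str, expires_epoch: int, rsa_signer: RsaSigner) -> str:
    """Build the signed URL.  rsa_signer must return the RSA-SHA1 signature of the policy bytes;
    with the cryptography package that is private_key.sign(data, padding.PKCS1v15(), hashes.SHA1())."""
    signature = rsa_signer(canned_policy(url, expires_epoch).encode("utf-8"))
    query = urlencode({"Expires": expires_epoch,
                       "Signature": cloudfront_b64(signature),
                       "Key-Pair-Id": KEY_PAIR_ID})
    return f"{url}{'&' if '?' in url else '?'}{query}"


def role_name_from_arn(arn: str) -> "str | None":
    """'arn:aws:sts::123456789012:assumed-role/ManagerStaffRole/alice' -> 'ManagerStaffRole'.
    Plain IAM user ARNs return None: group membership is not visible in the ARN and would
    need an iam:ListGroupsForUser call, which this example does not make."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        return None
    resource = parts[5]
    if resource.startswith("assumed-role/"):
        return resource.split("/")[1]
    return None


def _demo_signer(policy: bytes) -> bytes:
    """Stand-in for RSA-SHA1 so the example runs without a key.  NOT a valid CloudFront signature."""
    return hashlib.sha256(b"demo-only-not-a-private-key" + policy).digest()


def handler(event: dict, context=None, *, rsa_signer: RsaSigner = _demo_signer, now: "int | None" = None) -> dict:
    """Lambda proxy handler: sign only for callers whose assumed role is allow-listed."""
    caller_arn = event.get("requestContext", {}).get("identity", {}).get("userArn") or ""
    role = role_name_from_arn(caller_arn)
    if role not in ALLOWED_ROLE_NAMES:
        # Restaurant staff (or anyone else) can still see the plain link in the front-end;
        # without a signature CloudFront will refuse to serve the object.
        return {"statusCode": 403, "body": json.dumps({"error": "caller may not sign this object"})}
    expires = int(now if now is not None else time.time()) + TTL_SECONDS
    return {"statusCode": 200, "body": json.dumps({"url": signed_url(OBJECT_URL, expires, rsa_signer)})}


if __name__ == "__main__":
    manager = {"requestContext": {"identity": {"userArn": "arn:aws:sts::123456789012:assumed-role/ManagerStaffRole/alice"}}}
    staff = {"requestContext": {"identity": {"userArn": "arn:aws:sts::123456789012:assumed-role/RestaurantStaffRole/bob"}}}
    print(handler(manager, now=1_700_000_000))
    print(handler(staff, now=1_700_000_000))
```

Keep the CloudFront private key out of the function code (Secrets Manager or Parameter Store), keep the TTL short, and remember that once a manager has the signed URL nothing stops them forwarding it; if that matters, the issuance log in the Lambda is the audit trail, not CloudFront.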