---
title: >-
  CloudFront distributions should use trusted key groups for signed URLs and
  cookies
description: Datadog, the leading service for cloud-scale monitoring.
---

# CloudFront distributions should use trusted key groups for signed URLs and cookies
 
## Description{% #description %}

Use trusted key groups for signed URLs and cookies in CloudFront distributions instead of trusted signers (CloudFront key pairs).

Trusted key groups enhance key management by allowing you to use AWS-managed keys and IAM for access control. This rule passes when trusted key groups are configured and trusted signers are removed.

## Remediation{% #remediation %}

Configure trusted key groups for your CloudFront distribution. For information about choosing a signer and configuring trusted key groups, see [AWS Documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html).
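To confirm the change after remediation, the pass condition described above can be evaluated per cache behavior against the `DistributionConfig` returned by `aws cloudfront get-distribution-config`. The following is an added example, not Datadog's rule implementation; the sample config is constructed, `<key-group-id>` is a placeholder, and treating behaviors that require no signer as out of scope is an assumption.

```python
# Added example: classify each cache behavior of a CloudFront DistributionConfig
# by the signer mechanism it uses. Constructed sample data; runs offline.

def _enabled(block):
    """True when a TrustedSigners / TrustedKeyGroups block is switched on and non-empty."""
    return bool(block and block.get("Enabled") and block.get("Quantity", 0) > 0)

def classify_behavior(behavior):
    # A behavior that lists both mechanisms (mid-migration) still fails:
    # the legacy CloudFront key pair remains a valid signer until removed.
    if _enabled(behavior.get("TrustedSigners")):
        return "FAIL: trusted signers still enabled"
    if _enabled(behavior.get("TrustedKeyGroups")):
        return "PASS: trusted key groups only"
    # Assumption: content that requires no signed URL or cookie is out of scope.
    return "N/A: no signer required"

def audit_distribution(config):
    """Return {path_pattern: verdict} for the default and every additional behavior."""
    results = {"default": classify_behavior(config["DefaultCacheBehavior"])}
    # CacheBehaviors has no Items key when Quantity is 0.
    for behavior in config.get("CacheBehaviors", {}).get("Items") or []:
        results[behavior["PathPattern"]] = classify_behavior(behavior)
    return results

def distribution_passes(config):
    """Key groups configured somewhere, and trusted signers enabled nowhere."""
    verdicts = list(audit_distribution(config).values())
    return (not any(v.startswith("FAIL") for v in verdicts)
            and any(v.startswith("PASS") for v in verdicts))

# Constructed sample in the shape of DistributionConfig (only the relevant keys).
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {
        "TrustedSigners": {"Enabled": False, "Quantity": 0},
        "TrustedKeyGroups": {"Enabled": True, "Quantity": 1, "Items": ["<key-group-id>"]},
    },
    "CacheBehaviors": {"Quantity": 2, "Items": [
        {"PathPattern": "/legacy/*",
         "TrustedSigners": {"Enabled": True, "Quantity": 1, "Items": ["self"]},
         "TrustedKeyGroups": {"Enabled": True, "Quantity": 1, "Items": ["<key-group-id>"]}},
        {"PathPattern": "/public/*",
         "TrustedSigners": {"Enabled": False, "Quantity": 0},
         "TrustedKeyGroups": {"Enabled": False, "Quantity": 0}},
    ]},
}

if __name__ == "__main__":
    for path, verdict in audit_distribution(SAMPLE_CONFIG).items():
        print(f"{path}: {verdict}")
    print("distribution passes:", distribution_passes(SAMPLE_CONFIG))
```

The `/legacy/*` behavior in the sample shows why checking only for the presence of a key group is not enough: it has one attached, but the trusted signer entry is still active.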
