What does key, key pair and signature mean here?

Question

I was reading How are possible uses for X.509 (SSL) certificates denoted? here on Security SE. It begins with:

X.509 certificates can be used for servers, clients, email, code signing and more applications. http://twitpic.com/6gdxaq indicates that a certificate...

This is the twitpic image. It was from an incident in 2011, where a rogue google.com certificate from DigiNotar had code-signing capability. I wanted to look at the image more closely, then noticed something I don't understand.

When viewing the full-sized image in Google Chrome browser, I see a long Cloudfront domain URL. It starts with http://d3j5vwomefv46c.cloudfront.net/photos/large/390320594.jpg? and has three parts concatenated to the end of it.

Here's my question: What do the three parts (key, Key-Pair-ID and Signature) mean in that Cloudfront URL?

1. key=409511&Expires=1358170888
2. Key-Pair-Id=APKAIYVGSUJFNRFZBBTA
3. Signature=ZLwi3pS71nfx0MzKMdFMQZYwYtKjzxnoIgLxDa6X16o3K7pjtywH-Sqm7rvZqe3XH0ELZb4fQffF5lWG2h2PF4ONGCoCL6zQKfr~Ep9raiUPM1pO1LbrUDZEJBoYSURAecyNJsctRd9wJgKoFnEkHnSfvsNexYx-Y91cTVmYPQc_

Is it analogous to the keys and signature for X.509 SSL certificates? (That's was why I included so much information about the prior question, in case of similarities.) Or does it pertain to authentication, instead of authorization?

Answer 1

It seems that Amazon is using this mechanism for authenticating requests to the CloudFront Servers. Read more here and here.

You generate a key pair using your Amazon account and sign certain URLs that point to private resourcesa and you distribute this signed URLs to the people you want to access your site. The parameters help identify the key that signed the URL(your private key) and the time until the URL can be accessed using this link.

This is how Amazon checks that you authorize the connection at that specific time.